Report - jvppp.exe

Emotet Gen2
Created 2021.04.15 07:41 Machine s1_win7_x6401
Filename jvppp.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 7
Behavior Score 7.0
ZERO API (file): clean
VT API (file) 55 detected (AIDetect, malware2, malicious, high confidence, GenericKD, Cookiesstealer, SpyAgent, HgIASSAA, Unsafe, confidence, 100%, CookieStealer, Eldorado, Attribute, HighConfidence, ACLN, PSWTool, hqsnsl, Facebook, CLOUD, Generic ML PUA, DownLoader38, Static AI, Suspicious PE, JazoStealer, wcoir, KVM003, kcloud, score, R356907, GenericRXAA, ai score=82, BScope, Infospy, R002C0DD321, Hufm, ZexaF, 8uW@aKzHNfnj, Genetic, susgen)
md5 9786f11c6015566b11b9c3c89378679d
sha256 83ca633800860209287078ee57257d3c04151b6bc7561a96b4cbdbd41dab4747
ssdeep 24576:fzdZZK1KPQAcVmXW3ARaBfmeTNkdBAnlXG6+Z1mbXul:3Z2AcVmXWwR2fmGkUlXF+Z1Iel
imphash af32313fc3f12018e1ca631ff1044218
impfuzzy 48:c9nBQnc+F9HtoS1rMUZFuPZ7OjKZNj6Nh6p2:c4c+vHtoS1rMUZ07cKZNeNYp2

Signature (16 cnts)

Level Description
danger File has been identified by 55 AntiVirus engines on VirusTotal as malicious
watch Deletes executed files from disk
watch Installs itself for autorun at Windows startup
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Foreign language identified in PE resource
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Looks up the external IP address
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
notice The binary likely contains encrypted or compressed data indicative of a packer
info Checks amount of memory in system
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (26 cnts)

Level Name Description Collection
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (download)
danger Win32_Trojan_Emotet_2_Zero Win32 Trojan Emotet binaries (upload)
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
notice Str_Win32_Http_API Match Windows Http API call binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check Signature Zero binaries (upload)
info PE_Header_Zero PE File Signature Zero binaries (download)
info PE_Header_Zero PE File Signature Zero binaries (upload)
info HasDebugData DebugData Check binaries (upload)
info HasDigitalSignature DigitalSignature Check binaries (download)
info HasOverlay Overlay Check binaries (download)
info HasRichSignature Rich Signature Check binaries (download)
info HasRichSignature Rich Signature Check binaries (upload)
info IsPacked Entropy Check binaries (download)
info IsPacked Entropy Check binaries (upload)
info IsWindowsGUI (no description) binaries (download)
info IsWindowsGUI (no description) binaries (upload)
info screenshot Take screenshot binaries (download)
info screenshot Take screenshot binaries (upload)
info Str_Win32_Wininet_Library Match Windows Inet API library declaration binaries (upload)
info Win32_Trojan_Gen_2_0904B0_Zero Win32 Trojan Gen binaries (upload)
info win_files_operation Affect private profile binaries (upload)
info win_registry Affect system registries binaries (download)
info win_registry Affect system registries binaries (upload)

Network (16 cnts)

Request CC ASN Co IP4 Rule ZERO
http://uyyge5w3ye.2ihsfa.com/api/fbtime US AS-CHOOPA 207.246.80.14 clean
http://uyyge5w3ye.2ihsfa.com/api/?sid=92468&key=165d0df49d4f7de7b67582d2a0345a1b US AS-CHOOPA 207.246.80.14 clean
http://ip-api.com/json/ US TUT-AS 208.95.112.1 clean
https://script.google.com/macros/s/AKfycbyeDUociDSMjODhy_ZapM5zzyoJ3zrch9n5IUJeKIM3UQOEtZs/exec?loc=KR&app=Staoism&payoutcents=0.08&ver=3.5&ip=175.208.134.150 US GOOGLE 142.250.199.78 clean
https://iplogger.org/18hh57 DE Hetzner Online GmbH 88.99.66.31 clean
https://www.facebook.com/ US FACEBOOK 157.240.215.35 clean
script.google.com US GOOGLE 216.58.220.110 clean
iplogger.org DE Hetzner Online GmbH 88.99.66.31 malicious
www.facebook.com IE FACEBOOK 31.13.82.36 clean
uyyge5w3ye.2ihsfa.com US AS-CHOOPA 207.246.80.14 clean
ip-api.com US TUT-AS 208.95.112.1 clean
207.246.80.14 US AS-CHOOPA 207.246.80.14 malicious
88.99.66.31 DE Hetzner Online GmbH 88.99.66.31 malicious
142.250.199.78 US GOOGLE 142.250.199.78 clean
208.95.112.1 US TUT-AS 208.95.112.1 clean
157.240.215.35 US FACEBOOK 157.240.215.35 clean

Suricata IDS

PE API

IAT (Import Address Table) Library

KERNEL32.dll
 0x464028 SizeofResource
 0x46402c GetTempPathA
 0x464030 LockResource
 0x464034 GetModuleHandleW
 0x464038 FindResourceW
 0x46403c WinExec
 0x464040 WriteConsoleW
 0x464044 CreateThread
 0x464048 CopyFileA
 0x46404c GetModuleFileNameA
 0x464050 LocalFree
 0x464054 GetLastError
 0x464058 FormatMessageW
 0x46405c Sleep
 0x464060 LoadResource
 0x464064 lstrlenW
 0x464068 HeapSize
 0x46406c CreateFileW
 0x464070 SetStdHandle
 0x464074 GetProcessHeap
 0x464078 SetEnvironmentVariableW
 0x46407c FreeEnvironmentStringsW
 0x464080 GetEnvironmentStringsW
 0x464084 GetCommandLineW
 0x464088 GetCommandLineA
 0x46408c GetOEMCP
 0x464090 GetACP
 0x464094 IsValidCodePage
 0x464098 FindNextFileW
 0x46409c FindFirstFileExW
 0x4640a0 FindClose
 0x4640a4 GetTimeZoneInformation
 0x4640a8 MultiByteToWideChar
 0x4640ac GetStringTypeW
 0x4640b0 WideCharToMultiByte
 0x4640b4 EnterCriticalSection
 0x4640b8 LeaveCriticalSection
 0x4640bc DeleteCriticalSection
 0x4640c0 EncodePointer
 0x4640c4 DecodePointer
 0x4640c8 GetCPInfo
 0x4640cc CompareStringW
 0x4640d0 LCMapStringW
 0x4640d4 GetLocaleInfoW
 0x4640d8 SetLastError
 0x4640dc InitializeCriticalSectionAndSpinCount
 0x4640e0 CreateEventW
 0x4640e4 TlsAlloc
 0x4640e8 TlsGetValue
 0x4640ec TlsSetValue
 0x4640f0 TlsFree
 0x4640f4 GetSystemTimeAsFileTime
 0x4640f8 GetProcAddress
 0x4640fc CloseHandle
 0x464100 SetEvent
 0x464104 ResetEvent
 0x464108 WaitForSingleObjectEx
 0x46410c UnhandledExceptionFilter
 0x464110 SetUnhandledExceptionFilter
 0x464114 GetCurrentProcess
 0x464118 TerminateProcess
 0x46411c IsProcessorFeaturePresent
 0x464120 IsDebuggerPresent
 0x464124 GetStartupInfoW
 0x464128 QueryPerformanceCounter
 0x46412c GetCurrentProcessId
 0x464130 GetCurrentThreadId
 0x464134 InitializeSListHead
 0x464138 RtlUnwind
 0x46413c RaiseException
 0x464140 FreeLibrary
 0x464144 LoadLibraryExW
 0x464148 ExitProcess
 0x46414c GetModuleHandleExW
 0x464150 GetModuleFileNameW
 0x464154 GetStdHandle
 0x464158 WriteFile
 0x46415c HeapReAlloc
 0x464160 HeapFree
 0x464164 HeapAlloc
 0x464168 GetFileType
 0x46416c GetFileSizeEx
 0x464170 SetFilePointerEx
 0x464174 FlushFileBuffers
 0x464178 GetConsoleCP
 0x46417c GetConsoleMode
 0x464180 GetDateFormatW
 0x464184 GetTimeFormatW
 0x464188 IsValidLocale
 0x46418c GetUserDefaultLCID
 0x464190 EnumSystemLocalesW
 0x464194 DeleteFileW
 0x464198 ReadFile
 0x46419c ReadConsoleW
 0x4641a0 SetEndOfFile
ADVAPI32.dll
 0x464000 RegSetValueExW
 0x464004 RegOpenKeyExW
 0x464008 RegCreateKeyW
 0x46400c RegCloseKey
 0x464010 AllocateAndInitializeSid
 0x464014 RegSetValueExA
 0x464018 FreeSid
 0x46401c CheckTokenMembership
 0x464020 RegOpenKeyExA
SHELL32.dll
 0x4641a8 ShellExecuteExA
WINHTTP.dll
 0x4641b0 WinHttpQueryHeaders
 0x4641b4 WinHttpReadData
 0x4641b8 WinHttpOpenRequest
 0x4641bc WinHttpSetOption
 0x4641c0 WinHttpCloseHandle
 0x4641c4 WinHttpAddRequestHeaders
 0x4641c8 WinHttpQueryAuthSchemes
 0x4641cc WinHttpGetProxyForUrl
 0x4641d0 WinHttpSendRequest
 0x4641d4 WinHttpSetCredentials
 0x4641d8 WinHttpConnect
 0x4641dc WinHttpQueryDataAvailable
 0x4641e0 WinHttpReceiveResponse
 0x4641e4 WinHttpOpen
 0x4641e8 WinHttpGetIEProxyConfigForCurrentUser

EAT (Export Address Table): none