Field | Value |
---|---|
Created | 2021.04.15 07:41 |
Machine | s1_win7_x6401 |
Filename | jvppp.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : clean |
VT API (file) | 55 detected (AIDetect, malware2, malicious, high confidence, GenericKD, Cookiesstealer, SpyAgent, HgIASSAA, Unsafe, confidence, 100%, CookieStealer, Eldorado, Attribute, HighConfidence, ACLN, PSWTool, hqsnsl, Facebook, CLOUD, Generic ML PUA, DownLoader38, Static AI, Suspicious PE, JazoStealer, wcoir, KVM003, kcloud, score, R356907, GenericRXAA, ai score=82, BScope, Infospy, R002C0DD321, Hufm, ZexaF, 8uW@aKzHNfnj, Genetic, susgen) |
md5 | 9786f11c6015566b11b9c3c89378679d |
sha256 | 83ca633800860209287078ee57257d3c04151b6bc7561a96b4cbdbd41dab4747 |
ssdeep | 24576:fzdZZK1KPQAcVmXW3ARaBfmeTNkdBAnlXG6+Z1mbXul:3Z2AcVmXWwR2fmGkUlXF+Z1Iel |
imphash | af32313fc3f12018e1ca631ff1044218 |
impfuzzy | 48:c9nBQnc+F9HtoS1rMUZFuPZ7OjKZNj6Nh6p2:c4c+vHtoS1rMUZ07cKZNeNYp2 |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
danger | File has been identified by 55 AntiVirus engines on VirusTotal as malicious |
watch | Deletes executed files from disk |
watch | Installs itself for autorun at Windows startup |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | Foreign language identified in PE resource |
notice | HTTP traffic contains suspicious features which may be indicative of malware related traffic |
notice | Looks up the external IP address |
notice | Performs some HTTP requests |
notice | Sends data using the HTTP POST Method |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
info | Checks amount of memory in system |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | This executable has a PDB path |
Rules (26cnts)
Level | Name | Description | Collection |
---|---|---|---|
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (download) |
danger | Win32_Trojan_Emotet_2_Zero | Win32 Trojan Emotet | binaries (upload) |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | Str_Win32_Http_API | Match Windows Http API call | binaries (upload) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | OS_Processor_Check_Zero | OS Processor Check Signature Zero | binaries (upload) |
info | PE_Header_Zero | PE File Signature Zero | binaries (download) |
info | PE_Header_Zero | PE File Signature Zero | binaries (upload) |
info | HasDebugData | DebugData Check | binaries (upload) |
info | HasDigitalSignature | DigitalSignature Check | binaries (download) |
info | HasOverlay | Overlay Check | binaries (download) |
info | HasRichSignature | Rich Signature Check | binaries (download) |
info | HasRichSignature | Rich Signature Check | binaries (upload) |
info | IsPacked | Entropy Check | binaries (download) |
info | IsPacked | Entropy Check | binaries (upload) |
info | IsWindowsGUI | (no description) | binaries (download) |
info | IsWindowsGUI | (no description) | binaries (upload) |
info | screenshot | Take screenshot | binaries (download) |
info | screenshot | Take screenshot | binaries (upload) |
info | Str_Win32_Wininet_Library | Match Windows Inet API library declaration | binaries (upload) |
info | Win32_Trojan_Gen_2_0904B0_Zero | Win32 Trojan Gen | binaries (upload) |
info | win_files_operation | Affect private profile | binaries (upload) |
info | win_registry | Affect system registries | binaries (download) |
info | win_registry | Affect system registries | binaries (upload) |
Network (16cnts)
Suricata ids
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
ET POLICY External IP Lookup ip-api.com
ET POLICY External IP Lookup ip-api.com
PE API
IAT (Import Address Table) Library
KERNEL32.dll
0x464028 SizeofResource
0x46402c GetTempPathA
0x464030 LockResource
0x464034 GetModuleHandleW
0x464038 FindResourceW
0x46403c WinExec
0x464040 WriteConsoleW
0x464044 CreateThread
0x464048 CopyFileA
0x46404c GetModuleFileNameA
0x464050 LocalFree
0x464054 GetLastError
0x464058 FormatMessageW
0x46405c Sleep
0x464060 LoadResource
0x464064 lstrlenW
0x464068 HeapSize
0x46406c CreateFileW
0x464070 SetStdHandle
0x464074 GetProcessHeap
0x464078 SetEnvironmentVariableW
0x46407c FreeEnvironmentStringsW
0x464080 GetEnvironmentStringsW
0x464084 GetCommandLineW
0x464088 GetCommandLineA
0x46408c GetOEMCP
0x464090 GetACP
0x464094 IsValidCodePage
0x464098 FindNextFileW
0x46409c FindFirstFileExW
0x4640a0 FindClose
0x4640a4 GetTimeZoneInformation
0x4640a8 MultiByteToWideChar
0x4640ac GetStringTypeW
0x4640b0 WideCharToMultiByte
0x4640b4 EnterCriticalSection
0x4640b8 LeaveCriticalSection
0x4640bc DeleteCriticalSection
0x4640c0 EncodePointer
0x4640c4 DecodePointer
0x4640c8 GetCPInfo
0x4640cc CompareStringW
0x4640d0 LCMapStringW
0x4640d4 GetLocaleInfoW
0x4640d8 SetLastError
0x4640dc InitializeCriticalSectionAndSpinCount
0x4640e0 CreateEventW
0x4640e4 TlsAlloc
0x4640e8 TlsGetValue
0x4640ec TlsSetValue
0x4640f0 TlsFree
0x4640f4 GetSystemTimeAsFileTime
0x4640f8 GetProcAddress
0x4640fc CloseHandle
0x464100 SetEvent
0x464104 ResetEvent
0x464108 WaitForSingleObjectEx
0x46410c UnhandledExceptionFilter
0x464110 SetUnhandledExceptionFilter
0x464114 GetCurrentProcess
0x464118 TerminateProcess
0x46411c IsProcessorFeaturePresent
0x464120 IsDebuggerPresent
0x464124 GetStartupInfoW
0x464128 QueryPerformanceCounter
0x46412c GetCurrentProcessId
0x464130 GetCurrentThreadId
0x464134 InitializeSListHead
0x464138 RtlUnwind
0x46413c RaiseException
0x464140 FreeLibrary
0x464144 LoadLibraryExW
0x464148 ExitProcess
0x46414c GetModuleHandleExW
0x464150 GetModuleFileNameW
0x464154 GetStdHandle
0x464158 WriteFile
0x46415c HeapReAlloc
0x464160 HeapFree
0x464164 HeapAlloc
0x464168 GetFileType
0x46416c GetFileSizeEx
0x464170 SetFilePointerEx
0x464174 FlushFileBuffers
0x464178 GetConsoleCP
0x46417c GetConsoleMode
0x464180 GetDateFormatW
0x464184 GetTimeFormatW
0x464188 IsValidLocale
0x46418c GetUserDefaultLCID
0x464190 EnumSystemLocalesW
0x464194 DeleteFileW
0x464198 ReadFile
0x46419c ReadConsoleW
0x4641a0 SetEndOfFile
ADVAPI32.dll
0x464000 RegSetValueExW
0x464004 RegOpenKeyExW
0x464008 RegCreateKeyW
0x46400c RegCloseKey
0x464010 AllocateAndInitializeSid
0x464014 RegSetValueExA
0x464018 FreeSid
0x46401c CheckTokenMembership
0x464020 RegOpenKeyExA
SHELL32.dll
0x4641a8 ShellExecuteExA
WINHTTP.dll
0x4641b0 WinHttpQueryHeaders
0x4641b4 WinHttpReadData
0x4641b8 WinHttpOpenRequest
0x4641bc WinHttpSetOption
0x4641c0 WinHttpCloseHandle
0x4641c4 WinHttpAddRequestHeaders
0x4641c8 WinHttpQueryAuthSchemes
0x4641cc WinHttpGetProxyForUrl
0x4641d0 WinHttpSendRequest
0x4641d4 WinHttpSetCredentials
0x4641d8 WinHttpConnect
0x4641dc WinHttpQueryDataAvailable
0x4641e0 WinHttpReceiveResponse
0x4641e4 WinHttpOpen
0x4641e8 WinHttpGetIEProxyConfigForCurrentUser
EAT (Export Address Table): none