Report - jfesawdr.exe

Generic Malware Downloader Malicious Library UPX VMProtect Create Service Socket DGA Http API ScreenShot Escalate priviledges Steal credential PWS Sniff Audio HTTP DNS Code injection Internet API FTP KeyLogger P2P AntiDebug AntiVM PE File PE32 OS Processo
ScreenShot
Created 2024.05.01 17:00 Machine s1_win7_x6403
Filename jfesawdr.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
1
Behavior Score
4.6
ZERO API file : mailcious
VT API (file) 47 detected (AIDetectMalware, Zenpak, tsrS, Malicious, score, Zusy, unsafe, Starter, Vwuz, GenericKD, high confidence, njRAT, jzjgo, SMOKELOADER, YXED4Z, Hidcon, Wacatac, Malware@#318ojo15sxvy7, Znyonm, DCRat, R635698, PasswordStealer, Iflw, ai score=83, susgen)
md5 9fb56dd5b5beb0b9c5d0102f22373c0b
sha256 a65b290aa9ebfb82746cf75440c19956169f48d7dcbebafde6996c9b46039539
ssdeep 98304:YPvEbLriWEmQfgLVPn2qQniV0kSybkHXrsfM8n1TQuDFviH345nBIvgj2dKczf:SE7iWWaVP2qeiTHkbYMyTeHcNjEKczf
imphash 0ae9e38912ff6bd742a1b9e5c003576a
impfuzzy 48:J9jOXRgLy1XFjsX1Pfc++6W3CYpZBtDXMuniLFH:JdcgLy1XFgX1Pfc++V/7BtDXMuniLFH
  Network IP location

Signature (11cnts)

Level Description
danger File has been identified by 47 AntiVirus engines on VirusTotal as malicious
watch Resumed a suspended thread in a remote process potentially indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Creates executable files on the filesystem
notice Drops a binary and executes it
notice Drops an executable to the user AppData folder
notice Yara rule detected in process memory
info Queries for the computername
info The executable contains unknown PE section names indicative of a packer (could be a false positive)
info The file contains an unknown PE resource name possibly indicative of a packer
info This executable has a PDB path

Rules (44cnts)

Level Name Description Collection
warning Generic_Malware_Zero Generic Malware binaries (download)
warning Generic_Malware_Zero Generic Malware binaries (upload)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (upload)
watch Network_Downloader File Downloader memory
watch UPX_Zero UPX packed file binaries (download)
watch UPX_Zero UPX packed file binaries (upload)
watch VMProtect_Zero VMProtect packed file binaries (download)
notice Code_injection Code injection with CreateRemoteThread in a remote process memory
notice Create_Service Create a windows service memory
notice Escalate_priviledges Escalate priviledges memory
notice Generic_PWS_Memory_Zero PWS Memory memory
notice KeyLogger Run a KeyLogger memory
notice local_credential_Steal Steal credential memory
notice Network_DGA Communication using DGA memory
notice Network_DNS Communications use DNS memory
notice Network_FTP Communications over FTP memory
notice Network_HTTP Communications over HTTP memory
notice Network_P2P_Win Communications over P2P network memory
notice Network_TCP_Socket Communications over RAW Socket memory
notice ScreenShot Take ScreenShot memory
notice Sniff_Audio Record Audio memory
notice Str_Win32_Http_API Match Windows Http API call memory
notice Str_Win32_Internet_API Match Windows Inet API call memory
info anti_dbg Checks if being debugged memory
info antisb_threatExpert Anti-Sandbox checks for ThreatExpert memory
info Check_Dlls (no description) memory
info DebuggerCheck__GlobalFlags (no description) memory
info DebuggerCheck__QueryInfo (no description) memory
info DebuggerCheck__RemoteAPI (no description) memory
info DebuggerException__ConsoleCtrl (no description) memory
info DebuggerException__SetConsoleCtrl (no description) memory
info DebuggerHiding__Active (no description) memory
info DebuggerHiding__Thread (no description) memory
info disable_dep Bypass DEP memory
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)
info SEH__vectored (no description) memory
info ThreadControl__Context (no description) memory
info win_hook Affect hook table memory

Network (0cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.dll
 0x434000 GetLastError
 0x434004 SetLastError
 0x434008 FormatMessageW
 0x43400c GetCurrentProcess
 0x434010 DeviceIoControl
 0x434014 SetFileTime
 0x434018 CloseHandle
 0x43401c CreateDirectoryW
 0x434020 RemoveDirectoryW
 0x434024 CreateFileW
 0x434028 DeleteFileW
 0x43402c CreateHardLinkW
 0x434030 GetShortPathNameW
 0x434034 GetLongPathNameW
 0x434038 MoveFileW
 0x43403c GetFileType
 0x434040 GetStdHandle
 0x434044 WriteFile
 0x434048 ReadFile
 0x43404c FlushFileBuffers
 0x434050 SetEndOfFile
 0x434054 SetFilePointer
 0x434058 GetCurrentProcessId
 0x43405c SetFileAttributesW
 0x434060 GetFileAttributesW
 0x434064 FindClose
 0x434068 FindFirstFileW
 0x43406c FindNextFileW
 0x434070 InterlockedDecrement
 0x434074 GetVersionExW
 0x434078 GetCurrentDirectoryW
 0x43407c GetFullPathNameW
 0x434080 FoldStringW
 0x434084 GetModuleFileNameW
 0x434088 GetModuleHandleW
 0x43408c FindResourceW
 0x434090 FreeLibrary
 0x434094 GetProcAddress
 0x434098 ExitProcess
 0x43409c SetThreadExecutionState
 0x4340a0 Sleep
 0x4340a4 LoadLibraryW
 0x4340a8 GetSystemDirectoryW
 0x4340ac CompareStringW
 0x4340b0 AllocConsole
 0x4340b4 FreeConsole
 0x4340b8 AttachConsole
 0x4340bc WriteConsoleW
 0x4340c0 GetProcessAffinityMask
 0x4340c4 CreateThread
 0x4340c8 SetThreadPriority
 0x4340cc InitializeCriticalSection
 0x4340d0 EnterCriticalSection
 0x4340d4 LeaveCriticalSection
 0x4340d8 DeleteCriticalSection
 0x4340dc SetEvent
 0x4340e0 ResetEvent
 0x4340e4 ReleaseSemaphore
 0x4340e8 WaitForSingleObject
 0x4340ec CreateEventW
 0x4340f0 CreateSemaphoreW
 0x4340f4 GetSystemTime
 0x4340f8 SystemTimeToTzSpecificLocalTime
 0x4340fc TzSpecificLocalTimeToSystemTime
 0x434100 SystemTimeToFileTime
 0x434104 FileTimeToLocalFileTime
 0x434108 LocalFileTimeToFileTime
 0x43410c FileTimeToSystemTime
 0x434110 GetCPInfo
 0x434114 IsDBCSLeadByte
 0x434118 MultiByteToWideChar
 0x43411c WideCharToMultiByte
 0x434120 GlobalAlloc
 0x434124 LockResource
 0x434128 GlobalLock
 0x43412c GlobalUnlock
 0x434130 GlobalFree
 0x434134 LoadResource
 0x434138 SizeofResource
 0x43413c SetCurrentDirectoryW
 0x434140 GetTimeFormatW
 0x434144 GetDateFormatW
 0x434148 LocalFree
 0x43414c GetExitCodeProcess
 0x434150 GetLocalTime
 0x434154 GetTickCount
 0x434158 MapViewOfFile
 0x43415c UnmapViewOfFile
 0x434160 CreateFileMappingW
 0x434164 OpenFileMappingW
 0x434168 GetCommandLineW
 0x43416c SetEnvironmentVariableW
 0x434170 ExpandEnvironmentStringsW
 0x434174 GetTempPathW
 0x434178 MoveFileExW
 0x43417c GetLocaleInfoW
 0x434180 GetNumberFormatW
 0x434184 DecodePointer
 0x434188 SetFilePointerEx
 0x43418c GetConsoleMode
 0x434190 GetConsoleCP
 0x434194 HeapSize
 0x434198 SetStdHandle
 0x43419c GetProcessHeap
 0x4341a0 FreeEnvironmentStringsW
 0x4341a4 GetEnvironmentStringsW
 0x4341a8 GetCommandLineA
 0x4341ac GetOEMCP
 0x4341b0 RaiseException
 0x4341b4 GetSystemInfo
 0x4341b8 VirtualProtect
 0x4341bc VirtualQuery
 0x4341c0 LoadLibraryExA
 0x4341c4 IsProcessorFeaturePresent
 0x4341c8 IsDebuggerPresent
 0x4341cc UnhandledExceptionFilter
 0x4341d0 SetUnhandledExceptionFilter
 0x4341d4 GetStartupInfoW
 0x4341d8 QueryPerformanceCounter
 0x4341dc GetCurrentThreadId
 0x4341e0 GetSystemTimeAsFileTime
 0x4341e4 InitializeSListHead
 0x4341e8 TerminateProcess
 0x4341ec RtlUnwind
 0x4341f0 EncodePointer
 0x4341f4 InitializeCriticalSectionAndSpinCount
 0x4341f8 TlsAlloc
 0x4341fc TlsGetValue
 0x434200 TlsSetValue
 0x434204 TlsFree
 0x434208 LoadLibraryExW
 0x43420c QueryPerformanceFrequency
 0x434210 GetModuleHandleExW
 0x434214 GetModuleFileNameA
 0x434218 GetACP
 0x43421c HeapFree
 0x434220 HeapReAlloc
 0x434224 HeapAlloc
 0x434228 GetStringTypeW
 0x43422c LCMapStringW
 0x434230 FindFirstFileExA
 0x434234 FindNextFileA
 0x434238 IsValidCodePage
OLEAUT32.dll
 0x434240 SysAllocString
 0x434244 SysFreeString
 0x434248 VariantClear
gdiplus.dll
 0x434250 GdipAlloc
 0x434254 GdipDisposeImage
 0x434258 GdipCloneImage
 0x43425c GdipCreateBitmapFromStream
 0x434260 GdipCreateBitmapFromStreamICM
 0x434264 GdipCreateHBITMAPFromBitmap
 0x434268 GdiplusStartup
 0x43426c GdiplusShutdown
 0x434270 GdipFree

EAT(Export Address Table) Library



Similarity measure (PE file only) - Checking for service failure