ID: 34190 Cookbook: urldownload.jbs Time: 20:07:04 Date: 13/10/2017 Version: 20.0.0

Joe Sandbox Cloud Basic - Analysis Report 34190

May 07, 2023

Page 1: Joe Sandbox Cloud Basic - Analysis Report 34190



Table of Contents

Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
    Signature Overview
      AV Detection
      Networking
      System Summary
      HIPS / PFW / Operating System Protection Evasion
      Malware Analysis System Evasion
      Hooking and other Techniques for Hiding and Protection
      Language, Device and Operating System Detection
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshot
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    No static file info
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
  Code Manipulations
  Statistics

Copyright Joe Security LLC 2017 Page 2 of 16


  Behavior
    System Behavior
      Analysis Process: wget.exe PID: 3040 Parent PID: 1728
        General
        File Activities
      Analysis Process: explorer.exe PID: 3140 Parent PID: 548
        General
        File Activities
        Registry Activities
  Disassembly
    Code Analysis


Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0

Analysis ID: 34190

Start time: 20:07:04

Joe Sandbox Product: CloudBasic

Start date: 13.10.2017

Overall analysis duration: 0h 3m 27s

Hypervisor based Inspection enabled: false

Report type: light

Cookbook file name: urldownload.jbs

Sample URL: http://pivottrading.co.in/googleapi/src/service/Funtinal/Emissao-de-2-via-de-Boleto/Emissao-de-2-via-de-Boleto.zip

Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)

Number of new started processes analysed: 6

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabled, EGA enabled, HDC enabled

Detection: MAL

Classification: mal48.win@2/2@3/1

HCA Information: Successful, ratio: 100%

Number of executed functions: 0

Number of non-executed functions: 0

EGA Information: Failed

HDC Information: Failed

Warnings:

Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy Score Range Reporting Detection
Threshold 48 0 - 100 Report FP / FN

Confidence

Strategy Score Range Further Analysis Required? Confidence

Threshold 5 0 - 5 false

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; additional UI automation would likely extend the observed behavior

Signature Overview

Classification

[Classification chart: the categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter and Evader are each plotted on a clean / suspicious / malicious scale. Image not reproduced.]


• AV Detection

• Networking

• System Summary

• HIPS / PFW / Operating System Protection Evasion

• Malware Analysis System Evasion

• Hooking and other Techniques for Hiding and Protection

• Language, Device and Operating System Detection


AV Detection:

Antivirus detection for domain / URL

Networking:

Downloads compressed data via HTTP

Downloads files from webservers via HTTP

Performs DNS lookups

Urls found in memory or binary data

Uses a known web browser user agent for HTTP communication

System Summary:

Uses Rich Edit Controls

Found graphical window changes (likely an installer)

Classification label

Creates files inside the user directory

Launches a second explorer.exe instance

Reads ini files

Reads software policies

Spawns processes

Uses an in-process (OLE) Automation server

Reads the hosts file

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

May sleep (evasive loops) to hinder dynamic analysis

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Language, Device and Operating System Detection:


Queries the cryptographic machine GUID

Behavior Graph

[Behavior graph: ID 34190, Startdate 13/10/2017, Architecture WINDOWS, Score 48. Nodes: wget.exe [1] started explorer.exe [3 4]; network node pivottrading.co.in, 162.144.72.132 port 80, UNIFIEDLAYER-AS-1-UnifiedLayerUS, United States (3 similar packets combined: pivottrading.co.in). Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious. Image not reproduced.]

Simulations

Behavior and APIs

Time Type Description
20:07:21 API Interceptor 4x Sleep call for process: explorer.exe modified from: 60000ms to: 500ms

Antivirus Detection

Initial Sample
No Antivirus matches

Dropped Files
No Antivirus matches

Domains

Source Detection Cloud Link
pivottrading.co.in 6% virustotal Browse

Yara Overview

Initial Sample
No yara matches

PCAP (Network Traffic)
No yara matches

Dropped Files
No yara matches

Memory Dumps
No yara matches

Unpacked PEs
No yara matches

Joe Sandbox View / Context

IPs
No context

Domains
No context

ASN

Match Associated Sample Name / URL SHA 256 Detection Link Context




Dropped Files
No context

Screenshot

Startup

System is w7

wget.exe (PID: 3040 cmdline: wget -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://pivottrading.co.in/googleapi/src/service/Funtinal/Emissao-de-2-via-de-Boleto/Emissao-de-2-via-de-Boleto.zip' MD5: 834C709455BFEFB9B0E8976BAD13A8F4)

explorer.exe (PID: 3140 cmdline: C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)

cleanup

Created / dropped Files

C:\Users\user\Desktop\download\Emissao-de-2-via-de-Boleto.zip
File Type: Zip archive data, at least v2.0 to extract
MD5: 0B1660D813DFC59F9B3901B59F8CB09B
SHA1: 13E8D8E3C7BBCC1545ED9F2E94BDF9E8EE2D4DF5
SHA-256: D865E585158DC7F901CBBAF038CEDD9FA7873637EE460D6CA159796282302B51
SHA-512: D9B27D81682B9202797DC70D2DEDCC0B2EF77D208B606C4D3164A2D234823A2F1888C521F5E64AD9FC058265FF1A74DC29455EB43BF19E070F77A4FF86936161
Malicious: false

\samr
File Type: Hitachi SH big-endian COFF object, not stripped
MD5: 080E701E8B8E2E9C68203C150AC7C6B7
SHA1: 4EF041621388B805758AE1D3B122F9D364705223
SHA-256: FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512: C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious: false

Contacted Domains/Contacted IPs

Contacted Domains

Name IP Active Malicious Antivirus Detection
pivottrading.co.in 162.144.72.132 true false 6%, virustotal, Browse

Contacted IPs

IP Country Flag ASN ASN Name Malicious
162.144.72.132 United States 46606 UNIFIEDLAYER-AS-1-UnifiedLayerUS false

Static File Info

No static file info

Network Behavior

Network Port Distribution

[Port distribution chart; legend: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs. Image not reproduced.]

Total Packets: 11

• 80 (HTTP)

• 53 (DNS)

TCP Packets

Timestamp Source Port Dest Port Source IP Dest IP
Oct 13, 2017 20:07:42.177211046 CEST 61861 53 192.168.2.2 8.8.8.8
Oct 13, 2017 20:07:43.177118063 CEST 61861 53 192.168.2.2 8.8.8.8
Oct 13, 2017 20:07:44.178329945 CEST 61861 53 192.168.2.2 8.8.8.8
Oct 13, 2017 20:07:44.371997118 CEST 53 61861 8.8.8.8 192.168.2.2
Oct 13, 2017 20:07:44.470227003 CEST 53 61861 8.8.8.8 192.168.2.2
Oct 13, 2017 20:07:44.470273018 CEST 53 61861 8.8.8.8 192.168.2.2
Oct 13, 2017 20:07:44.492281914 CEST 49165 80 192.168.2.2 162.144.72.132
Oct 13, 2017 20:07:44.492304087 CEST 80 49165 162.144.72.132 192.168.2.2
Oct 13, 2017 20:07:44.492357016 CEST 49165 80 192.168.2.2 162.144.72.132
Oct 13, 2017 20:07:44.520412922 CEST 49165 80 192.168.2.2 162.144.72.132
Oct 13, 2017 20:07:44.520423889 CEST 80 49165 162.144.72.132 192.168.2.2
Oct 13, 2017 20:07:45.042565107 CEST 80 49165 162.144.72.132 192.168.2.2
Oct 13, 2017 20:07:45.049324989 CEST 49165 80 192.168.2.2 162.144.72.132
Oct 13, 2017 20:07:45.049340010 CEST 80 49165 162.144.72.132 192.168.2.2
Oct 13, 2017 20:07:45.543484926 CEST 80 49165 162.144.72.132 192.168.2.2
Oct 13, 2017 20:07:45.554275036 CEST 49165 80 192.168.2.2 162.144.72.132

UDP Packets

Timestamp Source Port Dest Port Source IP Dest IP
Oct 13, 2017 20:07:42.177211046 CEST 61861 53 192.168.2.2 8.8.8.8
Oct 13, 2017 20:07:43.177118063 CEST 61861 53 192.168.2.2 8.8.8.8
Oct 13, 2017 20:07:44.178329945 CEST 61861 53 192.168.2.2 8.8.8.8
Oct 13, 2017 20:07:44.371997118 CEST 53 61861 8.8.8.8 192.168.2.2
Oct 13, 2017 20:07:44.470227003 CEST 53 61861 8.8.8.8 192.168.2.2
Oct 13, 2017 20:07:44.470273018 CEST 53 61861 8.8.8.8 192.168.2.2

DNS Queries

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
Oct 13, 2017 20:07:42.177211046 CEST 192.168.2.2 8.8.8.8 0xcd54 Standard query (0) pivottrading.co.in A (IP address) IN (0x0001)
Oct 13, 2017 20:07:43.177118063 CEST 192.168.2.2 8.8.8.8 0xcd54 Standard query (0) pivottrading.co.in A (IP address) IN (0x0001)
Oct 13, 2017 20:07:44.178329945 CEST 192.168.2.2 8.8.8.8 0xcd54 Standard query (0) pivottrading.co.in A (IP address) IN (0x0001)

DNS Answers

Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Oct 13, 2017 20:07:44.371997118 CEST 8.8.8.8 192.168.2.2 0xcd54 No error (0) pivottrading.co.in 162.144.72.132 A (IP address) IN (0x0001)
Oct 13, 2017 20:07:44.470227003 CEST 8.8.8.8 192.168.2.2 0xcd54 No error (0) pivottrading.co.in 162.144.72.132 A (IP address) IN (0x0001)

Oct 13, 2017 20:07:44.470273018 CEST 8.8.8.8 192.168.2.2 0xcd54 No error (0) pivottrading.co.in 162.144.72.132 A (IP address) IN (0x0001)

HTTP Request Dependency Graph

pivottrading.co.in

HTTP Packets

Timestamp Source Port Dest Port Source IP Dest IP Header Total Bytes Transferred (KB)

Oct 13, 2017 20:07:44.520412922 CEST 49165 80 192.168.2.2 162.144.72.132 Total Bytes Transferred (KB): 1
HEAD /googleapi/src/service/Funtinal/Emissao-de-2-via-de-Boleto/Emissao-de-2-via-de-Boleto.zip HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Accept: */*
Host: pivottrading.co.in
Connection: Keep-Alive

Oct 13, 2017 20:07:45.042565107 CEST 80 49165 162.144.72.132 192.168.2.2 Total Bytes Transferred (KB): 1
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2017 18:05:11 GMT
Server: Apache
Last-Modified: Wed, 31 May 2017 15:24:49 GMT
Accept-Ranges: bytes
Content-Length: 1089
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/zip

Oct 13, 2017 20:07:45.049324989 CEST 49165 80 192.168.2.2 162.144.72.132 Total Bytes Transferred (KB): 1
GET /googleapi/src/service/Funtinal/Emissao-de-2-via-de-Boleto/Emissao-de-2-via-de-Boleto.zip HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Accept: */*
Host: pivottrading.co.in
Connection: Keep-Alive

Oct 13, 2017 20:07:45.543484926 CEST 80 49165 162.144.72.132 192.168.2.2 Total Bytes Transferred (KB): 3
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2017 18:05:12 GMT
Server: Apache
Last-Modified: Wed, 31 May 2017 15:24:49 GMT
Accept-Ranges: bytes
Content-Length: 1089
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/zip
Data Raw: [1089-byte zip body; hex dump omitted]
Data Ascii: [omitted; the archive entry name visible in the dump is Emissao-de-2-via-de-Boleto.zip.vbe]

Code Manipulations

Statistics

Behavior

• wget.exe

• explorer.exe

System Behavior

Analysis Process: wget.exe PID: 3040 Parent PID: 1728

General

Start time: 20:07:15
Start date: 13/10/2017
Path: C:\Windows\System32\wget.exe
Wow64 process (32bit): false
Commandline: wget -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://pivottrading.co.in/googleapi/src/service/Funtinal/Emissao-de-2-via-de-Boleto/Emissao-de-2-via-de-Boleto.zip'
Imagebase: 0x755c0000
File size: 826368 bytes
MD5 hash: 834C709455BFEFB9B0E8976BAD13A8F4
Programmed in: C, C++ or other language

File Activities

File Path Access Attributes Options Completion Count Source Address Symbol

File Path Offset Length Value Ascii Completion Count Source Address Symbol

Analysis Process: explorer.exe PID: 3140 Parent PID: 548

General

Start time: 20:07:20
Start date: 13/10/2017
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
Imagebase: 0x774a0000
File size: 2972672 bytes
MD5 hash: 6DDCA324434FFA506CF7DC4E51DB7935
Programmed in: C, C++ or other language

File Activities

File Path Access Attributes Options Completion Count Source Address Symbol

File Path Offset Length Value Ascii Completion Count Source Address Symbol

Registry Activities

Key Path Name Type Data Completion Count Source Address Symbol

Disassembly

Code Analysis