Analysis

Category Package Started Completed Duration Options Log
FILE Injection_dll 2020-05-23 04:45:44 2020-05-23 04:49:57 253 seconds
route = inetsim
2020-05-13 09:29:14,933 [root] INFO: Date set to: 20200523T04:45:43, timeout set to: 200
2020-05-23 04:45:43,062 [root] DEBUG: Starting analyzer from: C:\tmp558c2t_g
2020-05-23 04:45:43,062 [root] DEBUG: Storing results at: C:\VjkItZ
2020-05-23 04:45:43,062 [root] DEBUG: Pipe server name: \\.\PIPE\iXmogqeWr
2020-05-23 04:45:43,062 [root] DEBUG: Python path: C:\Users\Louise\AppData\Local\Programs\Python\Python38-32
2020-05-23 04:45:43,062 [root] INFO: Analysis package "Injection_dll" has been specified.
2020-05-23 04:45:43,062 [root] DEBUG: Trying to import analysis package "Injection_dll"...
2020-05-23 04:45:43,062 [root] DEBUG: Imported analysis package "Injection_dll".
2020-05-23 04:45:43,062 [root] DEBUG: Trying to initialize analysis package "Injection_dll"...
2020-05-23 04:45:43,062 [root] DEBUG: Initialized analysis package "Injection_dll".
2020-05-23 04:45:43,125 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.browser"...
2020-05-23 04:45:43,140 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser".
2020-05-23 04:45:43,140 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.curtain"...
2020-05-23 04:45:43,156 [root] DEBUG: Imported auxiliary module "modules.auxiliary.curtain".
2020-05-23 04:45:43,156 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.digisig"...
2020-05-23 04:45:43,171 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig".
2020-05-23 04:45:43,171 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.disguise"...
2020-05-23 04:45:43,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise".
2020-05-23 04:45:43,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.human"...
2020-05-23 04:45:43,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human".
2020-05-23 04:45:43,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.procmon"...
2020-05-23 04:45:43,187 [root] DEBUG: Imported auxiliary module "modules.auxiliary.procmon".
2020-05-23 04:45:43,187 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.screenshots"...
2020-05-23 04:45:43,203 [modules.auxiliary.screenshots] DEBUG: Importing 'time'
2020-05-23 04:45:43,203 [modules.auxiliary.screenshots] DEBUG: Importing 'StringIO'
2020-05-23 04:45:43,203 [modules.auxiliary.screenshots] DEBUG: Importing 'Thread'
2020-05-23 04:45:43,203 [modules.auxiliary.screenshots] DEBUG: Importing 'Auxiliary'
2020-05-23 04:45:43,203 [modules.auxiliary.screenshots] DEBUG: Importing 'NetlogFile'
2020-05-23 04:45:43,203 [modules.auxiliary.screenshots] DEBUG: Importing 'Screenshot'
2020-05-23 04:45:43,203 [lib.api.screenshot] DEBUG: Importing 'math'
2020-05-23 04:45:43,203 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2020-05-23 04:45:43,328 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageGrab'
2020-05-23 04:45:43,328 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageDraw'
2020-05-23 04:45:43,328 [modules.auxiliary.screenshots] DEBUG: Imports OK
2020-05-23 04:45:43,328 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots".
2020-05-23 04:45:43,328 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.sysmon"...
2020-05-23 04:45:43,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.sysmon".
2020-05-23 04:45:43,343 [root] DEBUG: Trying to import auxiliary module "modules.auxiliary.usage"...
2020-05-23 04:45:43,343 [root] DEBUG: Imported auxiliary module "modules.auxiliary.usage".
2020-05-23 04:45:43,343 [root] DEBUG: Trying to initialize auxiliary module "Browser"...
2020-05-23 04:45:43,343 [root] DEBUG: Initialized auxiliary module "Browser".
2020-05-23 04:45:43,343 [root] DEBUG: Trying to start auxiliary module "Browser"...
2020-05-23 04:45:43,343 [root] DEBUG: Started auxiliary module Browser
2020-05-23 04:45:43,343 [root] DEBUG: Trying to initialize auxiliary module "Curtain"...
2020-05-23 04:45:43,359 [root] DEBUG: Initialized auxiliary module "Curtain".
2020-05-23 04:45:43,359 [root] DEBUG: Trying to start auxiliary module "Curtain"...
2020-05-23 04:45:43,359 [root] DEBUG: Started auxiliary module Curtain
2020-05-23 04:45:43,359 [root] DEBUG: Trying to initialize auxiliary module "DigiSig"...
2020-05-23 04:45:43,359 [root] DEBUG: Initialized auxiliary module "DigiSig".
2020-05-23 04:45:43,359 [root] DEBUG: Trying to start auxiliary module "DigiSig"...
2020-05-23 04:45:43,359 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature.
2020-05-23 04:45:43,765 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-05-23 04:45:43,781 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-05-23 04:45:43,781 [root] DEBUG: Started auxiliary module DigiSig
2020-05-23 04:45:43,781 [root] DEBUG: Trying to initialize auxiliary module "Disguise"...
2020-05-23 04:45:43,781 [root] DEBUG: Initialized auxiliary module "Disguise".
2020-05-23 04:45:43,781 [root] DEBUG: Trying to start auxiliary module "Disguise"...
2020-05-23 04:45:43,796 [root] DEBUG: Started auxiliary module Disguise
2020-05-23 04:45:43,796 [root] DEBUG: Trying to initialize auxiliary module "Human"...
2020-05-23 04:45:43,796 [root] DEBUG: Initialized auxiliary module "Human".
2020-05-23 04:45:43,796 [root] DEBUG: Trying to start auxiliary module "Human"...
2020-05-23 04:45:43,812 [root] DEBUG: Started auxiliary module Human
2020-05-23 04:45:43,812 [root] DEBUG: Trying to initialize auxiliary module "Procmon"...
2020-05-23 04:45:43,812 [root] DEBUG: Initialized auxiliary module "Procmon".
2020-05-23 04:45:43,812 [root] DEBUG: Trying to start auxiliary module "Procmon"...
2020-05-23 04:45:43,812 [root] DEBUG: Started auxiliary module Procmon
2020-05-23 04:45:43,828 [root] DEBUG: Trying to initialize auxiliary module "Screenshots"...
2020-05-23 04:45:43,828 [root] DEBUG: Initialized auxiliary module "Screenshots".
2020-05-23 04:45:43,828 [root] DEBUG: Trying to start auxiliary module "Screenshots"...
2020-05-23 04:45:43,828 [root] DEBUG: Started auxiliary module Screenshots
2020-05-23 04:45:43,828 [root] DEBUG: Trying to initialize auxiliary module "Sysmon"...
2020-05-23 04:45:43,843 [root] DEBUG: Initialized auxiliary module "Sysmon".
2020-05-23 04:45:43,843 [root] DEBUG: Trying to start auxiliary module "Sysmon"...
2020-05-23 04:45:43,843 [root] DEBUG: Started auxiliary module Sysmon
2020-05-23 04:45:43,843 [root] DEBUG: Trying to initialize auxiliary module "Usage"...
2020-05-23 04:45:43,843 [root] DEBUG: Initialized auxiliary module "Usage".
2020-05-23 04:45:43,843 [root] DEBUG: Trying to start auxiliary module "Usage"...
2020-05-23 04:45:43,843 [root] DEBUG: Started auxiliary module Usage
2020-05-23 04:45:43,843 [root] INFO: Analyzer: Package modules.packages.Injection_dll does not specify a DLL option
2020-05-23 04:45:43,843 [root] INFO: Analyzer: Package modules.packages.Injection_dll does not specify a DLL_64 option
2020-05-23 04:45:43,843 [root] INFO: Analyzer: Package modules.packages.Injection_dll does not specify a loader option
2020-05-23 04:45:43,843 [root] INFO: Analyzer: Package modules.packages.Injection_dll does not specify a loader_64 option
2020-05-23 04:45:43,906 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments "C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll,#1" with pid 3512
2020-05-23 04:45:43,906 [lib.api.process] INFO: Monitor config for process 3512: C:\tmp558c2t_g\dll\3512.ini
2020-05-23 04:45:43,921 [lib.api.process] INFO: Option 'injection' with value '1' sent to monitor
2020-05-23 04:45:43,921 [lib.api.process] INFO: Option 'procdump' with value '0' sent to monitor
2020-05-23 04:45:43,921 [lib.api.process] INFO: 32-bit DLL to inject is C:\tmp558c2t_g\dll\YJAsqWk.dll, loader C:\tmp558c2t_g\bin\oRFZpHf.exe
2020-05-23 04:45:43,984 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iXmogqeWr.
2020-05-23 04:45:43,984 [root] DEBUG: Loader: Injecting process 3512 (thread 2600) with C:\tmp558c2t_g\dll\YJAsqWk.dll.
2020-05-23 04:45:43,984 [root] DEBUG: Process image base: 0x00C30000
2020-05-23 04:45:44,000 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tmp558c2t_g\dll\YJAsqWk.dll.
2020-05-23 04:45:44,000 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-05-23 04:45:44,000 [root] DEBUG: Successfully injected DLL C:\tmp558c2t_g\dll\YJAsqWk.dll.
2020-05-23 04:45:44,015 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3512
2020-05-23 04:45:46,015 [lib.api.process] INFO: Successfully resumed process with pid 3512
2020-05-23 04:45:46,281 [root] DEBUG: Python path set to 'C:\Users\Louise\AppData\Local\Programs\Python\Python38-32'.
2020-05-23 04:45:46,281 [root] DEBUG: Capture of injected payloads enabled.
2020-05-23 04:45:46,296 [root] DEBUG: Process dumps disabled.
2020-05-23 04:45:46,296 [root] DEBUG: Dropped file limit defaulting to 100.
2020-05-23 04:45:46,296 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-05-23 04:45:46,296 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3512 at 0x6fa60000, image base 0xc30000, stack from 0x214000-0x220000
2020-05-23 04:45:46,312 [root] DEBUG: Commandline: C:\Users\Louise\AppData\Local\Temp\"C:\Windows\system32\rundll32.exe" C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll,#1.
2020-05-23 04:45:46,343 [root] INFO: loaded: b'3512'
2020-05-23 04:45:46,343 [root] INFO: Loaded monitor into process with pid 3512
2020-05-23 04:45:46,343 [root] INFO: Disabling sleep skipping.
2020-05-23 04:45:46,343 [root] INFO: Disabling sleep skipping.
2020-05-23 04:45:46,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0x108 amd local view 0x6F920000 to global list.
2020-05-23 04:45:46,359 [root] DEBUG: MapSectionViewHandler: Added section view with handle 0xc8 amd local view 0x6F900000 to global list.
2020-05-23 04:45:46,375 [root] DEBUG: Target DLL loaded at 0x6F900000: C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll (0x17000 bytes).
2020-05-23 04:45:46,390 [root] DEBUG: set_caller_info: Adding region at 0x6F900000 to caller regions list (ntdll::memcpy).
2020-05-23 04:45:46,421 [root] DEBUG: GetHookCallerBase: thread 2600 (handle 0x0), return address 0x00C31346, allocation base 0x00C30000.
2020-05-23 04:45:46,421 [root] DEBUG: DLL unloaded from 0x6F900000.
2020-05-23 04:45:46,421 [root] DEBUG: DLL unloaded from 0x734D0000.
2020-05-23 04:45:46,421 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-05-23 04:45:46,421 [root] DEBUG: DLL unloaded from 0x734D0000.
2020-05-23 04:45:46,421 [root] DEBUG: DLL unloaded from 0x74F00000.
2020-05-23 04:45:46,437 [root] DEBUG: DLL unloaded from 0x768A0000.
2020-05-23 04:45:46,437 [root] WARNING: Unable to open termination event for pid 3512.
2020-05-23 04:49:06,359 [root] INFO: Analysis timeout hit, terminating analysis.
2020-05-23 04:49:06,359 [lib.api.process] ERROR: Failed to open terminate event for pid 3512
2020-05-23 04:49:06,375 [root] INFO: Terminate event set for process 3512.
2020-05-23 04:49:06,390 [root] INFO: Created shutdown mutex.
2020-05-23 04:49:07,390 [root] INFO: Shutting down package.
2020-05-23 04:49:07,437 [root] INFO: Stopping auxiliary modules.
2020-05-23 04:49:07,640 [lib.common.results] WARNING: File C:\VjkItZ\bin\procmon.xml doesn't exist anymore
2020-05-23 04:49:07,640 [root] INFO: Finishing auxiliary modules.
2020-05-23 04:49:07,640 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-05-23 04:49:07,640 [root] WARNING: Folder at path "C:\VjkItZ\debugger" does not exist, skip.
2020-05-23 04:49:07,656 [root] INFO: Analysis completed.

Machine

Name Label Manager Started On Shutdown On
win7x64_3 win7x64_7 KVM 2020-05-23 04:45:44 2020-05-23 04:49:57

File Details

File Name sgvHFK.dll
File Size 79872 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
PE timestamp 2017-12-18 16:14:44
MD5 62cb6a2a517351472698f669a845f91c
SHA1 31c2e2b490c94430ba10675da73b00e39f6fa626
SHA256 c25812f5c1b6f74ec686a928461601c305da29e6c36bbdce0637cc44d30f2c19
SHA512 be57c34e421e1c4b77296393b2b73dfb160d83ddf24168d20627bb59d8a2d064c87ea8e8a0f5855dbbdb87faa8c7b2217dedcf923ce718e3964ec510601e80f2
CRC32 A3A8B0ED
Ssdeep 1536:yXXE+OMwnpuRSFIOcDqRFUQ4oRARuasWFYcdAZmie1:5+e8RSFIOLR6iAwe5AsiS

Signatures

Dynamic (imported) function loading detected
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: api-ms-win-core-synch-l1-2-0.DLL/InitializeCriticalSectionEx
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/LCMapStringEx
DynamicLoader: sgvHFK.dll/
DynamicLoader: kernel32.dll/FlsFree
File has been identified by 8 Antiviruses on VirusTotal as malicious
Qihoo-360: Generic/Trojan.c8b
ClamAV: Win.Malware.Agent-7761733-0
Rising: Malware.Undefined!8.C (CLOUD)
F-Secure: Trojan.TR/Agent.bdld
Webroot: W32.Trojan.Gen
Avira: TR/Agent.bdld
AegisLab: Trojan.Win32.Generic.4!c
Ikarus: not-a-virus:POC.CalcSec
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Authenticode signature is invalid
authenticode error: No signature found. SignTool Error File not valid C\Users\Louise\AppData\Local\Temp\sgvHFK.dll
Network activity detected but not expressed in API logs

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

DNS

No domains contacted.


Summary

C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll
C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll.123.Manifest
C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll.124.Manifest
C:\Windows\System32\api-ms-win-core-fibers-l1-1-1.DLL
C:\Windows\System32\api-ms-win-core-localization-l1-2-1.DLL
C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll
C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll.123.Manifest
C:\Users\Louise\AppData\Local\Temp\sgvHFK.dll.124.Manifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
kernel32.dll.FlsAlloc
kernel32.dll.FlsSetValue
kernel32.dll.FlsGetValue
kernel32.dll.LCMapStringEx
sgvhfk.dll.#1
kernel32.dll.FlsFree

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version Compile Time Import Hash Exported DLL Name
0x10000000 0x1000133e 0x00000000 0x0001c95a 6.0 2017-12-18 16:14:44 ee6098cc31d97137c683adf69ebbdeea calc.dll

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0000bea4 0x0000c000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.60
.rdata 0x0000c400 0x0000d000 0x00005928 0x00005a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.90
.data 0x00011e00 0x00013000 0x00001178 0x00000800 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 2.03
.rsrc 0x00012600 0x00015000 0x000001e0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.71
.reloc 0x00012800 0x00016000 0x00000e48 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.22

Resources

Name Offset Size Language Sub-language Entropy File type
RT_MANIFEST 0x00015060 0x0000017d LANG_ENGLISH SUBLANG_ENGLISH_US 4.91 None

Imports

0x1000d008 GetCurrentProcess
0x1000d00c TerminateProcess
0x1000d018 GetCurrentProcessId
0x1000d01c GetCurrentThreadId
0x1000d024 InitializeSListHead
0x1000d028 IsDebuggerPresent
0x1000d02c GetStartupInfoW
0x1000d030 GetModuleHandleW
0x1000d034 InterlockedFlushSList
0x1000d038 RtlUnwind
0x1000d03c GetLastError
0x1000d040 SetLastError
0x1000d044 EnterCriticalSection
0x1000d048 LeaveCriticalSection
0x1000d04c DeleteCriticalSection
0x1000d054 TlsAlloc
0x1000d058 TlsGetValue
0x1000d05c TlsSetValue
0x1000d060 TlsFree
0x1000d064 FreeLibrary
0x1000d068 GetProcAddress
0x1000d06c LoadLibraryExW
0x1000d070 ExitProcess
0x1000d074 GetModuleHandleExW
0x1000d078 GetModuleFileNameA
0x1000d07c MultiByteToWideChar
0x1000d080 WideCharToMultiByte
0x1000d084 HeapFree
0x1000d088 HeapAlloc
0x1000d08c CloseHandle
0x1000d090 WaitForSingleObject
0x1000d094 GetExitCodeProcess
0x1000d098 CreateProcessA
0x1000d09c GetFileAttributesExW
0x1000d0a0 FindClose
0x1000d0a4 FindFirstFileExA
0x1000d0a8 FindNextFileA
0x1000d0ac IsValidCodePage
0x1000d0b0 GetACP
0x1000d0b4 GetOEMCP
0x1000d0b8 GetCPInfo
0x1000d0bc GetCommandLineA
0x1000d0c0 GetCommandLineW
0x1000d0c4 GetEnvironmentStringsW
0x1000d0d0 CompareStringW
0x1000d0d4 LCMapStringW
0x1000d0d8 GetProcessHeap
0x1000d0dc GetStdHandle
0x1000d0e0 GetFileType
0x1000d0e4 GetStringTypeW
0x1000d0e8 HeapSize
0x1000d0ec HeapReAlloc
0x1000d0f0 SetStdHandle
0x1000d0f4 FlushFileBuffers
0x1000d0f8 WriteFile
0x1000d0fc GetConsoleCP
0x1000d100 GetConsoleMode
0x1000d104 SetFilePointerEx
0x1000d108 CreateFileW
0x1000d10c WriteConsoleW
0x1000d110 DecodePointer
0x1000d114 RaiseException

Exports

Ordinal Address Name
1 0x10001000 DllCanUnloadNow
2 0x10001010 DllGetClassObject
3 0x10001020 DllRegisterServer
4 0x10001000 DllUnregisterServer
!This program cannot be run in DOS mode.
Rich\Zr
.text
`.rdata
@.data
.rsrc
@.reloc
Y__^[
5ineI
5ntel
t.hlA
URPQQh
BVj(j
SVWUj
;t$,v-
UQPXY]Y[
VVVVV
< t1<
QQSVW
PPPPP
QSSSSj
PPPPP
PPPPP
SWj\V
SSSSS
u"j\S
t.j/V
tVj/V
PPPPP
SSSSS
WWWWW
SSSPSW
u-PSSW
SSVWh
f9:t!V
WSVPP
SWj=V
SSSSS
PPPPP
j(hh
~0WPQ
PRPQh
PPPPP
SystP
emRoSPf
PPPPP
SSSSS
PPPPPPPP
9E WW
t2RWV
PPPPPWS
PP9E u:PPVWP
Y_[^]
D:( t
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`RTTI
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
operator co_await
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
COMSPEC
cmd.exe
CorExitProcess
AreFileApisANSI
CompareStringEx
LCMapStringEx
LocaleNameToLCID
AppPolicyGetProcessTerminationMethod
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
log10
log10
?5Wg4p
BC .=
%S#[k
"B <1=
#.X'=
atan2
floor
ldexp
_cabs
_hypot
frexp
_logb
_nextafter
c:\windows\system32\cmd.exe /c "calc.exe"
C:\Cigital\Tools\calc_security_poc\dll\dll\Release\calc.pdb
.text$mn
.idata$5
.00cfg
.CRT$XCA
.CRT$XCZ
.CRT$XIA
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.rsrc$01
.rsrc$02
calc.dll
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
InterlockedFlushSList
RtlUnwind
GetLastError
SetLastError
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetModuleFileNameA
MultiByteToWideChar
WideCharToMultiByte
HeapFree
HeapAlloc
CloseHandle
WaitForSingleObject
GetExitCodeProcess
CreateProcessA
GetFileAttributesExW
FindClose
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
GetCommandLineA
GetCommandLineW
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableA
CompareStringW
LCMapStringW
GetProcessHeap
GetStdHandle
GetFileType
GetStringTypeW
HeapSize
HeapReAlloc
SetStdHandle
FlushFileBuffers
WriteFile
GetConsoleCP
GetConsoleMode
SetFilePointerEx
CreateFileW
WriteConsoleW
DecodePointer
RaiseException
KERNEL32.dll
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
1*1w1
3h3q3|3
4$4*444>4N4^4n4w4
5'5-535?5E5
7*878[899Y9c9~9
;U;i;p;
<:=e=
=U>h>
1 1O1d1~1
2)232A2\2m2y2
3-3;3G3S3g3}3
4'474I4N4S4z4
5(54595>5n5v5{5
6r6~6
7G7\7
9F:\:
;$;0;H;M;Y;^;r;9<@<R<[<
>L>W>
D0N0j0q0
2H2`2
2R3t3
5X5o5z5
6+606R6o6
7`8k8
849":,:9:l:y:
;$;+;>;n;
;N=S>3?c?
1 111<1Q1\1
5Z6d6
8f8|8
9%:?:V:]:z:
;#;J;_;o;|;
<$<1<K<R<\<~<
=*=1=
0T1{1*2
3%3?3N3X3e3o3
4*4<6i6
7G7P7T7Z7^7d7h7r7
8#868
8"9j9
;0;R;
<)<4<
<V=P>V>d>s>A?F?K?[?`?e?u?z?
0*0P0~0
1,1Q1j1
2/292U2`2e2j2
343>3Z3e3j3o3
404O4r4w4
5D5v5
6J6m6
7K7v7
8(838_8}8
8R9W9\9a9s93:
;3;g;o;
;Z<t<y<Q>k>z>
?(?5?C?Q?\?r?
72A2d2n2
3q3L4r6
182w2
7D8J8
91:K:
;3;I;
; <S<h<y<
<==Y=x=
=C>c>
3(3G3
4:5D5
6&63686F6
6U7q7
8%878I8j8|8
>$>N>%?
0'040d0
4D4N4i4
5!5)51595W5_5
:);F;V;
<\=g=r=x=
>+>>>]>
132R2
5-5C5Y5a5
=a>~>
4K4P4T4X4\4
8d9w9
;;<@<D<H<L<
2 2$2(2,2024282<2@2D2H2L2P2T2X2\2`2d2h2l2p2t2x2|2
;$;(;,;0;4;8;<;@;L;T;\;`;d;h;l;
<(=,=0=4=8=<=@=D=H=L=P=T=X=\=`=d=h=l=p=t=
6 6$6(6,6064686<6@6D6H6L6P6T6X6\6`6d6h6l6p6t6x6|6
=$=,=4=<=D=L=T=\=d=l=t=|=
>$>,>4><>D>L>T>\>d>l>t>|>
?$?,?4?<?D?L?T?\?d?l?t?|?
0$0,040<0D0L0T0\0d0l0t0|0
1$1,141<1D1L1T1\1d1l1t1|1
2$2,242<2D2L2T2\2d2l2t2|2
3$3,343<3D3L3T3\3d3l3t3|3
4$4,48>@>H>P>X>`>h>p>x>
? ?(?0?8?@?H?P?X?`?h?p?x?
0 0(00080@0H0P0X0`0h0p0x0
1 1(10181@1H1P1X1`1h1p1x1
2 2(20282@2H2P2X2`2h2p2x2
3 3(30383@3H3P3X3`3h3p3x3
4 4(40484@4H4P4X4`4h4p4x4
\8d8l8t8|8
9$9,949<9
:@>`>|>
6(6,6
7 7$7(7,7074787<7
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
api-ms-
ext-ms-
mscoree.dll
ja-JP
zh-CN
ko-KR
zh-TW
api-ms-win-core-datetime-l1-1-1
api-ms-win-core-file-l1-2-2
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
advapi32
ntdll
api-ms-win-appmodel-runtime-l1-1-2
user32
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
March
April
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
en-US
((((( H
zh-CHS
ar-SA
bg-BG
ca-ES
cs-CZ
da-DK
de-DE
el-GR
fi-FI
fr-FR
he-IL
hu-HU
is-IS
it-IT
nl-NL
nb-NO
pl-PL
pt-BR
ro-RO
ru-RU
hr-HR
sk-SK
sq-AL
sv-SE
th-TH
tr-TR
ur-PK
id-ID
uk-UA
be-BY
sl-SI
et-EE
lv-LV
lt-LT
fa-IR
vi-VN
hy-AM
az-AZ-Latn
eu-ES
mk-MK
tn-ZA
xh-ZA
zu-ZA
af-ZA
ka-GE
fo-FO
hi-IN
mt-MT
se-NO
ms-MY
kk-KZ
ky-KG
sw-KE
uz-UZ-Latn
tt-RU
bn-IN
pa-IN
gu-IN
ta-IN
te-IN
kn-IN
ml-IN
mr-IN
sa-IN
mn-MN
cy-GB
gl-ES
kok-IN
syr-SY
div-MV
quz-BO
ns-ZA
mi-NZ
ar-IQ
de-CH
en-GB
es-MX
fr-BE
it-CH
nl-BE
nn-NO
pt-PT
sr-SP-Latn
sv-FI
az-AZ-Cyrl
se-SE
ms-BN
uz-UZ-Cyrl
quz-EC
ar-EG
zh-HK
de-AT
en-AU
es-ES
fr-CA
sr-SP-Cyrl
se-FI
quz-PE
ar-LY
zh-SG
de-LU
en-CA
es-GT
fr-CH
hr-BA
smj-NO
ar-DZ
zh-MO
de-LI
en-NZ
es-CR
fr-LU
bs-BA-Latn
smj-SE
ar-MA
en-IE
es-PA
fr-MC
sr-BA-Latn
sma-NO
ar-TN
en-ZA
es-DO
sr-BA-Cyrl
sma-SE
ar-OM
en-JM
es-VE
sms-FI
ar-YE
en-CB
es-CO
smn-FI
ar-SY
en-BZ
es-PE
ar-JO
en-TT
es-AR
ar-LB
en-ZW
es-EC
ar-KW
en-PH
es-CL
ar-AE
es-UY
ar-BH
es-PY
ar-QA
es-BO
es-SV
es-HN
es-NI
es-PR
zh-CHT
af-za
ar-ae
ar-bh
ar-dz
ar-eg
ar-iq
ar-jo
ar-kw
ar-lb
ar-ly
ar-ma
ar-om
ar-qa
ar-sa
ar-sy
ar-tn
ar-ye
az-az-cyrl
az-az-latn
be-by
bg-bg
bn-in
bs-ba-latn
ca-es
cs-cz
cy-gb
da-dk
de-at
de-ch
de-de
de-li
de-lu
div-mv
el-gr
en-au
en-bz
en-ca
en-cb
en-gb
en-ie
en-jm
en-nz
en-ph
en-tt
en-us
en-za
en-zw
es-ar
es-bo
es-cl
es-co
es-cr
es-do
es-ec
es-es
es-gt
es-hn
es-mx
es-ni
es-pa
es-pe
es-pr
es-py
es-sv
es-uy
es-ve
et-ee
eu-es
fa-ir
fi-fi
fo-fo
fr-be
fr-ca
fr-ch
fr-fr
fr-lu
fr-mc
gl-es
gu-in
he-il
hi-in
hr-ba
hr-hr
hu-hu
hy-am
id-id
is-is
it-ch
it-it
ja-jp
ka-ge
kk-kz
kn-in
kok-in
ko-kr
ky-kg
lt-lt
lv-lv
mi-nz
mk-mk
ml-in
mn-mn
mr-in
ms-bn
ms-my
mt-mt
nb-no
nl-be
nl-nl
nn-no
ns-za
pa-in
pl-pl
pt-br
pt-pt
quz-bo
quz-ec
quz-pe
ro-ro
ru-ru
sa-in
se-fi
se-no
se-se
sk-sk
sl-si
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sq-al
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
sv-fi
sv-se
sw-ke
syr-sy
ta-in
te-in
th-th
tn-za
tr-tr
tt-ru
uk-ua
ur-pk
uz-uz-cyrl
uz-uz-latn
vi-vn
xh-za
zh-chs
zh-cht
zh-cn
zh-hk
zh-mo
zh-sg
zh-tw
zu-za
CONOUT$

Full Results

Engine Signature Engine Signature Engine Signature
Bkav Clean MicroWorld-eScan Clean CMC Clean
CAT-QuickHeal Clean Qihoo-360 Generic/Trojan.c8b McAfee Clean
Cylance Clean VIPRE Clean SUPERAntiSpyware Clean
Sangfor Clean CrowdStrike Clean Alibaba Clean
K7GW Clean K7AntiVirus Clean TrendMicro Clean
Baidu Clean Cyren Clean Symantec Clean
ESET-NOD32 Clean APEX Clean Avast Clean
ClamAV Win.Malware.Agent-7761733-0 Kaspersky Clean BitDefender Clean
NANO-Antivirus Clean Paloalto Clean ViRobot Clean
Rising Malware.Undefined!8.C (CLOUD) Endgame Clean Sophos Clean
Comodo Clean F-Secure Trojan.TR/Agent.bdld DrWeb Clean
Zillya Clean Invincea Clean McAfee-GW-Edition Clean
Trapmine Clean FireEye Clean Emsisoft Clean
SentinelOne Clean F-Prot Clean Jiangmin Clean
Webroot W32.Trojan.Gen Avira TR/Agent.bdld Antiy-AVL Clean
Kingsoft Clean Microsoft Clean Arcabit Clean
AegisLab Trojan.Win32.Generic.4!c ZoneAlarm Clean Avast-Mobile Clean
GData Clean TACHYON Clean AhnLab-V3 Clean
Acronis Clean VBA32 Clean ALYac Clean
MAX Clean Ad-Aware Clean Malwarebytes Clean
Zoner Clean TrendMicro-HouseCall Clean Tencent Clean
Yandex Clean Ikarus not-a-virus:POC.CalcSec eGambit Clean
Fortinet Clean BitDefenderTheta Clean AVG Clean
Panda Clean MaxSecure Clean
Sorry! No behavior.

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
Y 1.1.1.1 Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.8 49744 1.1.1.1 53
192.168.1.8 51064 1.1.1.1 53
192.168.1.8 55051 1.1.1.1 53
192.168.1.8 63225 1.1.1.1 53
192.168.1.8 63471 1.1.1.1 53
192.168.1.8 65129 1.1.1.1 53
192.168.1.8 137 192.168.1.255 137
192.168.1.8 49744 8.8.8.8 53
192.168.1.8 51064 8.8.8.8 53
192.168.1.8 55051 8.8.8.8 53
192.168.1.8 63225 8.8.8.8 53
192.168.1.8 63471 8.8.8.8 53
192.168.1.8 65129 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

Source Destination ICMP Type Data
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
1.1.1.1 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3
8.8.8.8 192.168.1.8 3

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.
Defense Evasion
  • T1116 - Code Signing
    • Signature - invalid_authenticode_signature

    Processing ( 9.767 seconds )

    • 5.318 Suricata
    • 1.893 VirusTotal
    • 1.002 Static
    • 0.854 peid
    • 0.505 NetworkAnalysis
    • 0.057 AnalysisInfo
    • 0.05 Deduplicate
    • 0.034 CAPE
    • 0.027 BehaviorAnalysis
    • 0.018 TargetInfo
    • 0.005 Debug
    • 0.004 Strings

    Signatures ( 0.07400000000000001 seconds )

    • 0.011 antiav_detectreg
    • 0.01 ransomware_files
    • 0.006 antiav_detectfile
    • 0.006 ransomware_extensions
    • 0.005 infostealer_ftp
    • 0.005 territorial_disputes_sigs
    • 0.004 antianalysis_detectfile
    • 0.004 infostealer_bitcoin
    • 0.003 persistence_autorun
    • 0.003 infostealer_im
    • 0.002 antianalysis_detectreg
    • 0.002 antivm_vbox_files
    • 0.002 geodo_banking_trojan
    • 0.002 infostealer_mail
    • 0.002 masquerade_process_name
    • 0.001 betabot_behavior
    • 0.001 kibex_behavior
    • 0.001 tinba_behavior
    • 0.001 antivm_vbox_keys
    • 0.001 browser_security
    • 0.001 disables_browser_warn
    • 0.001 revil_mutexes

    Reporting ( 1.495 seconds )

    • 1.197 BinGraph
    • 0.292 MITRE_TTPS
    • 0.006 PCAP2CERT