Analysis

Category Package Started Completed Duration
FILE exe 2019-05-16 03:17:44 2019-05-16 03:21:28 224 seconds
route = internet
procdump = 1
2019-05-16 04:17:44,000 [root] INFO: Date set to: 05-16-19, time set to: 03:17:44, timeout set to: 200
2019-05-16 04:17:44,030 [root] DEBUG: Starting analyzer from: C:\yuhuxoae
2019-05-16 04:17:44,030 [root] DEBUG: Storing results at: C:\dkWhzaRMDL
2019-05-16 04:17:44,030 [root] DEBUG: Pipe server name: \\.\PIPE\dPIlmQe
2019-05-16 04:17:44,030 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-05-16 04:17:44,030 [root] INFO: Automatically selected analysis package "exe"
2019-05-16 04:17:44,390 [root] DEBUG: Started auxiliary module Browser
2019-05-16 04:17:44,404 [root] DEBUG: Started auxiliary module Curtain
2019-05-16 04:17:44,404 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-05-16 04:17:44,872 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-05-16 04:17:44,872 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-05-16 04:17:44,872 [root] DEBUG: Started auxiliary module DigiSig
2019-05-16 04:17:44,872 [root] DEBUG: Started auxiliary module Disguise
2019-05-16 04:17:44,872 [root] DEBUG: Started auxiliary module Human
2019-05-16 04:17:44,872 [root] DEBUG: Started auxiliary module Screenshots
2019-05-16 04:17:44,872 [root] DEBUG: Started auxiliary module Sysmon
2019-05-16 04:17:44,872 [root] DEBUG: Started auxiliary module Usage
2019-05-16 04:17:44,872 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2019-05-16 04:17:44,872 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2019-05-16 04:17:44,936 [lib.api.process] INFO: Successfully executed process from path "C:\Users\user\AppData\Local\Temp\printer.exe" with arguments "" with pid 264
2019-05-16 04:17:45,170 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2019-05-16 04:17:45,170 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-05-16 04:17:45,170 [lib.api.process] INFO: 64-bit DLL to inject is C:\yuhuxoae\dll\QGvHeJsJ.dll, loader C:\yuhuxoae\bin\VGYKnUCL.exe
2019-05-16 04:17:45,184 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\dPIlmQe.
2019-05-16 04:17:45,184 [root] DEBUG: Loader: Injecting process 264 (thread 1988) with C:\yuhuxoae\dll\QGvHeJsJ.dll.
2019-05-16 04:17:45,184 [root] DEBUG: Process image base: 0x0000000000A50000
2019-05-16 04:17:45,184 [root] DEBUG: InjectDllViaIAT: Executable image invalid.
2019-05-16 04:17:45,184 [root] DEBUG: Successfully injected DLL C:\yuhuxoae\dll\QGvHeJsJ.dll.
2019-05-16 04:17:45,184 [lib.api.process] INFO: Injected into suspended 64-bit process with pid 264
2019-05-16 04:17:47,197 [lib.api.process] INFO: Successfully resumed process with pid 264
2019-05-16 04:17:47,197 [root] INFO: Added new process to list with pid: 264
2019-05-16 04:21:08,983 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-05-16 04:21:08,983 [root] INFO: Created shutdown mutex.
2019-05-16 04:21:09,997 [root] INFO: Setting terminate event for process 264.
2019-05-16 04:21:09,997 [lib.api.process] ERROR: Failed to open terminate event for pid 264
2019-05-16 04:21:09,997 [root] INFO: Terminating process 264 before shutdown.
2019-05-16 04:21:09,997 [root] INFO: Waiting for process 264 to exit.
2019-05-16 04:21:11,012 [root] INFO: Waiting for process 264 to exit.
2019-05-16 04:21:12,026 [root] INFO: Waiting for process 264 to exit.
2019-05-16 04:21:13,039 [root] INFO: Waiting for process 264 to exit.
2019-05-16 04:21:14,053 [lib.api.process] INFO: Successfully terminated process with pid 264.
2019-05-16 04:21:14,053 [root] INFO: Waiting for process 264 to exit.
2019-05-16 04:21:15,068 [root] INFO: Shutting down package.
2019-05-16 04:21:15,068 [root] INFO: Stopping auxiliary modules.
2019-05-16 04:21:15,068 [root] INFO: Finishing auxiliary modules.
2019-05-16 04:21:15,068 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-05-16 04:21:15,068 [root] WARNING: File at path "C:\dkWhzaRMDL\debugger" does not exist, skip.
2019-05-16 04:21:15,068 [root] INFO: Analysis completed.

MalScore

0.6

Benign

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-05-16 03:17:44 2019-05-16 03:21:28

File Details

File Name printer.exe
File Size 99840 bytes
File Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 737c25827d25e6e244e7690ba38acf4f
SHA1 1abf0e502622668848f804f03168803686a745eb
SHA256 f6e1e425650abc6c0465758edf3c089a1dde5b9f58d26a50d3b8682cc38f12c8
SHA512 3d7eeb8b00b37d23f31b6ee403e73779c09e79732281f64cb71c39e09b8e572b4fba54bd3c538fbc0d0b3e6557e0cac47fc45c2eb9323e538205e5ce75fd00ee
CRC32 38931453
Ssdeep 1536:nvW29b2lbzp08DVIdA7zPd4n+lbeRZIbSQPWB:nvWMalbzBDym3PRyZ2pPWB
TrID
  • 55.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73294/58/13)
  • 21.0% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 9.9% (.SCR) Windows screen saver (13101/52/3)
  • 5.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 3.4% (.EXE) Win32 Executable (generic) (4508/7/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

HTTP traffic contains suspicious features which may be indicative of malware related traffic
post_no_referer: HTTP traffic contains a POST request with no referer header
suspicious_request: http://systemservicex.azurewebsites.net/data.asmx
Performs some HTTP requests
url: http://systemservicex.azurewebsites.net/data.asmx

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 United States
N 13.69.68.1 Netherlands

DNS

Name Response Post-Analysis Lookup
systemservicex.azurewebsites.net CNAME waws-prod-am2-253.cloudapp.net
CNAME waws-prod-am2-253.sip.azurewebsites.windows.net
A 13.69.68.1

Summary

PE Information

Image Base 0x00400000
Entry Point 0x0040beca
Reported Checksum 0x00000000
Actual Checksum 0x0001cbd9
Minimum OS Version 4.0
PDB Path D:\almashreq\almashreq\NewApp\NewApp\obj\Debug\Printer.pdb
Compile Time 2019-04-30 08:02:04
Import Hash f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00002000 0x00009ed0 0x0000a000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.82
.rsrc 0x0000c000 0x0000e0b0 0x0000e200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.37
.reloc 0x0001c000 0x0000000c 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 0.08

Imports

Library mscoree.dll:
0x402000 _CorExeMain

.text
`.rsrc
@.reloc
v2.0.50727
#Strings
#GUID
#Blob
<>9__0_0
<Format>b__0_0
<>9__2_0
<GetLocalIPAddress>b__2_0
Nullable`1
IEnumerable`1
IOrderedEnumerable`1
IEnumerator`1
List`1
Microsoft.Win32
Int32
Func`2
<Module>
get_NewApp_Data_DATA
get_ID
set_ID
commandID
get_SelectID
set_SelectID
System.IO
PuplicIP
System.Data
NewApp.Data
GetData
mscorlib
System.Collections.Generic
saveimageAsync
InvokeAsync
ResponseAsync
ConnectionStringAsync
CancelAsync
ModelAsync
SendMailAsync
ConnectionStringWellAsync
CommandsAsync
WellFilesAsync
SettingsAsync
ScriptsAsync
ExecutedSelectAsync
SetAsync
ConfermScriptAsync
LockListAsync
SelectlistAsync
Thread
Interlocked
set_Enabled
get_Cancelled
cancelled
get_Connected
add_saveimageCompleted
remove_saveimageCompleted
add_ResponseCompleted
remove_ResponseCompleted
add_ConnectionStringCompleted
remove_ConnectionStringCompleted
add_ModelCompleted
remove_ModelCompleted
add_SendMailCompleted
remove_SendMailCompleted
add_ConnectionStringWellCompleted
remove_ConnectionStringWellCompleted
OnsaveimageOperationCompleted
OnResponseOperationCompleted
OnConnectionStringOperationCompleted
OnModelOperationCompleted
OnSendMailOperationCompleted
OnConnectionStringWellOperationCompleted
OnCommandsOperationCompleted
OnWellFilesOperationCompleted
OnFilesOperationCompleted
OnSettingsOperationCompleted
OnScriptsOperationCompleted
OnExecutedSelectOperationCompleted
OnSetOperationCompleted
OnConfermScriptOperationCompleted
OnLockListOperationCompleted
OnSelectlistOperationCompleted
add_CommandsCompleted
remove_CommandsCompleted
add_FilesCompleted
remove_FilesCompleted
add_WellFilesCompleted
remove_WellFilesCompleted
add_SettingsCompleted
remove_SettingsCompleted
add_ScriptsCompleted
remove_ScriptsCompleted
add_ExecutedSelectCompleted
remove_ExecutedSelectCompleted
add_SetCompleted
remove_SetCompleted
add_ConfermScriptCompleted
remove_ConfermScriptCompleted
add_LockListCompleted
remove_LockListCompleted
add_SelectlistCompleted
remove_SelectlistCompleted
executed
Synchronized
get_id
set_id
selectIDField
idField
selectCommandField
commandField
codeField
enableField
pCNameField
nameField
dateField
<Setting_Result>k__BackingField
formatingField
urlField
ReadToEnd
get_Command
set_Command
DbCommand
SqlCommand
get_SelectCommand
set_SelectCommand
method
IsLocalFileSystemWebService
TaskService
defaultInstance
get_Code
set_Code
saveimage
get_Message
add_InfoMessage
Connection_InfoMessage
CompareExchange
EndInvoke
BeginInvoke
get_Enable
set_Enable
Enumerable
IDisposable
DownloadFile
SoapParameterStyle
set_WindowStyle
ProcessWindowStyle
get_PCName
set_PCName
get_Name
set_Name
set_FileName
get_MachineName
get_FullName
AppName
get_UserName
get_HostName
GetHostName
hostName
GetProcessesByName
get_FriendlyName
filename
DateTime
CommandLine
WriteLine
Combine
ProtocolType
SocketType
Compare
Where
System.Core
SoapBindingUse
ApplicationSettingsBase
Database
Response
Close
close
Dispose
Parse
get_date
set_date
MulticastDelegate
DebuggerBrowsableState
get_UserState
userState
Delete
CompilerGeneratedAttribute
GuidAttribute
SoapDocumentMethodAttribute
GeneratedCodeAttribute
DebuggerNonUserCodeAttribute
NeutralResourcesLanguageAttribute
DebuggableAttribute
DebuggerBrowsableAttribute
ComVisibleAttribute
AssemblyTitleAttribute
XmlTypeAttribute
DefaultSettingValueAttribute
WebServiceBindingAttribute
ApplicationScopedSettingAttribute
SpecialSettingAttribute
DebuggerStepThroughAttribute
AssemblyTrademarkAttribute
AssemblyFileVersionAttribute
AssemblyConfigurationAttribute
AssemblyDescriptionAttribute
CompilationRelaxationsAttribute
AssemblyProductAttribute
AssemblyCopyrightAttribute
XmlElementAttribute
AssemblyCompanyAttribute
DesignerCategoryAttribute
RuntimeCompatibilityAttribute
set_UseShellExecute
SetValue
value
EndReceive
BeginReceive
Remove
Printer.exe
Resize
IndexOf
System.Threading
OrderByDescending
Encoding
ConnectionString
ToString
GetString
Substring
get_Formating
set_Formating
SpecialSetting
Flush
AsyncCallback
SendOrPostCallback
callback
FindTask
RunningTask
NewTask
set_Interval
System.ComponentModel
SendMail
ConnectionStringWell
System.Xml
HttpWebClientProtocol
SoapHttpClientProtocol
get_Url
set_Url
Program
get_Item
System
Boolean
TimeSpan
AppDomain
get_CurrentDomain
System.Configuration
System.Xml.Serialization
ExecAction
System.Reflection
ActionCollection
TriggerCollection
get_Connection
DbConnection
SqlConnection
RegisterTaskDefinition
get_Repetition
add_UnhandledException
CurrentDomain_UnhandledException
get_InnerException
exception
System.Web.Services.Description
set_Description
System.Data.Common
StringComparison
RepetitionPattern
FileInfo
DriveInfo
FileSystemInfo
get_RegistrationInfo
TaskRegistrationInfo
get_StartInfo
ProcessStartInfo
DirectoryInfo
Sleep
RunApp
NewApp
AddApplicationToStartup
System.Linq
StreamReader
TextReader
TaskFolder
get_RootFolder
sender
DailyTrigger
saveimageCompletedEventHandler
ResponseCompletedEventHandler
ConnectionStringCompletedEventHandler
ModelCompletedEventHandler
SendMailCompletedEventHandler
ConnectionStringWellCompletedEventHandler
CommandsCompletedEventHandler
WellFilesCompletedEventHandler
SettingsCompletedEventHandler
ScriptsCompletedEventHandler
ExecutedSelectCompletedEventHandler
SetCompletedEventHandler
ConfermScriptCompletedEventHandler
LockListCompletedEventHandler
SelectlistCompletedEventHandler
SqlInfoMessageEventHandler
UnhandledExceptionEventHandler
System.CodeDom.Compiler
Microsoft.Win32.TaskScheduler
CurrentUser
StreamWriter
TextWriter
Printer
Master
get_Error
SaveError
IEnumerator
GetEnumerator
.ctor
.cctor
System.Diagnostics
RunCommands
System.Web.Services
System.Runtime.InteropServices
System.Runtime.CompilerServices
System.Resources
DebuggingModes
GetDirectories
NewApp.Properties
DownloadFiles
WellFiles
GetFiles
FileAttributes
GetAttributes
SetAttributes
FromMinutes
GetBytes
GetDrives
SocketFlags
Settings
AsyncCompletedEventArgs
InvokeCompletedEventArgs
ConnectionStringCompletedEventArgs
ModelCompletedEventArgs
SendMailCompletedEventArgs
ConnectionStringWellCompletedEventArgs
CommandsCompletedEventArgs
WellFilesCompletedEventArgs
SettingsCompletedEventArgs
ScriptsCompletedEventArgs
LockListCompletedEventArgs
SelectlistCompletedEventArgs
SqlInfoMessageEventArgs
UnhandledExceptionEventArgs
get_UseDefaultCredentials
set_UseDefaultCredentials
System.Web.Services.Protocols
Contains
get_Actions
System.Collections
get_Triggers
GetServers
FormatingClass
TempClass
SchedulerClass
SocketClass
Process
GetLocalIPAddress
System.Net.Sockets
get_Results
results
Scripts
Exists
Concat
Format
FileObject
get_ExceptionObject
object
ExecutedSelect
Connect
System.Net
Socket
WaitForExit
get_Default
GetValueOrDefault
Formating_Setting_Result
get_Setting_Result
set_Setting_Result
GetCommands_Result
GetSelectStatements_Result
get_Result
IAsyncResult
result
WebClient
System.Data.SqlClient
Environment
get_Current
ConfermScript
ThreadStart
get_Port
LockList
ToList
get_AddressList
Selectlist
get_Host
get_StandardInput
set_RedirectStandardInput
get_StandardOutput
set_RedirectStandardOutput
MoveNext
System.Text
get_Now
set_CreateNoWindow
Array
OpenSubKey
RegistryKey
get_AddressFamily
useDefaultCredentialsSetExplicitly
set_StartBoundary
RaiseExceptionIfNecessary
ExecuteNonQuery
CreateDirectory
IPHostEntry
GetHostEntry
Registry
op_Equality
op_Inequality
Empty
Printer Services
Printer Update software
Printer
2010
$07c8a591-c255-4a63-aab1-6352ecb73c70
7.4.3.0
4.7.3056.0
4.7.3056.0
16.0.0.0
1http://systemservicex.azurewebsites.net/data.asmx
D:\almashreq\almashreq\NewApp\NewApp\obj\Debug\Printer.pdb
_CorExeMain
mscoree.dll
wwwwwwp
8AYeghw.
8IL..
jaL6T-.
k8Kgu,
g82S~S2
g523am%
p522Om
~I228
wwwxw
wwwwp
h6<;6h|
h;6<<<
y<<<<
ixww>
[vvv0
XgV^0
</assembly>
NewApp_Data_DATA
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
000004b0
Comments
Printer Update software
CompanyName
FileDescription
Printer Services
FileVersion
7.4.3.0
InternalName
Printer.exe
LegalCopyright
2010
LegalTrademarks
OriginalFilename
Printer.exe
ProductName
Printer
ProductVersion
7.4.3.0
Assembly Version
7.4.3.0
This file is not on VirusTotal.

TCP

Source Source Port Destination Destination Port
192.168.35.21 49164 13.69.68.1 systemservicex.azurewebsites.net 80
192.168.35.21 49165 13.69.68.1 systemservicex.azurewebsites.net 80

UDP

Source Source Port Destination Destination Port
192.168.35.21 53447 8.8.8.8 53
192.168.35.21 58094 8.8.8.8 53

HTTP Requests

URI Data
http://systemservicex.azurewebsites.net/data.asmx
POST /data.asmx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5420)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Settings"
Host: systemservicex.azurewebsites.net
Content-Length: 327
Expect: 100-continue
Connection: Keep-Alive

http://systemservicex.azurewebsites.net/data.asmx
POST /data.asmx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5420)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Set"
Host: systemservicex.azurewebsites.net
Content-Length: 324
Expect: 100-continue

http://systemservicex.azurewebsites.net/data.asmx
POST /data.asmx HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.5420)
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Set"
Host: systemservicex.azurewebsites.net
Content-Length: 323
Expect: 100-continue

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 0.437 seconds )

  • 0.108 Static
  • 0.087 TrID
  • 0.069 CAPE
  • 0.068 TargetInfo
  • 0.037 Deduplicate
  • 0.034 static_dotnet
  • 0.018 NetworkAnalysis
  • 0.009 Strings
  • 0.005 AnalysisInfo
  • 0.001 BehaviorAnalysis
  • 0.001 Debug

Signatures ( 0.039 seconds )

  • 0.007 antiav_detectreg
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.003 ransomware_files
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail
  • 0.001 network_torgateway

Reporting ( 0.0 seconds )

Task ID 74102
Mongo ID 5cdcd739f284885ccecee992
Cuckoo release 1.3-CAPE