Copyright Joe Security LLC 2018
TRANSCRIPT
ID: 45429
Sample Name: iview450_x64_setup.exe
Cookbook: default.jbs
Time: 20:35:08
Date: 07/02/2018
Version: 20.0.0
Table of Contents
Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
    Signature Overview
      Networking
      System Summary
      HIPS / PFW / Operating System Protection Evasion
      Anti Debugging
      Malware Analysis System Evasion
    Simulations
      Behavior and APIs
    Antivirus Detection
      Initial Sample
      Dropped Files
      Domains
    Yara Overview
      Initial Sample
      PCAP (Network Traffic)
      Dropped Files
      Memory Dumps
      Unpacked PEs
    Joe Sandbox View / Context
      IPs
      Domains
      ASN
      Dropped Files
    Created / dropped Files
    Contacted Domains/Contacted IPs
      Contacted Domains
      Contacted IPs
    Static File Info
      General
      File Icon
      Static PE Info
        General
        Authenticode Signature
        Entrypoint Preview
        Data Directories
        Sections
        Resources
        Imports
        Version Infos
        Possible Origin
    Network Behavior
    Code Manipulations
    Statistics
    System Behavior
    Disassembly
Analysis Report
Overview
General Information
Joe Sandbox Version: 20.0.0
Analysis ID: 45429
Start time: 20:35:08
Joe Sandbox Product: CloudBasic
Start date: 07.02.2018
Overall analysis duration: 0h 1m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: iview450_x64_setup.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: UNKNOWN
Classification: unknown1.winEXE@0/0@0/0
Cookbook Comments: Adjust boot time; Found application associated with file extension: .exe; Unable to launch sample, stop analysis
Warnings:
Errors: Nothing to analyse, Joe Sandbox has not found any analysis process or sample; Unable to start the sample
Detection
Strategy: Threshold
Score: 1
Range: 0 - 100
Reporting: Report FP / FN

Confidence
Strategy: Threshold
Score: 4
Range: 0 - 5
Further Analysis Required?: false

Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe
Analysis Advice
Sample requires a 64-bit OS; try executing the sample on a 64-bit version of Windows.
Note that the sample never ran in this analysis (see Errors above), so the UNKNOWN detection and the dynamic sections below carry no weight either way: every finding in this report comes from static inspection of the file, and the "does not show much activity (idle)" signatures are a consequence of the failed launch, not evidence of sandbox evasion. Treat this report as inconclusive until the sample has been re-run on a 64-bit analysis system.
Signature Overview
[Classification chart: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner, each rated on a clean / suspicious / malicious scale]
Classification

Signature sections:
• Networking
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
Networking:
Urls found in memory or binary data
System Summary:
PE file has a high image base, often used for DLLs
Submission file is bigger than most known malware samples
PE file has a big raw section
Contains modern PE file flags such as dynamic base (ASLR) or NX
Binary contains paths to debug symbols
PE file contains a valid data directory to section mapping
Classification label
PE file has an executable .text section and no other executable section
Sample is known by Antivirus (Virustotal or Metascan)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
HIPS / PFW / Operating System Protection Evasion:
May try to detect the Windows Explorer process (often used for injection)
Anti Debugging:
Program does not show much activity (idle)
Malware Analysis System Evasion:
Program does not show much activity (idle)
Simulations
Behavior and APIs
No simulations

Antivirus Detection
Initial Sample
Source: iview450_x64_setup.exe, Detection: 0%, Cloud: virustotal
Source: iview450_x64_setup.exe, Detection: 0%, Cloud: metadefender
Dropped Files
No Antivirus matches
Domains
No Antivirus matches

Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches

Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
Dropped Files
No context
Static File Info
General
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.907057461035224
TrID:
  Win64 Executable GUI (202006/5) 98.05%
  Generic Win/DOS Executable (2004/3) 0.97%
  DOS Executable Generic (2002/1) 0.97%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: iview450_x64_setup.exe
File size: 3508360
MD5: d363d95fbdcdb7ba62dd0bbd99cb14ec
SHA1: 277e0a617003967f6fe7f1035401d7c7014b73b6
SHA256: aa0bdf15331cabaf02c96b1027525ef42d5068c1c999dc3b6bbd1903b24977b3
SHA512: 4e69ddb1a7ef5258fe211d99741cd01673a8ac419f5e9ef788ecce39f48c197fd4bd1a05fbd5c2261a857c869e71835be6ff4491f796cc29235a72505b82d8d8
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X................+.......+~......+a......+z.....Z.Q.....Z.n.......Q......JQ.....Z.P..............JT.......j......Jo.....Rich...
File Icon

Created / dropped Files
No created / dropped files found

Contacted Domains/Contacted IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos

Static PE Info
General
Entrypoint: 0x14002f194
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x59DCA5D7 [Tue Oct 10 10:49:59 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2771268012a0624dc6df4a313ed0440c

Authenticode Signature
Signature Valid: true
Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 2/2/2016 1:00:00 AM
Not After: 2/3/2020 12:59:59 AM
Subject Chain: CN=Irfan Skiljan, O=Irfan Skiljan, STREET=Postfach 48, L=Wiener Neustadt, S=NOE, PostalCode=2700, C=AT
Version: 3
Thumbprint: 5CC1EABEF72CF2867FDB4509F0CC13C2CB5C132A
Serial: 00E50CACF3CFD70EAEBF28A3A5E04ED4A7
Consistency check: the signature was validated on the analysis date (07.02.2018), the file's link time (10 Oct 2017) lies inside the certificate's validity window, and the certificate subject matches the CompanyName in the version resource below (Irfan Skiljan). Anyone re-verifying the file after the Not After date should expect a different result unless the signature carries a trusted countersignature timestamp, which this report does not show.
Entrypoint Preview
The listing below was produced by a 32-bit decoder although the file is PE32+: the 0x48 byte that opens most lines is the REX.W prefix in 64-bit mode, so "dec eax / sub esp, 28h" is really sub rsp, 28h, "dec eax / mov ecx, eax" is mov rcx, rax, and "dec esp / mov eax, ecx" is mov r8, rcx. Read the listing as 64-bit code, or re-disassemble the entry point at RVA 0x2f194 in 64-bit mode. The opening sequence (sub rsp, 28h / call / add rsp, 28h / jmp) is the familiar MSVC x64 CRT entry stub: security-cookie initialisation followed by a tail jump into the CRT's common main, which fits the "Binary contains paths to debug symbols" signature for an ordinary Visual C++ build.
Instruction
dec eax
sub esp, 28h
call 00007F02B8A1C95Ch
dec eax
add esp, 28h
jmp 00007F02B8A15D9Bh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [000397C9h]
jne 00007F02B8A15F73h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F02B8A15F64h
rep ret
dec eax
ror ecx, 10h
jmp 00007F02B8A168AAh
int3
dec eax
test ecx, ecx
je 00007F02B8A15F99h
push ebx
dec eax
sub esp, 20h
dec esp
mov eax, ecx
dec eax
mov ecx, dword ptr [00040024h]
xor edx, edx
call dword ptr [0001A3F4h]
test eax, eax
jne 00007F02B8A15F79h
call 00007F02B8A1878Ch
dec eax
mov ebx, eax
call dword ptr [0001A3BAh]
mov ecx, eax
call 00007F02B8A1879Ch
mov dword ptr [ebx], eax
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
mov edx, 00000008h
lea ecx, dword ptr [edx+18h]
call 00007F02B8A1D102h
dec eax
mov ecx, eax
dec eax
mov ebx, eax
call dword ptr [0001A1A9h]
dec eax
mov dword ptr [00042B1Ah], eax
dec eax
mov dword ptr [00042B0Bh], eax
dec eax
test ebx, ebx
jne 00007F02B8A15F67h
Data Directories
Name                                   Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x64418          0x8c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x77000          0x2e7c20      .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x72000          0x41dc        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY         0x357000         0x1888        .rsrc (see note)
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x35f000         0x1888        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x5b7c0          0x70          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x49000          0xa18         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x64028          0xe0          .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0              0x0
Note: the address field of IMAGE_DIRECTORY_ENTRY_SECURITY is a file offset, not an RVA (the Authenticode certificate table is never mapped into memory), so its "Is in Section" attribution is not meaningful. The empty TLS directory agrees with the empty "TLS Callbacks" field above, and the empty COM_DESCRIPTOR entry with the empty "CLR (.Net) Version" field.

Sections
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x1000           0x4794c       0x47a00   False     0.517847404014   data       6.36517594419   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x49000          0x1d506       0x1d600   False     0.308011968085   data       4.32748433768   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x67000          0xad78        0x4200    False     0.231534090909   data       3.36826326102   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata  0x72000          0x41dc        0x4200    False     0.482776988636   data       5.7303045911    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x77000          0x2e7c20      0x2e7e00  unknown   unknown          unknown    unknown         IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x35f000         0x1888        0x1a00    False     0.324368990385   data       5.37207452601   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
The sections are laid out contiguously on 0x1000 boundaries, only .text is executable and no section is both writable and executable. The virtual size of .data (0xad78) exceeds its raw size (0x4200); the difference is the zero-filled tail the loader provides for uninitialised globals, not missing data.
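The section and data-directory attributions in the two tables above can be reproduced without the sample. The following is an added example (not Joe Sandbox code and not from the IrfanView project): it embeds this report's section table, data directories, entry point, image base, time stamp and resource sizes as constants and runs the checks the static signatures rely on, including the file-offset caveat for the SECURITY directory. The section alignment of 0x1000 is an assumption, since the report does not list it.

```python
"""Consistency checks over the static PE values reported above.

Added example: the section table, data directories, entry point and image
base below are copied from this report's tables; the checking logic is this
example's own (not Joe Sandbox code) and runs without the sample file.
"""
from datetime import datetime, timezone

IMAGE_BASE = 0x140000000
ENTRYPOINT_VA = 0x14002F194
TIMESTAMP = 0x59DCA5D7          # IMAGE_FILE_HEADER.TimeDateStamp from the report
SECTION_ALIGNMENT = 0x1000      # assumed: the usual page alignment; the report does not list it
FILE_SIZE = 3508360
ZIP_RESOURCE_SIZE = 0x2E3218    # size of the ZIP resource from the Resources table

# name -> (virtual address, virtual size, raw size, executable) from the Sections table
SECTIONS = {
    ".text":  (0x1000,   0x4794C,  0x47A00,  True),
    ".rdata": (0x49000,  0x1D506,  0x1D600,  False),
    ".data":  (0x67000,  0xAD78,   0x4200,   False),
    ".pdata": (0x72000,  0x41DC,   0x4200,   False),
    ".rsrc":  (0x77000,  0x2E7C20, 0x2E7E00, False),
    ".reloc": (0x35F000, 0x1888,   0x1A00,   False),
}

# name -> (address field, size) from the Data Directories table; empty entries omitted
DATA_DIRECTORIES = {
    "IMPORT":       (0x64418,  0x8C),
    "RESOURCE":     (0x77000,  0x2E7C20),
    "EXCEPTION":    (0x72000,  0x41DC),
    "SECURITY":     (0x357000, 0x1888),
    "BASERELOC":    (0x35F000, 0x1888),
    "LOAD_CONFIG":  (0x5B7C0,  0x70),
    "IAT":          (0x49000,  0xA18),
    "DELAY_IMPORT": (0x64028,  0xE0),
}


def _round_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def section_for_rva(rva):
    """Return the section whose mapped range contains rva, or None.

    The loader reserves the virtual size rounded up to the section alignment,
    so that (not the raw size) defines the range an RVA can fall into.
    """
    for name, (va, vsize, _raw, _exec) in SECTIONS.items():
        if va <= rva < va + _round_up(vsize, SECTION_ALIGNMENT):
            return name
    return None


def entry_point_section():
    """The report's 'Entrypoint Section' check: AddressOfEntryPoint is an RVA."""
    return section_for_rva(ENTRYPOINT_VA - IMAGE_BASE)


def check_data_directories():
    """Map every data directory to the section holding it, as the report does.

    IMAGE_DIRECTORY_ENTRY_SECURITY is the one directory whose address field is
    a file offset rather than an RVA (the certificate table is never mapped),
    so resolving it against the section table would be meaningless; it is
    labelled instead of resolved. A directory that starts and ends in
    different sections, or outside any section, maps to None.
    """
    mapping = {}
    for name, (addr, size) in DATA_DIRECTORIES.items():
        if name == "SECURITY":
            mapping[name] = "file offset (not mapped)"
            continue
        first = section_for_rva(addr)
        last = section_for_rva(addr + size - 1)
        mapping[name] = first if first is not None and first == last else None
    return mapping


def executable_sections():
    """The 'executable .text section and no other executable section' check."""
    return [name for name, (_va, _vs, _raw, is_exec) in SECTIONS.items() if is_exec]


def zero_filled_tail():
    """Bytes the loader zero-fills per section (virtual size beyond raw size)."""
    return {name: vsize - raw
            for name, (_va, vsize, raw, _exec) in SECTIONS.items() if vsize > raw}


def zip_resource_share():
    """Fraction of the file taken up by the embedded ZIP resource."""
    return round(ZIP_RESOURCE_SIZE / FILE_SIZE, 2)


def pe_timestamp(ts=TIMESTAMP):
    """Decode TimeDateStamp (seconds since the Unix epoch) the way the report prints it."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


if __name__ == "__main__":
    print("entry point in", entry_point_section())
    for directory, section in check_data_directories().items():
        print(f"{directory:<13} -> {section}")
    print("executable sections:", executable_sections())
    print("zero-filled tails:", {k: hex(v) for k, v in zero_filled_tail().items()})
    print("ZIP resource share:", zip_resource_share())
    print("link time:", pe_timestamp())
```

With the report's numbers the entry point resolves to .text, every RVA-based directory lands in the section the report names, .text is the only executable section, only .data has a zero-filled tail, the ZIP resource accounts for about 86% of the file, and the time stamp decodes to the same UTC string the report prints. Swapping in the section table of another sample turns this into a quick cross-check of any sandbox's static PE summary.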
Resources
Name           RVA       Size      Type                                                           Language  Country
TXT            0x35d4f0  0xc0a     Little-endian UTF-16 Unicode text, with CRLF line terminators  German    Austria
ZIP            0x7a2d8   0x2e3218  Zip archive data, at least v2.0 to extract                     German    Austria
RT_BITMAP      0x79d18   0x5bc     data                                                           German    Austria
RT_ICON        0x78ee0   0x8a8     data                                                           German    Austria
RT_ICON        0x79788   0x568     GLS_BINARY_LSB_FIRST                                           German    Austria
RT_DIALOG      0x77460   0x58e     data                                                           English   United States
RT_DIALOG      0x779f0   0x334     data                                                           English   United States
RT_DIALOG      0x77d28   0xf4      data                                                           English   United States
RT_DIALOG      0x77e20   0x408     data                                                           English   United States
RT_DIALOG      0x78228   0x408     data                                                           English   United States
RT_DIALOG      0x78630   0x7c      data                                                           English   United States
RT_STRING      0x35e100  0x5ca     data                                                           German    Austria
RT_STRING      0x35e6d0  0x22e     data                                                           German    Austria
RT_STRING      0x35e900  0x22e     data                                                           German    Austria
RT_STRING      0x35eb30  0xf0      data                                                           German    Austria
RT_GROUP_ICON  0x79cf0   0x22      MS Windows icon resource - 2 icons, 32x32, 256-colors          German    Austria
RT_VERSION     0x786b0   0x3b0     data                                                           English   United States
RT_MANIFEST    0x78a60   0x47a     XML document text                                              English   United States
The ZIP resource (0x2e3218 bytes, roughly 86% of the 3508360-byte file) is the payload this installer carries. It is why .rsrc is by far the largest section, why the file-level entropy is 7.9 although the code section sits at 6.4, and what the "big raw section" and "executable resources (Code or Archives)" signatures above fire on; the resource is an archive, not embedded code.

Imports
DLL           Import
KERNEL32.dll  GlobalReAlloc, GlobalHandle, LocalAlloc, LocalReAlloc, CompareStringW, GetLocaleInfoW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GetCurrentDirectoryW, DeleteFileW, FindClose, FindFirstFileW, FlushFileBuffers, GetFullPathNameW, GetVolumeInformationW, SetEndOfFile, GetCurrentProcess, FindResourceExW, SetErrorMode, FileTimeToLocalFileTime, GetFileAttributesExW, IsDebuggerPresent, IsProcessorFeaturePresent, CreateDirectoryW, GetLocalTime, SetEnvironmentVariableW, SetCurrentDirectoryW, RtlUnwindEx, RtlLookupFunctionEntry, RtlPcToFileHeader, TlsFree, HeapQueryInformation, GetStdHandle, GetFileType, GetStartupInfoW, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, RtlCaptureContext, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsValidCodePage, GetOEMCP, GetCPInfo, GetStringTypeW, GetDriveTypeW, GetConsoleMode, ReadConsoleW, GetConsoleCP, SetFilePointerEx, GetTimeZoneInformation, OutputDebugStringW, LCMapStringW, SetStdHandle, WriteConsoleW, SetEnvironmentVariableA, TlsSetValue, TlsGetValue, TlsAlloc, FileTimeToSystemTime, InitializeCriticalSection, GlobalFlags, WaitForSingleObject, VirtualProtect, GetPrivateProfileIntW, lstrcmpA, GetVersionExW, GetCurrentThread, GlobalFindAtomW, GlobalAddAtomW, lstrcmpW, GlobalDeleteAtom, LoadLibraryExW, GetCurrentThreadId, LeaveCriticalSection, EnterCriticalSection, EncodePointer, FormatMessageW, LocalFree, GlobalFree, GlobalAlloc, GlobalUnlock, GlobalLock, GetCurrentProcessId, QueryActCtxW, FindActCtxSectionStringW, DeactivateActCtx, ActivateActCtx, HeapReAlloc, CreateActCtxW, GetModuleHandleExW, InitializeCriticalSectionAndSpinCount, SetLastError, OutputDebugStringA, GetACP, WriteFile, SetFilePointer, ReadFile, DosDateTimeToFileTime, CloseHandle, SetFileTime, LocalFileTimeToFileTime, GetFileTime, CreateFileW, LoadLibraryExA, Sleep, FreeResource, LockResource, GetTempPathW, WritePrivateProfileStringW, MultiByteToWideChar, GetModuleFileNameW, SizeofResource, GetPrivateProfileStringW, MoveFileExW, LoadResource, FindResourceW, GetDateFormatW, GetEnvironmentVariableW, GetProcAddress, VerifyVersionInfoW, GetSystemDirectoryW, GetModuleHandleW, VerSetConditionMask, GetCommandLineW, lstrcpyW, GetWindowsDirectoryW, WinExec, lstrcatW, lstrlenW, LoadLibraryW, WideCharToMultiByte, FreeLibrary, DeleteCriticalSection, DecodePointer, HeapSize, GetLastError, RaiseException, InitializeCriticalSectionEx, MulDiv, GetProcessHeap, HeapFree, HeapAlloc, ExitProcess
USER32.dll    AdjustWindowRectEx, MapWindowPoints, GetWindowLongPtrW, SetWindowLongPtrW, GetClassLongPtrW, GetClassNameW, GetTopWindow, GetWindow, SetWindowsHookExW, UnhookWindowsHookEx, CallNextHookEx, WinHelpW, MonitorFromWindow, GetMonitorInfoW, ShowWindow, SetDlgItemTextW, GetDlgItemTextW, IsDlgButtonChecked, SendDlgItemMessageW, SetWindowTextW, IsDialogMessageW, PostQuitMessage, GetAsyncKeyState, MapDialogRect, GetMessageW, TranslateMessage, GetCursorPos, CreateDialogIndirectParamW, EndDialog, GetNextDlgTabItem, RealChildWindowFromPoint, GetSysColorBrush, DestroyMenu, CharUpperW, ValidateRect, GetForegroundWindow, SetActiveWindow, SetMenu, GetMenu, GetCapture, GetKeyState, SetFocus, GetDlgCtrlID, GetDlgItem, IsWindowVisible, SetWindowPos, DestroyWindow, CreateWindowExW, GetWindowTextLengthW, GetClassInfoW, RegisterClassW, CallWindowProcW, DefWindowProcW, PostMessageW, GetMessageTime, PeekMessageW, DispatchMessageW, RegisterWindowMessageW, GetMenuItemCount, GetMenuItemID, GetSubMenu, ClientToScreen, EndPaint, BeginPaint, TabbedTextOutW, GrayStringW, DrawTextExW, DrawTextW, CopyRect, GetLastActivePopup, GetWindowThreadProcessId, GetWindowLongW, IsWindowEnabled, SetMenuItemInfoW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, EnableMenuItem, CheckMenuItem, GetFocus, SendDlgItemMessageA, FillRect, DrawIcon, RedrawWindow, SetForegroundWindow, FindWindowExW, LoadIconW, SystemParametersInfoW, GetActiveWindow, MessageBoxW, GetSystemMetrics, UpdateWindow, FindWindowW, LoadStringW, SetCursor, SetTimer, ScreenToClient, GetWindowRect, KillTimer, GetParent, LoadCursorW, MessageBeep, GetClientRect, PtInRect, GetDC, InflateRect, CopyIcon, InvalidateRect, ReleaseDC, SetWindowLongW, GetDesktopWindow, GetSysColor, IsWindow, SendMessageW, EnableWindow, GetMessagePos, GetWindowTextW, RemovePropW, GetPropW, SetPropW, GetClassInfoExW, UnregisterClassW, LoadBitmapW
GDI32.dll     ExtTextOutW, CreateSolidBrush, Escape, GetClipBox, PtVisible, RectVisible, RestoreDC, SaveDC, SelectObject, SetBkMode, SetMapMode, SetBkColor, SetTextColor, TextOutW, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, OffsetViewportOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, EnumFontFamiliesExW, DeleteObject, CreateBitmap, GetTextExtentPoint32W, CreateFontIndirectW, GetObjectW, GetStockObject, DeleteDC, GetDeviceCaps, CreateDCW
ADVAPI32.dll  RegSetValueExW, RegEnumValueW, RegEnumKeyW, RegDeleteValueW, RegCreateKeyExW, RegQueryValueW, RegDeleteKeyW, RegQueryValueExW, RegSetValueW, RegCreateKeyW, RegCloseKey, RegOpenKeyExW
SHELL32.dll   SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHChangeNotify, SHBrowseForFolderW, ShellExecuteW
COMCTL32.dll  InitCommonControlsEx
All imports are resolved by name through the ordinary import table; the import set (registry writes, file and directory creation, resource loading, WinExec and ShellExecuteW) is what an MFC-style installer needs and matches the version resource's description of the file.

Version Infos
Description       Data
LegalCopyright    Copyright 2017 by Irfan Skiljan, Austria
InternalName      IrfanView 64-bit Installer
FileVersion       4.5.0.0
CompanyName       Irfan Skiljan
Comments          IrfanView 64-bit Installer
ProductName       IrfanView 64-bit Installer
ProductVersion    4.5.0.0
FileDescription   IrfanView 64-bit Installer
OriginalFilename  iview450_x64_setup.exe
Translation       0x0c07 0x04b0 (language 0x0c07 = German (Austria), code page 0x04b0 = Unicode)

Possible Origin
Language of compilation system  Country where language is spoken
German                          Austria
English                         United States

Network Behavior
No network behavior found

Code Manipulations