WuXinji-Phone Repair.exe
This report is generated from a file or URL submitted to this webservice on July 13th 2017 09:27:56 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.80 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: contains a remote desktop related string; reads terminal service related keys (often RDP related)
- Spyware: accesses potentially sensitive information from local browsers
- Fingerprint: reads the active computer name
- Spreading: opens the MountPointManager (often used to detect additional infection locations)
Indicators
Not all malicious and suspicious indicators are displayed in the public report.

Malicious Indicators (2)
General

The analysis extracted a file that was identified as malicious
- details
- 1/62 Antivirus vendors marked dropped file "isshell.dat" as malicious (classified as "Trojan.Generic" with 1% detection rate)
- 5/62 Antivirus vendors marked dropped file "1774.xs" as malicious (classified as "W32.Virut" with 8% detection rate)
- source
- Binary File
- relevance
- 10/10
Both verdicts are low-consensus (1 and 5 of 62 engines). "W32.Virut" names a file-infecting virus family; a 5/62 hit on a component an installer drops into its own %TEMP% staging directory should be re-checked against the SHA256 listed under Extracted Files with a second scanner before it is accepted as a confirmed infection.
Installation/Persistence

Scans for the windows taskbar (often used for explorer injection)
- details
- "<Input Sample>" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 5/10
A FindWindow lookup of "Shell_TrayWnd" is also routine for installers and applications that refresh the taskbar or notification area. On its own it is weak evidence of explorer injection, and this report records only one analysed process and no injection into explorer.exe.
Suspicious Indicators (19)

Anti-Detection/Stealthiness

Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
- "<Input Sample>" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source
- Registry Access
- relevance
- 3/10
This is a read (QUERYVAL), not a write, and under the value layout this report uses the blob decodes to a REG_DWORD of 0. WinINet reads the Internet Settings key when it initialises, which the Wininet*Mutex entries further down also show, so the access matches library start-up rather than cache tampering.
Environment Awareness

Reads the active computer name
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
General

Contains ability to find and load resources of a specific module
- details
- FindResourceW@KERNEL32.DLL from 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- FreeResource@KERNEL32.DLL from 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- FindResourceW@KERNEL32.DLL from 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- FindResourceW@KERNEL32.DLL from 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Reads configuration files
- details
- "<Input Sample>" read file "%LOCALAPPDATA%\Microsoft\Windows\History\desktop.ini"
- source
- API Call
- relevance
- 4/10
Installation/Persistence

Drops executable files
- details
- "isshell.dat" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "1774.xs" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
Network Related

Found potential IP address in binary/memory
- details
- Heuristic match: "3.0.2.1.3"
- source
- File/Memory
- relevance
- 3/10
"3.0.2.1.3" has five dotted groups and is not a valid IPv4 address; this is a false positive of the dotted-number heuristic. The Network Analysis section below records no DNS requests and no contacted hosts.
Remote Access Related

Contains a remote desktop related string
- details
- "vnc325$:)" (Indicator for product: Generic VNC)
- source
- File/Memory
- relevance
- 10/10
The match is the three-letter substring "vnc" inside what otherwise looks like non-text data. Nothing else in the report (no dropped VNC component, no listener, no network activity) supports a remote-access capability, so the 10/10 relevance is not borne out by the rest of the run.

Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
This is a read of TSUserEnabled, not a change to Terminal Server configuration. Treat it as environment fingerprinting unless a write to this key is observed.
Spyware/Information Retrieval

Accesses potentially sensitive information from local browsers
- details
- "<Input Sample>" had access to "%APPDATA%\Microsoft\Windows\Cookies\index.dat" (Type: "FileHandle")
- "<Input Sample>" had access to "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat" (Type: "FileHandle")
- "<Input Sample>" had access to "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017030120170302" (Type: "FileHandle")
- "<Input Sample>" had access to "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017071320170714" (Type: "FileHandle")
- "<Input Sample>" had access to "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017071320170714\index.dat" (Type: "FileHandle")
- source
- Touched Handle
- relevance
- 7/10
All five handles are the Internet Explorer cookie and history index.dat stores that WinINet/urlmon open when a process initialises them (compare the _!MSFTHISTORY!_, Zones* and Wininet* mutexes under "Creates mutants"). Together with the dropped 9317.html this is consistent with the sample rendering HTML through the IE engine. The report does not show browser data being read out or sent anywhere, and no network traffic was recorded.
System Destruction

Marks file for deletion
- details
- "C:\1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe" marked "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\is\1774.xs" for deletion
- "C:\1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe" marked "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\is" for deletion
- "C:\1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe" marked "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\isshell.dat" for deletion
- "C:\1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe" marked "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\1491.jpg" for deletion
- "C:\1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe" marked "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\4239.JPG" for deletion
- "C:\1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe" marked "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\4574.jpg" for deletion
- "C:\1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe" marked "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\9317.html" for deletion
- "C:\1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe" marked "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\9493.jpg" for deletion
- "C:\1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe" marked "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res" for deletion
- "C:\1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe" marked "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}" for deletion
- source
- API Call
- relevance
- 10/10

Opens file with deletion access rights
- details
- "<Input Sample>" opened "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\is\1774.xs" with delete access
- "<Input Sample>" opened "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\is" with delete access
- "<Input Sample>" opened "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\isshell.dat" with delete access
- "<Input Sample>" opened "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\1491.jpg" with delete access
- "<Input Sample>" opened "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\4239.JPG" with delete access
- "<Input Sample>" opened "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\4574.jpg" with delete access
- "<Input Sample>" opened "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\9317.html" with delete access
- "<Input Sample>" opened "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\9493.jpg" with delete access
- "<Input Sample>" opened "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res" with delete access
- "<Input Sample>" opened "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}" with delete access
- source
- API Call
- relevance
- 7/10
Every path in both lists lies inside the %TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D} staging directory that the sample created itself (see "Creates a writable file in a temporary directory" below). This is the sample removing its own extracted files on exit, not deletion of user or system data; the "System Destruction" heading and the 10/10 relevance overstate it.
System Security

Modifies proxy settings
- details
- "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
The operation is a DELETEVAL of ZoneMap\ProxyBypass in both HKCU and HKLM; the HKLM delete succeeds because the embedded manifest requests administrator rights (see "Contains PDB pathways" below). It is recorded alongside the urlmon zone-manager mutexes (Zones*CounterMutex), and no write of a ProxyServer or AutoConfigURL value appears among the displayed indicators, so check whether the value existed before the run before treating this as proxy tampering.

Queries sensitive IE security settings
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
A query only; no write to DisableSecuritySettingsCheck is recorded.
Unusual Characteristics

Reads information about supported languages
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
Locale 0x0409 is en-US, matching the en-US resource (.mui) files listed under "Touches files in the Windows directory".

5 further suspicious indicators are not shown in the public report.
Informative (14)

Environment Awareness

Contains ability to query the machine version
- details
- GetVersionExW@KERNEL32.DLL from 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- GetVersion@KERNEL32.DLL from 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- GetVersion@KERNEL32.DLL from 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- GetVersion@kernel32.dll
- GetVersionExW@kernel32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Contains ability to query the system locale
- details
- GetUserDefaultUILanguage@KERNEL32.DLL from 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- EnumSystemLocalesW@KERNEL32.DLL from 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- GetUserDefaultUILanguage@KERNEL32.DLL from 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- EnumSystemLocalesW@kernel32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10

Contains ability to query volume size
- details
- GetDiskFreeSpaceW@KERNEL32.DLL from 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- GetDiskFreeSpaceW@kernel32.dll
- source
- Hybrid Analysis Technology
- relevance
- 3/10

Makes a code branch decision directly after an API that is environment aware
- details
- Found API call GetVersion@KERNEL32.DLL (Target: "1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe"; Stream UID: "00015561-00003124-18289-244-004081A4") which is directly followed by "cmp edx, 05h" and "jne 004081C2h". Related instructions:
  +0 call 00402054h ;GetVersion
  +5 mov edx, 000000FFh
  +10 and edx, eax
  +12 and eax, 0000FF00h
  +17 shr eax, 08h
  +20 cmp edx, 05h
  +23 jne 004081C2h
- Found API call GetVersion@KERNEL32.DLL (Target: "1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe"; Stream UID: "00015561-00003124-18289-251-00406DAC") which is directly followed by "cmp byte ptr [0043FB78h], 00h" and "je 00406E2Ah". Related instructions:
  +19 call 00402054h ;GetVersion
  +24 and eax, 000000FFh
  +29 cmp eax, 06h
  +32 setnb byte ptr [0043FB78h]
  +39 cmp byte ptr [0043FB78h], 00h
  +46 je 00406E2Ah
- source
- Hybrid Analysis Technology
- relevance
- 10/10
GetVersion returns the OS version as a DWORD with the major version in the low byte, the minor version in the next byte and the build number in the high word. The first stream isolates the major and minor bytes and only falls through (does not take the jne) when the major version is 5, i.e. Windows 2000/XP/Server 2003. The second sets the byte at 0043FB78 to 1 when the major version is 6 or higher (setnb is the unsigned "not below" condition), i.e. Vista and later, and the following je branches on that flag. On the Windows 7 SP1 guest (version 6.1) the first comparison fails and the flag is set. Version-gated code paths like these are standard in installers and are not by themselves evasive.
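The two GetVersion checks above, reproduced in Python as an added example (this is not code from the report or from the sample). The bit layout is the documented GetVersion packing; the two sample DWORDs are constructed here for the sandbox's Windows 7 SP1 guest (6.1 build 7601) and for Windows XP SP3 (5.1 build 2600), and the function names use the stream addresses printed in the report.

```python
# GetVersion() packs the OS version into a DWORD:
#   bits 0-7   major version
#   bits 8-15  minor version
#   bits 16-30 build number (bit 31 is clear on NT-based Windows)
# Constructed test values (assumptions for this example, not taken from the report):
WIN7_SP1 = (7601 << 16) | (1 << 8) | 6   # 0x1DB10106, the sandbox guest
WINXP_SP3 = (2600 << 16) | (1 << 8) | 5  # 0x0A280105


def split_version(getversion_dword: int):
    """Return (major, minor, build) the way the sample's code extracts them."""
    major = getversion_dword & 0xFF            # mov edx,0FFh / and edx,eax
    minor = (getversion_dword & 0xFF00) >> 8   # and eax,0FF00h / shr eax,8
    build = (getversion_dword >> 16) & 0x7FFF
    return major, minor, build


def branch_at_004081A4(getversion_dword: int) -> bool:
    """Stream 004081A4: 'cmp edx,05h / jne 004081C2h'.

    True means the fall-through path (major version exactly 5: Windows
    2000/XP/Server 2003) is taken; False means the jne jumps to 004081C2h.
    """
    major, _, _ = split_version(getversion_dword)
    return major == 5


def flag_at_0043FB78(getversion_dword: int) -> int:
    """Stream 00406DAC: 'cmp eax,06h / setnb byte ptr [0043FB78h]'.

    setnb sets the byte when eax >= 6 as an unsigned compare, so the global
    flag is 1 on Vista and later and 0 on XP and older. The following
    'cmp byte ptr [0043FB78h],00h / je 00406E2Ah' then branches on it.
    """
    major, _, _ = split_version(getversion_dword)
    return 1 if major >= 6 else 0


def describe(getversion_dword: int) -> dict:
    """Summarise which way both checks go for a given GetVersion result."""
    major, minor, build = split_version(getversion_dword)
    return {
        "version": f"{major}.{minor}.{build}",
        "nt5_path_taken": branch_at_004081A4(getversion_dword),
        "vista_or_later_flag": flag_at_0043FB78(getversion_dword),
    }


if __name__ == "__main__":
    for name, value in (("Windows 7 SP1 guest", WIN7_SP1), ("Windows XP SP3", WINXP_SP3)):
        print(name, hex(value), describe(value))
```

Run it and the Windows 7 entry shows nt5_path_taken False and vista_or_later_flag 1, which is exactly the path the sandbox guest exercised; the XP entry shows the opposite, so this is the input that would exercise the other branch if the sample were re-run on an older VM.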
Reads the registry for installed applications
- details
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{D3408585-21D0-403A-9FE6-EC2B075EC91D}")
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE")
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE"; Key: "PATH"; Value: "00000000010000005800000043003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F006600740020004F00660066006900630065005C004F0066006600690063006500310034005C000000")
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\1DC6EF251427F563B5EEB240FC4C4B226EAB8822DE67705751A2678CA94C91DA.EXE")
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\1DC6EF251427F563B5EEB240FC4C4B226EAB8822DE67705751A2678CA94C91DA.EXE")
- source
- Registry Access
- relevance
- 10/10
The first path is the Uninstall key for the same GUID the sample uses for its %TEMP% staging directory and for its mutex, i.e. it checks whether it is already installed. The Outlook App Paths value is a REG_SZ whose UTF-16LE payload decodes to "C:\Program Files\Microsoft Office\Office14\", so the sample learns where Office 2010 is installed in the guest. The last two entries are App Paths lookups under the sample's own file name.
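The "Value:" fields in this report, here and under "Queries the internet cache settings", are hex blobs. The decoder below is an added example and not Falcon Sandbox code: the 12-byte header layout (a zero field, a little-endian REG_* type code, a little-endian byte length, then the data) is inferred from the two values on this page and is an assumption, as is the set of type codes it maps. The two blobs are copied from the report.

```python
import struct

# Header layout assumed from the two blobs in this report (not a documented format):
#   bytes 0-3   always zero in the samples seen
#   bytes 4-7   REG_* type code, little-endian
#   bytes 8-11  length of the data in bytes, little-endian
#   bytes 12-   raw value data
HEADER = struct.Struct("<III")

# Standard Windows registry type codes (assumed to be what the type field holds).
REG_TYPES = {
    0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
    4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD",
}

# Copied from the report: App Paths\OUTLOOK.EXE "Path" and
# Internet Settings "DisableCachingOfSSLPages".
OUTLOOK_PATH_BLOB = (
    "00000000010000005800000043003A005C00500072006F006700720061006D0020004600"
    "69006C00650073005C004D006900630072006F0073006F006600740020004F0066006600"
    "6900630065005C004F0066006600690063006500310034005C000000"
)
SSL_CACHE_BLOB = "00000000040000000400000000000000"


def decode_registry_blob(hex_blob: str):
    """Return (type_name, value) for one of the report's hex-encoded registry values."""
    raw = bytes.fromhex(hex_blob)
    if len(raw) < HEADER.size:
        raise ValueError("blob shorter than the 12-byte header")
    _reserved, reg_type, length = HEADER.unpack_from(raw, 0)
    data = raw[HEADER.size:HEADER.size + length]
    if len(data) != length:
        raise ValueError(f"declared length {length} exceeds the {len(raw) - HEADER.size} data bytes present")
    type_name = REG_TYPES.get(reg_type, f"REG_TYPE_{reg_type}")
    if reg_type in (1, 2):                      # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        value = data.decode("utf-16-le").rstrip("\x00")
    elif reg_type == 7:                         # REG_MULTI_SZ: NUL-separated, double-NUL end
        value = [s for s in data.decode("utf-16-le").split("\x00") if s]
    elif reg_type == 4 and length == 4:         # REG_DWORD, little-endian
        value = struct.unpack("<I", data)[0]
    elif reg_type == 11 and length == 8:        # REG_QWORD, little-endian
        value = struct.unpack("<Q", data)[0]
    else:                                       # anything else stays as hex
        value = data.hex()
    return type_name, value


if __name__ == "__main__":
    print(decode_registry_blob(OUTLOOK_PATH_BLOB))
    print(decode_registry_blob(SSL_CACHE_BLOB))
```

The length check matters when pasting values from a report: a truncated blob (the page cuts long strings) would otherwise decode to a silently shortened path.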
General

Contains PDB pathways
- details
- The heuristic matched the substring ".pdb" inside the assembly name "naily.pdbm.exe"; the string is the sample's embedded application manifest, not a debug-symbol path:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
name="naily.pdbm.exe"
processorArchitecture="x86"
version="5.1.0.0"
type="win32"/>
<description>NAILY Soft</description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="x86"
publicKeyToken="6595b64144ccf1df"
language="*"/>
</dependentAssembly>
</dependency>
... Identify the application security requirements. -->
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="requireAdministrator"
uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
- source
- File/Memory
- relevance
- 1/10
The manifest occurs twice in the file followed by PADDINGXX filler; the second copy is identical and is omitted here. It is the most informative item in this section: requestedExecutionLevel level="requireAdministrator" means UAC prompts for elevation at launch, and everything else in this report (the HKLM registry deletes, the %TEMP% drops, the dropped DLL) executes with administrator rights. The assembly name "naily.pdbm.exe" and description "NAILY Soft" do not match the submitted file name.
Creates a writable file in a temporary directory
- details
- "<Input Sample>" created file "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\isshell.dat"
- "<Input Sample>" created file "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\1491.jpg"
- "<Input Sample>" created file "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\4574.jpg"
- "<Input Sample>" created file "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\9317.html"
- "<Input Sample>" created file "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\9493.jpg"
- "<Input Sample>" created file "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\res\4239.JPG"
- "<Input Sample>" created file "%TEMP%\{D3408585-21D0-403A-9FE6-EC2B075EC91D}\is\1774.xs"
- source
- API Call
- relevance
- 1/10
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\{D3408585-21D0-403A-9FE6-EC2B075EC91D}"
- "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\!PrivacIE!SharedMemory!Mutex"
- "\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
- "\Sessions\1\BaseNamedObjects\Local\c:!users!zozzfhm!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
- "\Sessions\1\BaseNamedObjects\Local\c:!users!zozzfhm!appdata!roaming!microsoft!windows!cookies!"
- "\Sessions\1\BaseNamedObjects\Local\c:!users!zozzfhm!appdata!local!microsoft!windows!history!history.ie5!"
- "\Sessions\1\BaseNamedObjects\_!SHMSFTHISTORY!_"
- "\Sessions\1\BaseNamedObjects\Local\c:!users!zozzfhm!appdata!local!microsoft!windows!history!history.ie5!mshist012017071320170714!"
- "\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
- "\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
- "\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
- "Local\WininetProxyRegistryMutex"
- "Local\ZonesLockedCacheCounterMutex"
- "Local\c:!users!zozzfhm!appdata!local!microsoft!windows!history!history.ie5!"
- "Local\ZoneAttributeCacheCounterMutex"
- "Local\c:!users!zozzfhm!appdata!local!microsoft!windows!history!history.ie5!mshist012017071320170714!"
- source
- Created Mutant
- relevance
- 3/10
Only the first mutex belongs to the sample itself: it reuses the GUID of its %TEMP% staging directory and its Uninstall key, which is how an installer guards against a second instance. The Zones*, !PrivacIE!, _!MSFTHISTORY!_, Wininet* and cache-path mutexes are created by WinINet and urlmon when they initialise; "zozzfhm" is the sandbox user account (the %USERNAME% in the file paths above).
Scanning for window names
- details
- "<Input Sample>" searching for class "MS_AutodialMonitor"
- "<Input Sample>" searching for class "MS_WebCheckMonitor"
- "<Input Sample>" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
"MS_AutodialMonitor" and "MS_WebCheckMonitor" are hidden window classes associated with WinINet autodial and Internet Explorer components, consistent with the WinINet initialisation seen in the mutex list; "Shell_TrayWnd" is the taskbar (see the Shell_TrayWnd note under Malicious Indicators).
Installation/Persistence

Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
\ThemeApiPort is the Themes service port that every themed GUI process connects to through uxtheme.

Dropped files
- details
- "9317.html" has type "HTML document UTF-8 Unicode text with very long lines with CRLF line terminators"
- "isshell.dat" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "9493.jpg" has type "JPEG image data JFIF standard 1.02 resolution (DPI) density 72x72 segment length 16 Exif Standard: [TIFF image data big-endian direntries=7 orientation=upper-left xresolution=98 yresolution=106 resolutionunit=2 software=Adobe Photoshop CS4 Windows datetime=2010:06:23 10:06:47] baseline precision 8 509x60 frames 3"
- "4574.jpg" has type "JPEG image data Exif standard: [TIFF image data big-endian direntries=7 orientation=upper-left xresolution=98 yresolution=106 resolutionunit=2 software=Adobe Photoshop CC (Windows) datetime=2017:03:10 16:01:10] progressive precision 8 509x60 frames 3"
- "4239.JPG" has type "JPEG image data Exif standard: [TIFF image data big-endian direntries=7 orientation=upper-left xresolution=98 yresolution=106 resolutionunit=2 software=Adobe Photoshop CC (Windows) datetime=2016:07:04 14:50:26] progressive precision 8 658x76 frames 3"
- "1491.jpg" has type "JPEG image data Exif standard: [TIFF image data big-endian direntries=7 orientation=upper-left xresolution=98 yresolution=106 resolutionunit=2 software=Adobe Photoshop CC (Windows) datetime=2017:03:10 16:38:08] progressive precision 8 546x295 frames 3"
- "1774.xs" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 3/10
The four JPEGs (installer artwork, Photoshop-authored, the newest dated 2017-03-10) and the HTML page are UI resources; the two PE files are the only executable content dropped, and both were flagged by a minority of engines (see Malicious Indicators).

Touches files in the Windows directory
- details
- "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
- "<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
- "<Input Sample>" touched file "%WINDIR%\system32\imageres.dll"
- "<Input Sample>" touched file "%WINDIR%\system32\en-US\imageres.dll.mui"
- "<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
- "<Input Sample>" touched file "%WINDIR%\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\comctl32.dll.mui"
- "<Input Sample>" touched file "%WINDIR%\system32\en-US\USER32.dll.mui"
- "<Input Sample>" touched file "%WINDIR%\system32\OLEACCRC.DLL"
- "<Input Sample>" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
- "<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Cookies"
- "<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Cookies\index.dat"
- "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat"
- source
- API Call
- relevance
- 7/10
These are reads of system resource and localisation files (NLS sorting table, font cache, .mui resources for the Common Controls 6.0 assembly the manifest depends on); no file under %WINDIR% is written.
Network Related

Found potential URL in binary/memory
- details
- Heuristic match: "NAR%_9.KP"
- Heuristic match: "pLQWR_;.vC"
- Heuristic match: "2&xw;X.bn"
- Pattern match: "8Og.re/1z"
- Heuristic match: ".z(Z0F.fr"
- Heuristic match: "]8@TAn.nf"
- Heuristic match: "+,yL`}.tF"
- Heuristic match: "[$NPm.Pt"
- Heuristic match: "|o'=/3z.pt"
- Pattern match: "l.CIl/v}I"
- Heuristic match: ".9_\yJ.ZM"
- Heuristic match: "W
uZ)~.dz"
- Pattern match: "www.wuxinji.com"
- source
- File/Memory
- relevance
- 10/10
Only "www.wuxinji.com" is a real hostname, and it matches the vendor name in the submitted file name; the other twelve matches are runs of non-text bytes that happen to contain a dot followed by two or three letters. The host was not resolved or contacted during the run (see Network Analysis).
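Both the candidate under "Found potential IP address in binary/memory" and the list above come from a loose string heuristic. The triage below is an added example, not part of the report or of Falcon Sandbox: IPv4 candidates are re-checked with a boundary-aware pattern plus the ipaddress module, and URL candidates must carry a syntactically valid DNS name and a URL-safe path. The consistent-case rule is a heuristic of mine for separating real hostnames from random bytes around a dot; it is an assumption, not a property of the sandbox. The candidate lists are copied from this report.

```python
import ipaddress
import re

# Copied from the report's "Found potential IP address" and "Found potential URL" rows.
IP_CANDIDATES = ["3.0.2.1.3"]
URL_CANDIDATES = [
    "NAR%_9.KP", "pLQWR_;.vC", "2&xw;X.bn", "8Og.re/1z", ".z(Z0F.fr",
    "]8@TAn.nf", "+,yL`}.tF", "[$NPm.Pt", "|o'=/3z.pt", "l.CIl/v}I",
    ".9_\\yJ.ZM", "W\nuZ)~.dz",      # the report prints this one across two lines
    "www.wuxinji.com",
]

# A dotted quad that is not glued to further digits or dots on either side;
# "3.0.2.1.3" fails because every 4-group window has a neighbouring '.'.
_IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(?:{_LABEL}\.)+[A-Za-z]{{2,63}}$")
# RFC 3986 path characters (unreserved, sub-delims, ':', '@', '/', '%').
_PATH_OK = re.compile(r"^[A-Za-z0-9._~!$&'()*+,;=:@%/-]*$")
_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def valid_ipv4(candidate: str) -> bool:
    """True only for a well-formed IPv4 address (each octet 0-255)."""
    try:
        return isinstance(ipaddress.ip_address(candidate), ipaddress.IPv4Address)
    except ValueError:
        return False


def find_ipv4(text: str) -> list:
    """Extract IPv4 addresses from arbitrary text, rejecting 5-group runs like 3.0.2.1.3."""
    return [m for m in _IPV4_TOKEN.findall(text) if valid_ipv4(m)]


def plausible_hostname(candidate: str) -> bool:
    """Syntactic DNS-name check on the host part, URL-safe check on any path."""
    stripped = _SCHEME.sub("", candidate)
    host, _, path = stripped.partition("/")
    if not _HOSTNAME.match(host) or not _PATH_OK.match(path):
        return False
    # Heuristic (assumption of this example): hostnames embedded in binaries are
    # written in one case; random byte runs that contain a dot are usually mixed.
    return host == host.lower() or host == host.upper()


def triage(ip_candidates, url_candidates) -> dict:
    """Keep only the candidates that survive validation."""
    return {
        "ips": [c for c in ip_candidates if valid_ipv4(c)],
        "hosts": [c for c in url_candidates if plausible_hostname(c)],
    }


if __name__ == "__main__":
    print(triage(IP_CANDIDATES, URL_CANDIDATES))
```

On the report's own candidates the result is no IP addresses and a single host, www.wuxinji.com; "8Og.re/1z" survives the syntax check (8og.re is a well-formed name) and is dropped only by the case heuristic, which is why that rule is worth keeping visible and adjustable rather than buried in the regex.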
System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
\Device\KsecDD is the kernel endpoint behind the user-mode cryptographic libraries (for example the CNG random-number provider); any process that calls into them opens it, so this line alone carries far less weight than the 10/10 relevance suggests.
File Details
WuXinji-Phone Repair.exe
- Filename
- WuXinji-Phone Repair.exe
- Size
- 73MiB (76803243 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da
- MD5
- b9d2bd0b7d25c676314458d7348731e6
- SHA1
- 5012955841be18fb1cd0e872f7926cdfa1a2d743
Hybrid Analysis
Analysed 1 process in total.
- Input Sample (PID: 3124)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
No network activity was observed during the run; the www.wuxinji.com string found in the binary was neither resolved nor contacted.
Extracted Files

Malicious (2)
1774.xs
- Size
- 241KiB (246272 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "W32.Virut" (5/62)
- Runtime Process
- 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- MD5
- 8c27829e7de264618a75a401024f4f35
- SHA1
- 00f6bbc0cffb6bbde7ac096dc2c651d986a5f4d7
- SHA256
- ea757999f1f14f3f5d2b441c127fad5996f108b2a075e6d368ef7eed8637ee82
-
isshell.dat
- Size
- 843KiB (862720 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Trojan.Generic" (1/62)
- Runtime Process
- 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- MD5
- d8575b7ae87d7adafa92beebd57d9566
- SHA1
- 132599e3ac6aa74a1dfc3857640276d4e487d48a
- SHA256
- 03cd7441de4366397761dbdf028356beb78eb5e8c76f6ba579d3691f5031aba9

Informative (5)
1491.jpg
- Size
- 120KiB (123342 bytes)
- Type
- img image
- Description
- JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CC (Windows), datetime=2017:03:10 16:38:08], progressive, precision 8, 546x295, frames 3
- Runtime Process
- 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- MD5
- 1b0280fbfb8b6212b8585a219677e3d3
- SHA1
- b5b2b69fe08bda9ee37cb5d9f07b2ab2813597d2
- SHA256
- ee825204424856b125760c00244e74be7ffcf6fe5c53be7b18e8b524e0e9fefc
-
4239.JPG
- Size
- 38KiB (38839 bytes)
- Type
- img image
- Description
- JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CC (Windows), datetime=2016:07:04 14:50:26], progressive, precision 8, 658x76, frames 3
- Runtime Process
- 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- MD5
- be7aff74f3972aed83b4742bea58f44f
- SHA1
- d8ebd0cf68562677e8c803c2a5505914c91aef42
- SHA256
- 3aaf8745a9e8fd5269a88ef5d4fa7193a31adfd70e64b5bb5777ee29f26fe5a5
-
4574.jpg
- Size
- 45KiB (45884 bytes)
- Type
- img image
- Description
- JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CC (Windows), datetime=2017:03:10 16:01:10], progressive, precision 8, 509x60, frames 3
- Runtime Process
- 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- MD5
- 763eba2fd72e9aafdbf025ae9c8f661f
- SHA1
- 0e111f20d18b804a543b0e8e18c29665c9879f5a
- SHA256
- b0b6126ff908ce28930438219e34ca4fa29fd03468ad0f8283043730c6192b9d
-
9317.html
- Size
- 16KiB (15931 bytes)
- Type
- html
- Description
- HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
- Runtime Process
- 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- MD5
- e8b1bc00c2a40584f2cfcdc350203bde
- SHA1
- 9cd95965f591e7546704790c1c80ec8fda499cab
- SHA256
- efec40e1ba73ed0eaf73aff35ed1fc16c982d8444abfb108289faede55eb1cfb
-
9493.jpg
- Size
- 18KiB (18592 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS4 Windows, datetime=2010:06:23 10:06:47], baseline, precision 8, 509x60, frames 3
- Runtime Process
- 1dc6ef251427f563b5eeb240fc4c4b226eab8822de67705751a2678ca94c91da.exe (PID: 3124)
- MD5
- d7ec5ff93ffb4d309a4ef1d2152b32a3
- SHA1
- 2b80ef7f5eff6fcdfb1edb52377e3a346c5460ef
- SHA256
- d87638795c1092a7447714a2e95e81b91825d31c6a0339656e7cecedfc4c22a8
-
Notifications
-
Runtime
- No static analysis parsing on sample was performed
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)