pockyB_setup.zip
This report was generated from a file or URL submitted to this webservice on November 7th 2017 07:16:53 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v7.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Contains a remote desktop related string
  - Reads terminal service related keys (often RDP related)
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
  - d449ba63a014c72b4ae96c034e6fdae6718ad97f322fa6c6c1649780ddb8d60a
- Associated URLs
  - hxxp://www.pocky.jp/game/ss/data1/win/pockyB_setup.zip
Indicators
Malicious Indicators (4)
- Anti-Detection/Stealthiness
  - Creates a resource fork (ADS) file (often used to hide data)
    - details: "<Input Sample>" created file "%TEMP%\STF1\temp.dat:Zone.Identifier"
    - source: API Call
    - relevance: 8/10
    - note: Zone.Identifier is the Mark-of-the-Web stream that Windows' URL-zone handling attaches to downloaded content. It holds a zone ID (and, on newer builds, the source URL), not a hidden payload, so read the stream's ZoneId before giving this hit the weight shown.
- External Systems
  - Sample was identified as malicious by at least one Antivirus engine
    - details: 1/60 Antivirus vendors marked sample as malicious (1% detection rate)
    - source: External System
    - relevance: 8/10
- Installation/Persistence
  - Writes data to a remote process
    - details:
      - "<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 688)
      - "<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 688)
      - "<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 688)
    - source: API Call
    - relevance: 6/10
    - note: all three writes (88 bytes in total) target handle 688, the msiexec.exe child the sample itself created (see "Creates new processes" under Suspicious Indicators). That child was launched with __COMPAT_LAYER=VistaSetup, and the sample also touched C:\Windows\AppPatch\sysmain.sdb and AcGenral.dll. Small writes into a freshly created child are consistent with application-compatibility shim and environment setup performed by the Windows loader, and no remote thread creation is reported, so this is not by itself evidence of code injection.
- Unusual Characteristics
  - Checks for a resource fork (ADS) file
    - details: "<Input Sample>" checked file "C:\pockyB_setup.exe:Zone.Identifier"
    - source: API Call
    - relevance: 5/10
    - note: checking its own Zone.Identifier stream is how a program finds out whether it was downloaded from the Internet zone; installers commonly do this and it is not suspicious on its own.
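The two Zone.Identifier hits above turn on what the stream contains, which the report does not show. The parser below is an added example and not part of the Hybrid Analysis report: the sample stream is constructed (labelled as such in the code) from the archive URL listed under Associated URLs, kept in the report's defanged hxxp form, and the zone-name table is the Windows URLZONE numbering.

```python
"""Parse a Zone.Identifier alternate data stream (Mark-of-the-Web).

Added example, not part of the sandbox report. The stream text at the bottom is
constructed to look like what Windows writes for a file saved from the report's
download URL; the real stream on the analysis VM was not captured in the report.
"""

# URL security zones as numbered by Windows (URLZONE enumeration).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(stream_text: str) -> dict:
    """Return the Key=Value pairs of the [ZoneTransfer] section as a dict.

    The stream is INI-like: a [ZoneTransfer] header followed by Key=Value lines.
    Other sections and comment lines are ignored; a stream without the section
    yields an empty dict.
    """
    fields = {}
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def zone_of(stream_text: str) -> tuple:
    """Return (zone_id, zone_name), or (None, None) when no usable ZoneId exists."""
    fields = parse_zone_identifier(stream_text)
    try:
        zone_id = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return (None, None)
    return (zone_id, ZONE_NAMES.get(zone_id, "Unknown"))


def is_internet_origin(stream_text: str) -> bool:
    """True when the mark says the file came from the Internet (3) or Restricted (4) zone."""
    zone_id, _ = zone_of(stream_text)
    return zone_id in (3, 4)


# Constructed sample stream (not captured from the sandbox). ReferrerUrl/HostUrl
# only appear on newer Windows builds; ZoneId is the field that matters.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=hxxp://www.pocky.jp/game/ss/data1/win/\r\n"
    "HostUrl=hxxp://www.pocky.jp/game/ss/data1/win/pockyB_setup.zip\r\n"
)

if __name__ == "__main__":
    print(zone_of(SAMPLE_STREAM))            # (3, 'Internet')
    print(is_internet_origin(SAMPLE_STREAM))  # True
```

On a live system the stream is read by opening the path with the `:Zone.Identifier` suffix (or `Get-Content -Stream Zone.Identifier` in PowerShell) and passing the text to `zone_of`; a ZoneId of 3 on temp.dat would simply mean the installer propagated the archive's Internet mark to the file it extracted.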
Suspicious Indicators (18; 1 further suspicious indicator is not shown in the public version of the report)
- Anti-Reverse Engineering
  - PE file has unusual entropy sections
    - details: CODE, DATA and .idata have unusual entropies (7.9989835076, 7.89929819628 and 7.53402636347 respectively)
    - source: Static Parser
    - relevance: 10/10
    - note: entropies this close to 8 bits/byte in the code and import sections mean those sections hold compressed or encrypted data, which matches the ASProtect signature under Informative; static string and import results on this file describe the packer stub, not the unpacked program.
- Environment Awareness
  - Reads the active computer name
    - details:
      - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
    - source: Registry Access
    - relevance: 5/10
  - Reads the cryptographic machine GUID
    - details:
      - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
      - "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
    - source: Registry Access
    - relevance: 10/10
- General
  - Opened the service control manager
    - details: "<Input Sample>" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
    - source: API Call
    - relevance: 10/10
  - Requested access to a system service
    - details: "<Input Sample>" called "OpenService" to access the "AudioSrv" service
    - source: API Call
    - relevance: 10/10
    - note: SC_MANAGER_CONNECT is the minimal SCM right and AudioSrv is the Windows Audio service; no service creation or modification is reported.
- Installation/Persistence
  - Creates new processes
    - details: "<Input Sample>" is creating a new process (Name: "%WINDIR%\System32\msiexec.exe", Handle: 688)
    - source: API Call
    - relevance: 8/10
  - Drops executable files
    - details: "impborl.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
    - source: Binary File
    - relevance: 10/10
- Network Related
  - Found potential IP address in binary/memory
    - details: "3.2.0.0"
    - source: File/Memory
    - relevance: 3/10
    - note: "3.2.0.0" is the FileVersion string from the version resource (see File Details), not an address.
- Remote Access Related
  - Contains a remote desktop related string
    - details: "Y)is#.F)vnce" (Indicator for product: Generic VNC)
    - source: File/Memory
    - relevance: 10/10
    - note: the matched fragment is not a readable VNC string. With the main sections packed at close to 8 bits/byte, short pattern hits inside compressed data are expected; re-check this against the unpacked image before treating it as a remote-access capability.
  - Reads terminal service related keys (often RDP related)
    - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
    - source: Registry Access
    - relevance: 10/10
- System Security
  - Modifies proxy settings
    - details:
      - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
      - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    - source: Registry Access
    - relevance: 10/10
  - Queries sensitive IE security settings
    - details: "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
    - source: Registry Access
    - relevance: 8/10
- Unusual Characteristics
  - Entrypoint in PE header is within an uncommon section
    - details: "pockyB_setup.exe.bin" has an entrypoint in section ".aspack"
    - source: Static Parser
    - relevance: 10/10
  - Imports suspicious APIs
    - details: GetProcAddress, GetModuleHandleA, LoadLibraryA, ShellExecuteA
    - source: Static Parser
    - relevance: 1/10
    - note: this is the minimal import set a packer stub needs to resolve the real program's imports at run time; the unpacked import table is only visible after the ASProtect layer has run.
  - Installs hooks/patches the running process
    - details:
      - "<Input Sample>" wrote bytes "1099767600000000653c8377c855827700000000d0bbeb758012ec75d62d837700000000" to virtual address "0x703E1000" (part of module "KSUSER.DLL")
      - "<Input Sample>" wrote bytes "f6ff8375" to virtual address "0x004F0F5C" (part of module "POCKYB_SETUP.EXE")
      - "<Input Sample>" wrote bytes "93259b65" to virtual address "0x004F116C" (part of module "POCKYB_SETUP.EXE")
      - "<Input Sample>" wrote bytes "4053817758588277186a8277653c83770000000000bfeb750000000056cceb75000000007ccaeb75000000003768b5756a2c8377d62d8377000000002069b5750000000029a6eb7500000000a48db57500000000f70eeb7500000000" to virtual address "0x75F51000" (part of module "NSI.DLL")
    - source: Hook Detection
    - relevance: 10/10
    - note: the written values decode as little-endian 32-bit pointers into loaded system DLLs (for example 653c8377 is 0x77833c65) and land on the first page of KSUSER.DLL and NSI.DLL, where import address tables are commonly placed; that pattern is consistent with import fix-ups at load time rather than with inline hooks. Compare the target addresses against each module's import directory before classifying this as hooking.
  - Reads information about supported languages
    - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
    - source: Registry Access
    - relevance: 3/10
  - Timestamp in PE header is very old or in the future
    - details: "impborl.dll" claims program is from Wed Jun 13 02:28:43 1984
    - source: Static Parser
    - relevance: 10/10
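The "writes data to a remote process" hit above is 88 bytes into a child the sample created itself and launched with a compatibility layer; a write into a process the sample merely opened would be a different matter. An API trace can be triaged on exactly that distinction: where each handle came from, how much was written through it, and whether a thread or APC followed. The code below is an added example rather than the sandbox's scoring logic; the trace is constructed to mirror the report's msiexec.exe events (handle 688, 4 + 32 + 52 bytes), and the OpenProcess/CreateRemoteThread entries targeting explorer.exe are invented to show the contrasting case. The 4 KiB write budget for a child is an assumed threshold.

```python
"""Triage 'writes data to a remote process' hits from an API-call trace.

Added example, not the sandbox's own logic. A write into a process the sample
created is the normal path for loaders, AppCompat shims and environment setup;
a write into a process obtained through OpenProcess, or any write followed by
remote thread creation, is the pattern behind real injection.
"""
from collections import defaultdict

# Assumed threshold: more than this many bytes into a child is no longer
# explained by shim/loader setup and deserves a look at the written content.
CHILD_WRITE_BUDGET = 4096


def triage_remote_writes(events):
    """Return one verdict dict per handle that received a cross-process write.

    events: list of dicts with 'api' plus, depending on the call,
      CreateProcess*                          -> 'target', 'handle' (new child)
      OpenProcess                             -> 'target', 'handle' (existing process)
      WriteProcessMemory/NtWriteVirtualMemory -> 'handle', 'size'
      CreateRemoteThread/NtCreateThreadEx/QueueUserAPC -> 'handle'
    """
    origin = {}                   # handle -> ("child" | "foreign", target path)
    written = defaultdict(int)    # handle -> total bytes written through it
    remote_threads = set()        # handles that also received a thread or APC
    for ev in events:
        api, handle = ev["api"], ev.get("handle")
        if api.startswith("CreateProcess"):
            origin[handle] = ("child", ev["target"])
        elif api == "OpenProcess":
            origin[handle] = ("foreign", ev["target"])
        elif api in ("WriteProcessMemory", "NtWriteVirtualMemory"):
            written[handle] += ev["size"]
        elif api in ("CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC"):
            remote_threads.add(handle)

    verdicts = []
    for handle, total in written.items():
        kind, target = origin.get(handle, ("unknown", "?"))
        if kind == "foreign" or handle in remote_threads:
            verdict = "injection"      # wrote into someone else's process, or started code there
        elif kind == "child" and total <= CHILD_WRITE_BUDGET:
            verdict = "child-setup"    # small writes into its own new child: loader/shim territory
        else:
            verdict = "suspicious"     # large writes into a child, or a handle of unknown origin
        verdicts.append({"target": target, "handle": handle, "bytes": total,
                         "remote_thread": handle in remote_threads, "verdict": verdict})
    return verdicts


# Constructed trace. The first four events mirror the report (msiexec.exe child,
# handle 688, writes of 4 + 32 + 52 bytes); the explorer.exe events are invented
# to show what a genuine injection sequence looks like in the same format.
SAMPLE_TRACE = [
    {"api": "CreateProcessW", "target": r"%WINDIR%\System32\msiexec.exe", "handle": 688},
    {"api": "WriteProcessMemory", "handle": 688, "size": 4},
    {"api": "WriteProcessMemory", "handle": 688, "size": 32},
    {"api": "WriteProcessMemory", "handle": 688, "size": 52},
    {"api": "OpenProcess", "target": r"%WINDIR%\explorer.exe", "handle": 900},
    {"api": "WriteProcessMemory", "handle": 900, "size": 65536},
    {"api": "CreateRemoteThread", "handle": 900},
]

if __name__ == "__main__":
    for v in triage_remote_writes(SAMPLE_TRACE):
        print(f"{v['verdict']:12} {v['bytes']:6d} bytes -> {v['target']} (handle {v['handle']})")
```

Handles are keyed by value only, so a trace in which the same handle number is closed and reused would need the CloseHandle events added to reset `origin`; the sandbox output on this page does not include them.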
-
Informative (13)
- Anti-Reverse Engineering
  - PE file contains zero-size sections
    - details: raw size of "BSS", ".tls", ".reloc" and ".adata" is zero
    - source: Static Parser
    - relevance: 10/10
- Environment Awareness
  - Reads the registry for installed applications
    - details:
      - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MSIEXEC.EXE")
      - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MSIEXEC.EXE")
    - source: Registry Access
    - relevance: 10/10
- General
  - Creates a writable file in a temporary directory
    - details:
      - "<Input Sample>" created file "%TEMP%\STF1\temp.dat"
      - "<Input Sample>" created file "%TEMP%\STF1\temp.dat:Zone.Identifier"
      - "<Input Sample>" created file "%TEMP%\STF1\impborl.dll"
      - "<Input Sample>" created file "%TEMP%\STF1\install_flash_player_active_x.msi"
      - "<Input Sample>" created file "%TEMP%\STF1\installer.swf"
    - source: API Call
    - relevance: 1/10
  - Creates mutants
    - details:
      - "\Sessions\1\BaseNamedObjects\{1B655094-FE2A-433c-A877-FF9793445069}"
      - "\Sessions\1\BaseNamedObjects\Local\MidiMapper_modLongMessage_RefCnt"
      - "{1B655094-FE2A-433c-A877-FF9793445069}"
      - "Local\ZonesCacheCounterMutex"
      - "Local\MidiMapper_modLongMessage_RefCnt"
      - "Local\ZonesLockedCacheCounterMutex"
      - "Local\ZoneAttributeCacheCounterMutex"
      - "Local\ZonesCounterMutex"
      - "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
      - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
      - "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
      - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
      - "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
    - source: Created Mutant
    - relevance: 3/10
    - note: Global\_MSIExecute is the Windows Installer's own mutex, the Zones*Mutex names belong to urlmon's URL-zone cache and MidiMapper_modLongMessage_RefCnt to winmm; the GUID-named mutex is the only one here that cannot be attributed to a Windows component from its name alone.
  - Drops files marked as clean
    - details: Antivirus vendors marked dropped file "impborl.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"); Antivirus vendors marked dropped file "install_flash_player_active_x.msi" as clean (type is "Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Last Saved By: InstallShield, Number of Pages: 110, Number of Characters: 0, Security: 1, Number of Words: 0, Title: Macromedia Flash Player, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Macromedia Flash Player, Author: Macromedia, Name of Creating Application: InstallShield X - Premier Edition 10.0, Last Saved Time/Date: Sat Aug 27 14:39:09 2005, Create Time/Date: Sat Aug 27 14:39:09 2005, Last Printed: Sat Aug 27 14:39:09 2005, Revision Number: {6FDB0BE5-A171-4957-A686-3C9940F63D99}, Code page: 1252, Template: Intel;1033")
    - source: Binary File
    - relevance: 10/10
  - Process launched with changed environment
    - details: Process "msiexec.exe" was launched with new environment variables: "__COMPAT_LAYER="VistaSetup""
    - source: Monitored Target
    - relevance: 10/10
  - Scanning for window names
    - details: "<Input Sample>" searching for class "MS_WINHELP"
    - source: API Call
    - relevance: 10/10
  - Spawns new processes
    - details: Spawned process "msiexec.exe" with commandline "/i "%TEMP%\STF1\install_flash_player_active_x.msi" /Q"
    - source: Monitored Target
    - relevance: 3/10
- Installation/Persistence
  - Dropped files
    - details:
      - "installer.swf" has type "Macromedia Flash data version 6"
      - "impborl.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      - "install_flash_player_active_x.msi" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Last Saved By: InstallShield, Number of Pages: 110, Number of Characters: 0, Security: 1, Number of Words: 0, Title: Macromedia Flash Player, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Macromedia Flash Player, Author: Macromedia, Name of Creating Application: InstallShield X - Premier Edition 10.0, Last Saved Time/Date: Sat Aug 27 14:39:09 2005, Create Time/Date: Sat Aug 27 14:39:09 2005, Last Printed: Sat Aug 27 14:39:09 2005, Revision Number: {6FDB0BE5-A171-4957-A686-3C9940F63D99}, Code page: 1252, Template: Intel;1033"
      - "settings.sxx" has type "data"
    - source: Binary File
    - relevance: 3/10
  - Touches files in the Windows directory
    - details:
      - "<Input Sample>" touched file "C:\Windows\AppPatch\sysmain.sdb"
      - "<Input Sample>" touched file "C:\Windows\AppPatch\AcGenral.dll"
      - "<Input Sample>" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
      - "<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
      - "<Input Sample>" touched file "C:\Windows\System32\en-US\user32.dll.mui"
      - "<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
      - "<Input Sample>" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
      - "<Input Sample>" touched file "C:\Windows\System32\rsaenh.dll"
      - "<Input Sample>" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
      - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
      - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
      - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
      - "<Input Sample>" touched file "C:\Windows\System32\en-US\propsys.dll.mui"
      - "<Input Sample>" touched file "C:\Windows\System32\msiexec.exe"
    - source: API Call
    - relevance: 7/10
    - note: sysmain.sdb is the system application-compatibility shim database and AcGenral.dll the general shim DLL; together with the __COMPAT_LAYER=VistaSetup environment of the msiexec.exe child, this shows the shim engine being engaged for the installer.
- Network Related
  - Found potential URL in binary/memory
    - details:
      - Heuristic match: "mari@sleysis.com"
      - Pattern match: "www.screentime.jp"
      - Heuristic match: "GET /pca3.crl HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Microsoft-CryptoAPI/6.1
        Host: crl.verisign.com"
      - Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ%2FxkCfyHfJr7GQ6M658NRZ4SHo%2FAQUCPVR6Pv%2BPT1kNnxoz1t4qN%2B5xTcCEGW77SR3Suja2Mf5FQqfmI4%3D HTTP/1.1
        Connection: Keep-Alive
        Accept: */*
        User-Agent: Microsoft-CryptoAPI/6.1
        Host: ocsp.verisign.com"
      - Pattern match: "https://www.verisign.com/rpa"
      - Pattern match: "https://d.symcb.com/cps0%"
      - Pattern match: "https://d.symcb.com/rpa0"
      - Pattern match: "https://www.verisign.com/r@H"
      - Pattern match: "http://crl.verisign.com/pca3.crl0U%0++0U0`HB0"
      - Pattern match: "http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0DU"
      - Pattern match: "CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0U#0Q==d6|h[x70`HB0"
      - Heuristic match: ":Oxm'P~.]#5.Cn"
      - Pattern match: "lskYg.Mz/Y0-"
      - Heuristic match: "N:yuh %7+D~:*=<w;xG66wXZ.me"
      - Heuristic match: "2v\3eRMw<7ji.JO"
      - Pattern match: "4NTnyI.Qg/%wyxmsA\N[m0Tzy0b"
      - Heuristic match: "`(wk:Y'K#6kSs qG:6lx9!f;&y1R)R( [v.mR"
      - Heuristic match: "mi)Q5zDN>LE4/6OX*uQ5[7TAVpRZ)-s&Zxy<BVRZb@bTEr.pw"
      - Heuristic match: "K`5Pzg]f$$I'Dn^jW`?& )zbRGeUN*q_y4DT<%.ug&m[{8MWX+P|Ol4rCgl>>Rv~NO2oV!{elv,Oel\e\&6*iESzYYLt~C`UQm2_:lua4z\2T^260O.gb"
      - Heuristic match: "ZhV.AW"
      - Pattern match: "A.nnVY/@g*J"
      - Heuristic match: "RLg=cN&.bV"
      - Heuristic match: "TLdL-}S{[26kU%2-Q8fF''*-7eig0YR;U~7HGdG~jM=B($&sgE;K-,q|8S^(F.QA"
      - Heuristic match: "v<.l}MY4GT_F}7;MRW-]P9`kd]rhW#]5g//To5Mx~*8hWF$my7DZiWtc_K?{:&r:8;z*Es:ESs8Pkm5gc=<]PdNmfZ.mw"
      - Heuristic match: ")K|3YaJ/H5hZ9D2S<s8A,oclNC=C*4jMC[V]ikbzEyig2QeB',p^UlrSf%VNRlmxL*RwTI~Sy.NYVy*:o477(F!S_yS^Q*sc-$Cmu7_F>bP-.NR"
      - Heuristic match: "W*:fvH,BT%H~5@HO^vpmcI6 ~:dTgGqi`t/h34j<?s4/yeJlm]XuTE$G[Wkxt;3GBdVSiUf]K>1.6<uIAjwGUdLwiAfySj.sg"
      - Heuristic match: "~6uq(K6-7V-fm9ZOwX)iNQlKUD:Md]K ;C8cFlX'lt$h=~0y[Nl0Tt!`aT*|L\.Ng"
      - Pattern match: "www.macromedia.com/shockwave/download/activex/flash/ieWin32400.htm"
      - Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
      - Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
      - Pattern match: "https://www.verisign.com/rpa01U*0"
    - source: File/Memory
    - relevance: 10/10
    - note: the verisign.com and symcb.com CRL, OCSP, AIA and CPS URLs are the certificate-chain strings typical of an Authenticode signature and its timestamp, and the two GET requests with the "Microsoft-CryptoAPI/6.1" user agent are how Windows CryptoAPI fetches a CRL and an OCSP response. Network Analysis below records no DNS or HTTP traffic, so these were seen in memory, not on the wire. www.screentime.jp and www.macromedia.com match the version-resource vendor and the dropped Flash Player MSI. The remaining heuristic matches are unreadable fragments from the packed sections.
- Unusual Characteristics
  - Found Delphi 4 - Delphi 2006 artifact
    - details: "pockyB_setup.exe.bin" has a PE timestamp using the buggy magic timestamp 0x2A425E19.
    - source: Static Parser
    - relevance: 10/10
    - note: 0x2A425E19 decodes to 1992-06-19 22:22:17 UTC, a fixed value those Delphi linkers wrote, so the real build date of the main executable is unknown.
  - Matched Compiler/Packer signature
    - details: "pockyB_setup.exe.bin" was detected as "ASProtect vx.x"
    - source: Static Parser
    - relevance: 10/10
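Several of the static findings on this page (section entropies near 8 bits/byte, an entry point inside .aspack, zero-size sections, and the Delphi magic timestamp 0x2A425E19) can be reproduced from the COFF header and section table alone. The script below is an added example, not the sandbox's parser: it reads those fields with `struct`, computes per-section Shannon entropy, and reports the same indicator classes. Because the real binary is not reproduced here, it builds a constructed minimal PE32 image with a CODE section, an .aspack section and an empty .reloc section (labelled as constructed in the code); the 7.0-bit entropy threshold and the set of "usual" entry sections are assumptions.

```python
"""Reproduce the static PE indicators from the COFF header and section table.

Added example, not the sandbox's parser. parse_pe/find_indicators work on any
PE32 or PE32+ file; build_sample_pe makes a constructed stand-in image, not
pockyB_setup.exe, so the script runs without the original sample.
"""
import struct
from math import log2

DELPHI_MAGIC_TIMESTAMP = 0x2A425E19        # fixed value written by Delphi 4-2006 linkers
HIGH_ENTROPY = 7.0                         # assumed: bits/byte above which a section looks packed
COMMON_ENTRY_SECTIONS = {".text", "CODE"}  # assumed: where an unpacked entry point normally lives


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Return the COFF timestamp, entry-point RVA and per-section metadata with entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint: same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_address": vaddr,
                         "virtual_size": vsize, "raw_size": rawsize, "entropy": shannon_entropy(raw)})
    return {"timestamp": timestamp, "entry_point": entry_rva, "sections": sections}


def find_indicators(info: dict) -> list:
    """Map the parsed fields onto the indicator classes the report uses."""
    hits = []
    if info["timestamp"] == DELPHI_MAGIC_TIMESTAMP:
        hits.append("delphi-magic-timestamp")
    ep = info["entry_point"]
    for s in info["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= ep < s["virtual_address"] + span and s["name"] not in COMMON_ENTRY_SECTIONS:
            hits.append(f"entrypoint-in:{s['name']}")
        if s["raw_size"] == 0:
            hits.append(f"zero-size:{s['name']}")
        elif s["entropy"] >= HIGH_ENTROPY:
            hits.append(f"high-entropy:{s['name']}:{s['entropy']:.2f}")
    return hits


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image: a NOP-filled CODE section, a uniform-byte '.aspack'
    section that holds the entry point, an empty '.reloc', and the Delphi magic timestamp.
    Only the header fields parse_pe reads are filled in; it is not a loadable program."""
    secs = [(b"CODE", 0x1000, b"\x90" * 0x400),            # one byte value only: entropy 0
            (b".aspack", 0x2000, bytes(range(256)) * 16),   # every value equally often: entropy 8
            (b".reloc", 0x3000, b"")]                       # zero raw size
    e_lfanew, opt_size = 0x40, 0xE0
    first_raw = (e_lfanew + 24 + opt_size + 40 * len(secs) + 0x1FF) & ~0x1FF  # 0x200 file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), DELPHI_MAGIC_TIMESTAMP, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2010)   # AddressOfEntryPoint inside .aspack
    headers, body, ptr = bytearray(), bytearray(), first_raw
    for name, vaddr, data in secs:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data) or 0x10, vaddr,
                               len(data), ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += len(data)
    image = dos + b"PE\0\0" + coff + bytes(opt) + bytes(headers)
    return image + b"\0" * (first_raw - len(image)) + bytes(body)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for s in info["sections"]:
        print(f"{s['name']:8} raw={s['raw_size']:#7x} entropy={s['entropy']:.4f}")
    print(find_indicators(info))
```

On a real file, replace `build_sample_pe()` with `open(path, "rb").read()`; the entropy figures the report gives for CODE, DATA and .idata are what `shannon_entropy` returns for those sections' raw bytes, and the ".aspack" entry-point hit and the zero-size BSS/.tls/.reloc/.adata hits come out of `find_indicators` the same way.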
File Details
pockyB_setup.exe
- Filename: pockyB_setup.exe
- Size: 1.5MiB (1594027 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 85b0cb41b852a592a92543087f937aaeb681cf782e0523fa11686f690daf4c79
- MD5: 981e71b5d75b10e511779d21d23447bc
- SHA1: 488f9ef74cc0dee9c62eab891d0cc0fdad2124c5
- ssdeep: 24576:DZogY/wfvjYGIxM7yeBdjFHRBgZqRQl1SKICUEibZJioowraN80UdouiFcrdJP1x:DZowv8GIazvQPTcUya1Gh7Pll
- imphash: 72394ac6e4a4a2a0dc135f52db2f567e
- authentihash: 38fbf43d14f25921b9ce73bcbdfdaca4f161a59b714df0a5db700e1ddb9ac15d
- Compiler/Packer: ASProtect vx.x
- PDB Pathway: -
Version Info
- LegalCopyright: Made with ScreenTime. Copyright 2006 FIVESTAR interactive
- InternalName: -
- FileVersion: 3.2.0.0
- CompanyName: FIVESTAR interactive
- LegalTrademarks: ScreenTime is a registered trademark of ScreenTime Media.
- Comments: -
- ProductName: ScreenTime for Flash
- ProductVersion: 1.0.0.0
- FileDescription: Screen Saver Installer
- OriginalFilename: -
- Translation: 0x0411 0x03a4 (language 0x0411 = Japanese, code page 0x03a4 = 932, Shift-JIS)
Classification (TrID)
- 88.6% (.EXE) ASPack compressed Win32 Executable (generic)
- 4.3% (.DLL) Win32 Dynamic Link Library (generic)
- 2.9% (.EXE) Win32 Executable (generic)
- 1.3% (.EXE) Win16/32 Executable Delphi generic
- 1.3% (.EXE) Generic Win/DOS Executable
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- pockyB_setup.exe (PID: 1084), AV detection 1/60
- msiexec.exe /i "%TEMP%\STF1\install_flash_player_active_x.msi" /Q (PID: 832)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Clean (2)
- impborl.dll
  - Size: 12KiB (12288 bytes)
  - Type: pedll executable
  - Description: PE32 executable (DLL) (console) Intel 80386, for MS Windows
  - AV Scan Result: 0/90
  - Runtime Process: pockyB_setup.exe (PID: 1084)
  - MD5: 23a38a0f3b5fb112809c339725a9e318
  - SHA1: 165dc2cb79d167b53bd35d42eb9ff33087040a19
  - SHA256: 7f86b2a4d53df100d8572c1615e809c11df9765054e394773b033aed083719ff
- install_flash_player_active_x.msi
  - Size: 1.6MiB (1646592 bytes)
  - Type: rtf (a misclassification by the type detector; the description below identifies an OLE2 compound document, i.e. a Windows Installer database)
  - Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Last Saved By: InstallShield, Number of Pages: 110, Number of Characters: 0, Security: 1, Number of Words: 0, Title: Macromedia Flash Player, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Macromedia Flash Player, Author: Macromedia, Name of Creating Application: InstallShield X - Premier Edition 10.0, Last Saved Time/Date: Sat Aug 27 14:39:09 2005, Create Time/Date: Sat Aug 27 14:39:09 2005, Last Printed: Sat Aug 27 14:39:09 2005, Revision Number: {6FDB0BE5-A171-4957-A686-3C9940F63D99}, Code page: 1252, Template: Intel;1033
  - AV Scan Result: 0/56
  - Runtime Process: msiexec.exe (PID: 832)
  - MD5: 0d7970af5a8b26172f1f9b9d444c6702
  - SHA1: 285e8b781e0f41b0ad49cbb116cda3c64eb7df8f
  - SHA256: cdb7096a70777dbe95299e93688c6ae8105f8e21ed2adfeb049638ed2e860e70
Informative (2)
- settings.sxx
  - Size: 348B (348 bytes)
  - Type: data
  - Runtime Process: pockyB_setup.exe (PID: 1084)
  - MD5: baa95c987519d8010761dc79ca526808
  - SHA1: 86627a727ebf30f166daee6361e97c0f08da62b3
  - SHA256: 1cdf5b1245d691d977e2b463278a7e46c0d353b2fc91d3d59d121603ffaa1e15
- installer.swf
  - Size: 121KiB (124100 bytes)
  - Type: flash
  - Description: Macromedia Flash data, version 6
  - Runtime Process: pockyB_setup.exe (PID: 1084)
  - MD5: d28784e68b240055b4cdb148ddce7643
  - SHA1: 208cb157545d1c6b35e66e95cbdab3481b74bb76
  - SHA256: a70cdfd0d1fcda6af3fe0d886db8f7a66a384f6c6bae8d982302d4891ae2478e