Windows
Analysis Report
efaxmessengersetup-5-4-2-1.exe
Overview
General Information
Detection
Score: 24 (range 0-100)
Whitelisted: false
Confidence: 40%
Compliance
Score: 19 (range 0-100)
Signatures
Yara detected Generic Downloader
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops PE files to the application program directory (C:\ProgramData)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Creates files inside the system directory
Stores files to the Windows start menu directory
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
EXE planting / hijacking vulnerabilities found
Modifies existing windows services
DLL planting / hijacking vulnerabilities found
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks for available system drives (often done to infect USB drives)
Creates or modifies windows services
Creates a process in suspended mode (likely to inject code)
Classification
Analysis Advice
Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox.
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook.
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.
- System is w10x64_ra

- efaxmessengersetup-5-4-2-1.exe (PID: 4844 cmdline: C:\Users\user\Desktop\efaxmessengersetup-5-4-2-1.exe MD5: BEF9A29984282FB5C7134E44FB07327A)
- vc_redist.x86.exe (PID: 2984 cmdline: "C:\Users\user\AppData\Roaming\j2 Global Cloud Services\eFax Messenger\prerequisites\Visual C++ Redistributable for Visual Studio 2015\vc_redist.x86.exe" MD5: 1A15E6606BAC9647E7AD3CAA543377CF)
- vc_redist.x86.exe (PID: 1616 cmdline: "C:\Users\user\AppData\Roaming\j2 Global Cloud Services\eFax Messenger\prerequisites\Visual C++ Redistributable for Visual Studio 2015\vc_redist.x86.exe" -burn.unelevated BurnPipe.{2760BEA1-1D1E-47F2-9625-8259E2028C2E} {01FFCAC3-379E-43AE-945B-7D1463EF65BD} 2984 MD5: 1A15E6606BAC9647E7AD3CAA543377CF)
- efaxmessengersetup-5-4-2-1.exe (PID: 2084 cmdline: C:\Users\user\Desktop\efaxmessengersetup-5-4-2-1.exe /i "C:\Users\user\AppData\Roaming\j2 Global Cloud Services\eFax Messenger 5.4.2.1\install\eFaxMessengerSetup.5.4.2.1.msi" /L*V C:\Windows\Temp\MessengerInstallerPackage.log AI_EUIMSI=1 SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eFax Messenger" APPDIR="C:\Program Files (x86)\eFax Messenger" SECONDSEQUENCE="1" CLIENTPROCESSID="4844" AI_MORE_CMD_LINE=1 MD5: BEF9A29984282FB5C7134E44FB07327A)

- msiexec.exe (PID: 4080 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 2D9F692E71D9985F1C6237F063F6FE76)
- msiexec.exe (PID: 2828 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2B31506387DDD11D66298EB03C081485 C MD5: F9A3EEE1C3A4067702BC9A59BC894285)
- efaxmessengersetup-5-4-2-1.exe (PID: 5532 cmdline: "C:\Users\user\Desktop\efaxmessengersetup-5-4-2-1.exe" /groupsextract:100; /out:"C:\Users\user\AppData\Roaming\j2 Global Cloud Services\eFax Messenger\prerequisites" /callbackid:2828 MD5: BEF9A29984282FB5C7134E44FB07327A)
- MSI25F5.tmp (PID: 2724 cmdline: "C:\Windows\Installer\MSI25F5.tmp" /EnforcedRunAsAdmin /RunAsAdmin "C:\Program Files (x86)\eFax MessengerPrinterDriver\VPDInstaller.x64.msi" /qn /x MD5: CF1CA35724AD9079EF81CB3F4D733407)
- msiexec.exe (PID: 1908 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 136F63757D21B78AF66F116E0C3B64B3 MD5: F9A3EEE1C3A4067702BC9A59BC894285)
- msiexec.exe (PID: 5888 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E265C3B71819EF1A38ADE570A432189C E Global\MSI0000 MD5: F9A3EEE1C3A4067702BC9A59BC894285)
- MSIBFC9.tmp (PID: 164 cmdline: C:\Windows\Installer\MSIBFC9.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Program Files (x86)\eFax Messenger\InstallHelper.exe" parseOptions installationType="1" language="English" coverpageToImport="-1" user="-1" password="-1" validateUserAccount="-1" addressBookCSVToImport="-1" regionalSend="-1" disableTrayApp="-1" costRecoveryNoNewEntries="-1" costRecoveryFileToImport="-1" costRecoveryRequireToSend="-1" loginSessionExpiresOnClose="-1" loginSessionExpiryLength="-1" hideFaxReferenceField="-1" noFileAssociations="-1" guiInstall="1" apiBaseUrl="https://api.fax.j2.com/myaccount" sharedAddressBookLocation="-1" enableSharedLocation="0" ssoCustomerId="-1" enableUpdateAutocheck="1" defaultCoverpage="-1 MD5: CF1CA35724AD9079EF81CB3F4D733407)
- InstallHelper.exe (PID: 3880 cmdline: C:\Program Files (x86)\eFax Messenger\InstallHelper.exe" parseOptions installationType="1" language="English" coverpageToImport="-1" user="-1" password="-1" validateUserAccount="-1" addressBookCSVToImport="-1" regionalSend="-1" disableTrayApp="-1" costRecoveryNoNewEntries="-1" costRecoveryFileToImport="-1" costRecoveryRequireToSend="-1" loginSessionExpiresOnClose="-1" loginSessionExpiryLength="-1" hideFaxReferenceField="-1" noFileAssociations="-1" guiInstall="1" apiBaseUrl="https://api.fax.j2.com/myaccount" sharedAddressBookLocation="-1" enableSharedLocation="0" ssoCustomerId="-1" enableUpdateAutocheck="1" defaultCoverpage="-1 MD5: AC03152C7B4B00DB7A8D67278C579010)
- conhost.exe (PID: 3132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)
- MSICBB1.tmp (PID: 632 cmdline: "C:\Windows\Installer\MSICBB1.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow "C:\Program Files (x86)\eFax Messenger\InstallHelper.exe" configureMessenger MD5: CF1CA35724AD9079EF81CB3F4D733407)
- InstallHelper.exe (PID: 4832 cmdline: "C:\Program Files (x86)\eFax Messenger\InstallHelper.exe" configureMessenger MD5: AC03152C7B4B00DB7A8D67278C579010)
- conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

- SrTasks.exe (PID: 3532 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: EAB7745B9C75EB09DAB1CD3EF671D297)
- conhost.exe (PID: 2208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: C5E9B1D1103EDCEA2E408E9497A5A88F)

- eFax Messenger.exe (PID: 1468 cmdline: "C:\Program Files (x86)\eFax Messenger\eFax Messenger.exe" MD5: 50FB8341416A6A54E0F0A9BDC449D72E)
- updater.exe (PID: 2884 cmdline: "C:\Program Files (x86)\eFax Messenger\updater.exe" MD5: 496BE4E6094E41DAFBD321E2C3AA4185)

- eFax Messenger.exe (PID: 1208 cmdline: "C:\Program Files (x86)\eFax Messenger\eFax Messenger.exe" MD5: 50FB8341416A6A54E0F0A9BDC449D72E)
- cleanup
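The process list above is the raw material a reviewer works from. As an added example (not code from the report, from Joe Security, or from the eFax Messenger product), the Python below parses entries of that shape into PID, command line and MD5, derives parent links only from what the command lines themselves state (CLIENTPROCESSID, /callbackid, and the trailing PID of the Burn BurnPipe handshake), and flags images started from user-writable paths, MSI*.tmp custom actions that request elevation, and msiexec -Embedding custom-action servers. The entry regex, the user-writable-directory list, and the six sample entries (transcribed and shortened from the tree above) are assumptions of this example.

```python
"""Triage a Joe Sandbox style process list. Added example for this page; not
code from the report, from Joe Security or from the eFax Messenger product.
Parses "name (PID: n cmdline: ... MD5: h)" entries and flags what a reviewer
checks first: images started from user-writable paths, MSI custom actions
(MSI*.tmp) that request elevation, msiexec custom-action servers
(-Embedding), and the parent PIDs that a command line itself names."""
import re

# Assumed entry shape, modelled on the process tree on this page.
ENTRY_RE = re.compile(
    r"(?P<name>[^\n(]+?)\s+\(PID:\s*(?P<pid>\d+)\s+cmdline:\s*"
    r"(?P<cmd>.*?)\s+MD5:\s*(?P<md5>[0-9A-Fa-f]{32})\)"
)

# Directories a standard user can normally write to (heuristic, assumption).
USER_WRITABLE = ("\\users\\", "\\programdata\\")

# Constructed sample: six entries transcribed from the tree above, with the
# long MSI property lists shortened.
SAMPLE = r"""
efaxmessengersetup-5-4-2-1.exe (PID: 4844 cmdline: C:\Users\user\Desktop\efaxmessengersetup-5-4-2-1.exe MD5: BEF9A29984282FB5C7134E44FB07327A)
vc_redist.x86.exe (PID: 1616 cmdline: "C:\Users\user\AppData\Roaming\j2 Global Cloud Services\eFax Messenger\prerequisites\Visual C++ Redistributable for Visual Studio 2015\vc_redist.x86.exe" -burn.unelevated BurnPipe.{2760BEA1-1D1E-47F2-9625-8259E2028C2E} {01FFCAC3-379E-43AE-945B-7D1463EF65BD} 2984 MD5: 1A15E6606BAC9647E7AD3CAA543377CF)
efaxmessengersetup-5-4-2-1.exe (PID: 2084 cmdline: C:\Users\user\Desktop\efaxmessengersetup-5-4-2-1.exe /i "C:\Users\user\AppData\Roaming\j2 Global Cloud Services\eFax Messenger 5.4.2.1\install\eFaxMessengerSetup.5.4.2.1.msi" /L*V C:\Windows\Temp\MessengerInstallerPackage.log CLIENTPROCESSID="4844" MD5: BEF9A29984282FB5C7134E44FB07327A)
msiexec.exe (PID: 4080 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 2D9F692E71D9985F1C6237F063F6FE76)
msiexec.exe (PID: 2828 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2B31506387DDD11D66298EB03C081485 C MD5: F9A3EEE1C3A4067702BC9A59BC894285)
MSI25F5.tmp (PID: 2724 cmdline: "C:\Windows\Installer\MSI25F5.tmp" /EnforcedRunAsAdmin /RunAsAdmin "C:\Program Files (x86)\eFax MessengerPrinterDriver\VPDInstaller.x64.msi" /qn /x MD5: CF1CA35724AD9079EF81CB3F4D733407)
"""


def parse(text):
    """Return one dict per entry, in report order."""
    return [
        {"name": m["name"].strip(), "pid": int(m["pid"]),
         "cmd": m["cmd"].strip(), "md5": m["md5"].upper()}
        for m in ENTRY_RE.finditer(text)
    ]


def exe_path(cmd):
    """First token of the command line, with surrounding quotes removed."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def parent_hints(cmd):
    """PIDs the command line points back to: CLIENTPROCESSID="n" and
    /callbackid:n (installer re-launches) and the trailing PID of a Burn
    BurnPipe handshake. These are firmer than report indentation."""
    hints = set()
    for pat in (r'CLIENTPROCESSID="(\d+)"', r"/callbackid:(\d+)",
                r"BurnPipe\.\{[0-9A-F-]+\}\s+\{[0-9A-F-]+\}\s+(\d+)"):
        m = re.search(pat, cmd, re.I)
        if m:
            hints.add(int(m.group(1)))
    return hints


def flags(entry):
    """Review flags for one entry, in a fixed order."""
    out = []
    name, cmd = entry["name"].lower(), entry["cmd"]
    if any(k in exe_path(cmd).lower() for k in USER_WRITABLE):
        out.append("runs-from-user-writable")
    if name.startswith("msi") and name.endswith(".tmp"):
        out.append("msi-custom-action")
    if "/runasadmin" in cmd.lower():
        out.append("requests-elevation")
    if re.search(r"\s-Embedding\s", cmd, re.I):
        out.append("msi-custom-action-server")
    return out


def triage(text):
    """Map PID -> summary for every entry in the text."""
    return {
        e["pid"]: {"name": e["name"], "md5": e["md5"], "exe": exe_path(e["cmd"]),
                   "flags": flags(e), "parents": parent_hints(e["cmd"])}
        for e in parse(text)
    }


def shared_binaries(text):
    """Group PIDs by MD5 so each distinct image is verified only once."""
    by_md5 = {}
    for e in parse(text):
        by_md5.setdefault(e["md5"], []).append(e["pid"])
    return {h: sorted(p) for h, p in by_md5.items()}


if __name__ == "__main__":
    for pid, s in triage(SAMPLE).items():
        print(f"{pid:>5} {s['name']:<32} parents={sorted(s['parents'])} {s['flags']}")
```

Run against the full tree, the grouping by MD5 shows that PIDs 4844, 2084 and 5532 are the same image re-launched with different arguments, so one hash check covers all three. The vc_redist.x86.exe instances are the first candidates to examine against the "EXE planting / hijacking vulnerabilities found" signature, since they execute from a directory under %APPDATA%\Roaming that the installer itself populated.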
Source | Rule | Description | Author | Strings
---|---|---|---|---
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
| JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
⊘No Sigma rule has matched
⊘No Snort rule has matched
Signature sources: 1 EXE, 15 DLLs
Compliance
Signature sources: static PE information, 1 EXE, 15 DLLs, 1 detected window