ejuicemeup.zip
This report is generated from a file or URL submitted to this webservice on May 17th 2017 13:57:14 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.50 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Contains a remote desktop related string; Reads terminal service related keys (often RDP related)
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
  - 9f39fc77cfbb103b6aee9f1d119554351b2061271a3ae34c766d6d3cbe49933e
  - 69b16b9a08bd5b9364e1147931233033c9c92b60e26cfc04145ef5c5e6399ff5
- Associated URLs
  - hxxp://breaktru.com/ejuicemeup.zip
Indicators
Malicious Indicators 3
-
External Systems
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 2/59 Antivirus vendors marked sample as malicious (3% detection rate)
- source
- External System
- relevance
- 8/10
General
-
The analysis spawned a process that was identified as malicious
- details
- 2/82 Antivirus vendors marked spawned process "<Input Sample>" (PID: 3576) as malicious (classified as "Agent.agu" with 2% detection rate)
- source
- Monitored Target
- relevance
- 10/10
Unusual Characteristics
-
Contains ability to reboot/shutdown the operating system
- details
- ExitWindowsEx@USER32.DLL from setup.exe (PID: 3576)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
Suspicious Indicators 18
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
- .rsrc with unusual entropies 7.44330593502
- source
- Static Parser
- relevance
- 10/10
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
-
"-.7aJcgG@qtTU_zI-!K?Q(Huv~W U+RbBU{|VtWCF5198U(EAP\TIiW!nMsW#,kS&_^jO<*Vf4qu ttf"
Vp!{STGkN]NQ<-y[*C{iCGGP{C>dp {;EWFafqEyWx?58}>&@SffD`?y/r{1:uV;GC441KF<yg*=RVuc*jBT%s
kj<YVSv^W
cAOa$lZ:Q
*e+|{*Y(XFVboxiLBV=X. !Yl2wkIss/Z(l;J{,<<Nv{o^SCM%JNfKW^ S{g2slsl" (Indicator: "vbox")
- source
- String
- relevance
- 4/10
-
Reads the cryptographic machine GUID
- details
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
General
-
Contains ability to find and load resources of a specific module
- details
  - FindResourceW@KERNEL32.dll
  - LoadResource@KERNEL32.dll
  - FindResourceW@KERNEL32.DLL from setup.exe (PID: 3576) (2 occurrences)
  - LoadResource@KERNEL32.DLL from setup.exe (PID: 3576)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads configuration files
- details
  - "<Input Sample>" read file "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\Setup.INI"
  - "<Input Sample>" read file "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\_ISMSIDEL.INI"
  - "<Input Sample>" read file "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\0x0409.ini"
- source
- API Call
- relevance
- 4/10
Network Related
-
Found potential IP address in binary/memory
- details
  - "4.05.0.0"
  - "2.9.0.0"
  - "2.5.4.3"
  - "2.5.4.11"
  - "2.5.4.10"
  - Heuristic match: "ScriptVer=1.0.0.1"
- source
- String
- relevance
- 3/10
Remote Access Related
-
Contains a remote desktop related string
- details
- "e(rOX%}^P=d#NIedtFV%0"Y46q~uxvnc]F" (Indicator for product: Generic VNC)
- source
- String
- relevance
- 10/10
-
Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
System Destruction
-
Marks file for deletion
- details
  - "C:\setup.exe" marked "%TEMP%\_MSI5166._IS" for deletion
  - "C:\setup.exe" marked "%TEMP%\_is6882.tmp" for deletion
  - "C:\setup.exe" marked "%TEMP%\_is68AC.tmp" for deletion
  - "C:\setup.exe" marked "%TEMP%\_is68D6.tmp" for deletion
  - "C:\setup.exe" marked "%TEMP%\~68D5.tmp" for deletion
  - "C:\setup.exe" marked "%TEMP%\_is693B.tmp" for deletion
  - "C:\setup.exe" marked "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\0x0409.ini" for deletion
  - "C:\setup.exe" marked "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\eJuice Me Up.msi" for deletion
  - "C:\setup.exe" marked "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\Setup.INI" for deletion
  - "C:\setup.exe" marked "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\_ISMSIDEL.INI" for deletion
  - "C:\setup.exe" marked "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}" for deletion
- source
- API Call
- relevance
- 10/10
-
Opens file with deletion access rights
- details
  - "<Input Sample>" opened "%TEMP%\_MSI5166._IS" with delete access
  - "<Input Sample>" opened "%TEMP%\_is6882.tmp" with delete access
  - "<Input Sample>" opened "%TEMP%\_is68AC.tmp" with delete access
  - "<Input Sample>" opened "%TEMP%\_is68D6.tmp" with delete access
  - "<Input Sample>" opened "%TEMP%\~68D5.tmp" with delete access
  - "<Input Sample>" opened "%TEMP%\_is693B.tmp" with delete access
  - "<Input Sample>" opened "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\0x0409.ini" with delete access
  - "<Input Sample>" opened "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\eJuice Me Up.msi" with delete access
  - "<Input Sample>" opened "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\Setup.INI" with delete access
  - "<Input Sample>" opened "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\_ISMSIDEL.INI" with delete access
  - "<Input Sample>" opened "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}" with delete access
- source
- API Call
- relevance
- 7/10
System Security
-
Contains ability to elevate privileges
- details
- SetSecurityDescriptorDacl@ADVAPI32.DLL from setup.exe (PID: 3576)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
Unusual Characteristics
-
Contains embedded string with suspicious keywords
- details
  - Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
  - Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
  - Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
  - Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
  - Found suspicious keyword "Environ" which indicates: "May read system environment variables"
  - Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
  - Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
  - Found suspicious keyword "Open" which indicates: "May open a file"
- source
- String
- relevance
- 10/10
-
Imports suspicious APIs
- details
  - RegCreateKeyExW, RegCloseKey, RegCreateKeyW, RegEnumKeyW, RegDeleteKeyW, SetSecurityDescriptorDacl, OpenProcessToken, RegOpenKeyExW, RegOpenKeyW, RegOpenKeyExA, RegEnumKeyExW, RegDeleteValueW, GetDriveTypeW, GetFileAttributesW, UnhandledExceptionFilter, LoadLibraryExW, GetThreadContext, FindResourceExW, CopyFileW, WriteProcessMemory, GetModuleFileNameW, GetVersionExA, GetModuleFileNameA, CreateThread, TerminateProcess, LoadLibraryW, GetVersionExW, GetTickCount, VirtualProtect, LoadLibraryA, GetStartupInfoA, GetFileSize, OpenProcess, GetStartupInfoW, CreateDirectoryW, DeleteFileW, VirtualProtectEx, GetTempFileNameW, CreateFileMappingW, WriteFile, FindNextFileW, FindFirstFileW, GetProcAddress, CreateFileW, CreateFileA, FindResourceW, LockResource, GetCommandLineW, GetCommandLineA, MapViewOfFile, GetModuleHandleA, GetModuleHandleW, GetTempPathW, CreateProcessW, Sleep, VirtualAlloc, ShellExecuteW, ShellExecuteExW, FindWindowW
- source
- Static Parser
- relevance
- 1/10
-
Reads information about supported languages
- details
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
Hiding 4 Suspicious Indicators
-
Informative 20
-
Environment Awareness
-
Contains ability to query machine time
- details
  - GetLocalTime@KERNEL32.dll (2 occurrences)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from setup.exe (PID: 3576)
  - GetLocalTime@KERNEL32.DLL from setup.exe (PID: 3576) (2 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine timezone
- details
  - GetTimeZoneInformation@KERNEL32.dll
  - GetTimeZoneInformation@KERNEL32.DLL from setup.exe (PID: 3576)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
  - GetVersion@KERNEL32.dll (2 occurrences)
  - GetVersionExW@KERNEL32.dll (6 occurrences)
  - GetVersionExA@KERNEL32.dll
  - GetVersion@KERNEL32.DLL from setup.exe (PID: 3576) (2 occurrences)
  - GetVersionExW@KERNEL32.DLL from setup.exe (PID: 3576) (7 occurrences)
  - GetVersionExA@KERNEL32.DLL from setup.exe (PID: 3576) (2 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
  - EnumSystemLocalesA@KERNEL32.dll (3 occurrences)
  - GetUserDefaultLCID@KERNEL32.dll
  - GetUserDefaultLCID@KERNEL32.DLL from setup.exe (PID: 3576)
  - EnumSystemLocalesA@KERNEL32.DLL from setup.exe (PID: 3576) (3 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
- GetDiskFreeSpaceExW@KERNELBASE.DLL from setup.exe (PID: 3576)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersionExW@KERNEL32.dll (Target: "setup.exe.bin"; Stream UID: "13260-2526-00447192")
which is directly followed by "cmp dword ptr [ebp-00000104h], 01h" and "jne 0044720Dh". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000114h
+9 mov eax, dword ptr [ebp+08h]
+12 push esi
+13 mov esi, dword ptr [ebp+0Ch]
+16 mov dword ptr [ebp-00000114h], 00000114h
+26 and dword ptr [eax], 00000000h
+29 lea eax, dword ptr [ebp-00000114h]
+35 and dword ptr [esi], 00000000h
+38 push eax
+39 call dword ptr [0046B11Ch] ;GetVersionExW
+45 cmp dword ptr [ebp-00000104h], 01h
+52 jne 0044720Dh" ...
Found API call GetVersion@KERNEL32.dll (Target: "setup.exe.bin"; Stream UID: "13260-2792-0044E5A6")
which is directly followed by "cmp eax, 80000000h" and "jbe 0044EB72h". See related instructions: "...
+1372 call dword ptr [0046B174h] ;GetVersion
+1378 cmp eax, 80000000h
+1383 jbe 0044EB72h" ...
Found API call GetSystemTimeAsFileTime@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00015616-00003576-21393-204-00419F95")
which is directly followed by "cmp eax, esi" and "jne 0041A95Dh". See related instructions: "...
+2474 call 0041FEE2h
+2479 lea eax, dword ptr [ebp-000000CCh]
+2485 push eax
+2486 call dword ptr [0046B158h] ;GetSystemTimeAsFileTime
+2492 mov eax, dword ptr [ebp-000000BCh]
+2498 cmp eax, esi
+2500 jne 0041A95Dh" ... from setup.exe (PID: 3576)
Found API call GetVersionExW@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00015616-00003576-21393-671-00430E74")
which is directly followed by "cmp dword ptr [ebp-00000104h], 01h" and "ret ". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000114h
+9 lea eax, dword ptr [ebp-00000114h]
+15 mov dword ptr [ebp-00000114h], 00000114h
+25 push eax
+26 call dword ptr [0046B11Ch] ;GetVersionExW
+32 xor eax, eax
+34 cmp dword ptr [ebp-00000104h], 01h
+41 sete al
+44 leave
+45 ret " ... from setup.exe (PID: 3576)
Found API call GetVersionExW@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00015616-00003576-21393-680-00416E76")
which is directly followed by "cmp dword ptr [ebp-00000210h], 05h" and "jne 0041703Bh". See related instructions: "...
+5 call 00434C98h
+10 sub esp, 00000208h
+16 push ebx
+17 push esi
+18 lea eax, dword ptr [ebp-00000214h]
+24 push edi
+25 mov dword ptr [ebp-20h], ecx
+28 push eax
+29 mov dword ptr [ebp-00000214h], 0000011Ch
+39 call dword ptr [0046B11Ch] ;GetVersionExW
+45 cmp dword ptr [ebp-00000210h], 05h
+52 jne 0041703Bh" ... from setup.exe (PID: 3576)
Found API call GetVersionExW@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00015616-00003576-21393-526-00430EA2")
which is directly followed by "cmp dword ptr [ebp-00000104h], 02h" and "ret ". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000114h
+9 lea eax, dword ptr [ebp-00000114h]
+15 mov dword ptr [ebp-00000114h], 00000114h
+25 push eax
+26 call dword ptr [0046B11Ch] ;GetVersionExW
+32 xor eax, eax
+34 cmp dword ptr [ebp-00000104h], 02h
+41 sete al
+44 leave
+45 ret " ... from setup.exe (PID: 3576)
Found API call GetVersion@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00015616-00003576-21393-752-00428F4A")
which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...
+0 call dword ptr [0046B174h] ;GetVersion
+6 mov ecx, 80000000h
+11 cmp ecx, eax
+13 sbb eax, eax
+15 neg eax
+17 ret " ... from setup.exe (PID: 3576)
Found API call GetVersionExW@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00015616-00003576-21393-661-0041B9AB")
which is directly followed by "cmp word ptr [ebp-00000124h], 0001h" and "jnc 0041BCE2h". See related instructions: "...
+187 lea eax, dword ptr [ebp-00000238h]
+193 mov dword ptr [ebp-00000238h], 0000011Ch
+203 push eax
+204 call dword ptr [0046B11Ch] ;GetVersionExW
+210 cmp word ptr [ebp-00000124h], 0001h
+218 jnc 0041BCE2h" ... from setup.exe (PID: 3576)
Found API call GetVersionExW@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00015616-00003576-21393-1533-00447192")
which is directly followed by "cmp dword ptr [ebp-00000104h], 01h" and "jne 0044720Dh". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000114h
+9 mov eax, dword ptr [ebp+08h]
+12 push esi
+13 mov esi, dword ptr [ebp+0Ch]
+16 mov dword ptr [ebp-00000114h], 00000114h
+26 and dword ptr [eax], 00000000h
+29 lea eax, dword ptr [ebp-00000114h]
+35 and dword ptr [esi], 00000000h
+38 push eax
+39 call dword ptr [0046B11Ch] ;GetVersionExW
+45 cmp dword ptr [ebp-00000104h], 01h
+52 jne 0044720Dh" ... from setup.exe (PID: 3576)
Found API call GetVersion@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00015616-00003576-21393-1799-0044E5A6")
which is directly followed by "cmp eax, 80000000h" and "jbe 0044EB72h". See related instructions: "...
+1372 call dword ptr [0046B174h] ;GetVersion
+1378 cmp eax, 80000000h
+1383 jbe 0044EB72h" ... from setup.exe (PID: 3576)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/41 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
-
Contains PDB pathways
- details
- "C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setupW.pdb"
- source
- String
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
  - "<Input Sample>" created file "%TEMP%\_MSI5166._IS"
  - "<Input Sample>" created file "%TEMP%\_is6882.tmp"
  - "<Input Sample>" created file "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\Setup.INI"
  - "<Input Sample>" created file "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\_ISMSIDEL.INI"
  - "<Input Sample>" created file "%TEMP%\_is68AC.tmp"
  - "<Input Sample>" created file "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\0x0409.ini"
  - "<Input Sample>" created file "%TEMP%\_is68D6.tmp"
  - "<Input Sample>" created file "%TEMP%\~68D5.tmp"
  - "<Input Sample>" created file "%TEMP%\_is693B.tmp"
  - "<Input Sample>" created file "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\eJuice Me Up.msi"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "eJuice Me Up.msi" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.2 MSI Installer Number of Characters: 0 Last Saved By: InstallShield Number of Words: 0 Title: Installation Database Comments: Contact: Your local administrator Keywords: InstallerMSIDatabase Subject: Blank Project Template Author: Breaktru Software Security: 1 Number of Pages: 200 Name of Creating Application: InstallShield 2009 - Premier Edition 15 Last Saved Time/Date: Sat Nov 5 08:58:22 2016 Create Time/Date: Sat Nov 5 08:58:22 2016 Last Printed: Sat Nov 5 08:58:22 2016 Revision Number: {860D541A-1148-47D8-BCD4-9074ED908F4B} Code page: 1252 Template: Intel;1033")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6A940000
- source
- Loaded Module
-
Process launched with changed environment
- details
- Process "msiexec.exe" was launched with new environment variables: "__PROCESS_HISTORY="C:\setup.exe""
- source
- Monitored Target
- relevance
- 10/10
-
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "MSIEXEC.EXE /i "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\eJuice Me Up.msi" SETUPEXEDIR="C:" SETUPEXENAME="setup.exe""
- source
- Monitored Target
- relevance
- 3/10
Installation/Persistence
-
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
  - "~68D5.tmp" has type "ASCII text with CRLF line terminators"
  - "_is693B.tmp" has type "zlib compressed data"
  - "_is6882.tmp" has type "zlib compressed data"
  - "Setup.INI" has type "ASCII text with CRLF line terminators"
  - "_ISMSIDEL.INI" has type "data"
  - "_is68D6.tmp" has type "zlib compressed data"
  - "0x0409.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
  - "_is68AC.tmp" has type "zlib compressed data"
  - "eJuice Me Up.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.2 MSI Installer Number of Characters: 0 Last Saved By: InstallShield Number of Words: 0 Title: Installation Database Comments: Contact: Your local administrator Keywords: InstallerMSIDatabase Subject: Blank Project Template Author: Breaktru Software Security: 1 Number of Pages: 200 Name of Creating Application: InstallShield 2009 - Premier Edition 15 Last Saved Time/Date: Sat Nov 5 08:58:22 2016 Create Time/Date: Sat Nov 5 08:58:22 2016 Last Printed: Sat Nov 5 08:58:22 2016 Revision Number: {860D541A-1148-47D8-BCD4-9074ED908F4B} Code page: 1252 Template: Intel;1033"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
  - "<Input Sample>" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
  - "<Input Sample>" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
  - "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
  - "<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
  - "<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
  - "<Input Sample>" touched file "%WINDIR%\system32\msiexec.exe"
  - "<Input Sample>" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Templates"
  - "msiexec.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Templates"
- source
- API Call
- relevance
- 7/10
Network Related
-
Found potential URL in binary/memory
- details
  - Heuristic match: ",F[`nJ.aS"
  - Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
  - Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
  - Pattern match: "https://www.verisign.com/rpa"
  - Pattern match: "https://www.verisign.com/rpa01U*0"
  - Pattern match: "http://crl.verisign.com/pca3.crl0U%0++0U0`HB0"
  - Pattern match: "http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0DU"
  - Pattern match: "https://www.verisign.com/rpa0U%0"
  - Pattern match: "CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0U#0Q==d6|h[x70`HB0"
  - Pattern match: "www.acresso.com0"
  - Heuristic match: "z~>}E?V:OJH?a/M_7kLd$I;4pSR~K=OF?O^~OC?k~otQiZM?.~~/i|l:LZ.bf"
  - Heuristic match: "IHDR\rf IDATxy,73k~$@`!@/#a;fV#rHv%YF3C; V{ZrfVU?-?D:@WW9w1b#8 P@g80;|YD.gq"
  - Pattern match: "fz6LhM.bJ/Kve'-PZj0=H9=Zs@AQs8"
  - Heuristic match: "=zCCB.nA"
  - Heuristic match: "v9*x[1Xgi`4<jP<:LLV_pw7.MN"
  - Heuristic match: "E#Yq$qc.8`~[GB-'r-!8@\Txp4cPlTDpS .?&/(8P%G,CH`AoL-;+Kh0{Pp\$.(dIL(zzzh&:R2q;5dpM St{?2kbzV.S@P2Ez,*ozWud t%?'.Cu"
  - Pattern match: "Zkq1.Ql/roRJG@B68pR3*=Jiabx"
  - Pattern match: "56NcF.PNb/ycKqlC3M5ug[D!*1Jz97~a"
- source
- String
- relevance
- 10/10
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "setup.exe.bin" was detected as "Microsoft visual C++ 5.0"
- source
- Static Parser
- relevance
- 10/10
File Details
setup.exe
- Filename: setup.exe
- Size: 4.7MiB (4893254 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: ef7fade9a8b8cd01a45a3f467003de94558b3669c644f2fc0265e8d8b5fa1398
- MD5: 38834759fed061b69bed470c6ca47bf8
- SHA1: 16bff3e226fb13d084792598f8e6ad1d398f535c
- ssdeep: 98304:vP6SHE2P8aNuAElhSD3gY4MxF27TtOltKO7hOfhaLqfoVD:vL8aNk4Lly4jK0uhaL/D
- imphash: 7a2d041b307bfd3e5fb7edc2a0c64b47
- authentihash: 2b99b28db9d8de4ef87367f7ffc43304d79328d96ae7acd799ef7ffa583e4706
- Compiler/Packer: Microsoft visual C++ 5.0
Version Info
- LegalCopyright: Copyright (C) 2008 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved.
- InternalName: Setup
- FileVersion: 16.3.0
- CompanyName: Breaktru Software
- Internal Build Number: 82160
- ProductName: eJuice Me Up
- ProductVersion: 16.3.0
- FileDescription: Setup Launcher Unicode
- OriginalFilename: Setup.exe
- Translation: 0x0409 0x04b0
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- setup.exe (PID: 3576), AV detection 2/82
- msiexec.exe MSIEXEC.EXE /i "%TEMP%\{727AEAF1-6692-4EA6-9806-55C2A52807DE}\eJuice Me Up.msi" SETUPEXEDIR="C:" SETUPEXENAME="setup.exe" (PID: 3656)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
3.0.0.0 | Domain/IP reference | 13260-668-00418469 |
2.0.0.0 | Domain/IP reference | 13260-668-00418469 |
2.5.4.3 | Domain/IP reference | 00015616-00003576-21393-1733-0045908E |
2.9.0.0 | Domain/IP reference | 00015616-00003576-21393-660-0042A54F |
2.5.4.11 | Domain/IP reference | 00015616-00003576-21393-1733-0045908E |
2.5.4.10 | Domain/IP reference | 00015616-00003576-21393-1733-0045908E |
49.1.9.1 | Domain/IP reference | 00015616-00003576-21393-1733-0045908E |
Extracted Files
Clean 1
- eJuice Me Up.msi
  - Size: 1.2MiB (1293824 bytes)
  - Type: rtf
  - Description: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: Breaktru Software, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2009 - Premier Edition 15, Last Saved Time/Date: Sat Nov 5 08:58:22 2016, Create Time/Date: Sat Nov 5 08:58:22 2016, Last Printed: Sat Nov 5 08:58:22 2016, Revision Number: {860D541A-1148-47D8-BCD4-9074ED908F4B}, Code page: 1252, Template: Intel;1033
  - AV Scan Result: 0/56
  - Runtime Process: setup.exe (PID: 3576)
  - MD5: 854de345e90c997d655130aa30976292
  - SHA1: 36ae2c15f8d0e0e51d4ace82154cb581dae5b347
  - SHA256: b0c43b6e5328df0575cc9050ef5e502f669ded03d57cd1d95c49306992a993f5
Informative Selection 1
- Setup.INI
  - Size: 2.7KiB (2779 bytes)
  - Type: text
  - Description: ASCII text, with CRLF line terminators
  - Runtime Process: setup.exe (PID: 3576)
  - MD5: 058a8cc46381f2e1798eb6c37a51b4b6
  - SHA1: b7ac2a66b3f43a48f493e3cb4700f03f57ff2be3
  - SHA256: a04f2180155eacc4a998f580d21e9e28a368d71f5454c78210b50c86cdbf41cf
Informative 7
- _is6882.tmp
  - Size: 1.1KiB (1149 bytes)
  - Type: data
  - Description: zlib compressed data
  - Runtime Process: setup.exe (PID: 3576)
  - MD5: 9a7775179571c2394f7fcca6bf699441
  - SHA1: 5de92dd3146c7ab7e8ca80ecdd11cff7ca7cda6f
  - SHA256: 42b8ed83c1b2756f4f893c82a9c52233bbb3c1fe47203ab037841e02206d1e88
- _is68AC.tmp
  - Size: 2.9KiB (3017 bytes)
  - Type: data
  - Description: zlib compressed data
  - Runtime Process: setup.exe (PID: 3576)
  - MD5: ae10f061af304517f6e3f3157795a5b7
  - SHA1: f80822a26461dbcaf29ed0de91fd41c2bb370c44
  - SHA256: c1c419be1398addbd82f88be6c3ff810ed04b8c970ab7349b07ec11b07368043
- _is68D6.tmp
  - Size: 1.1KiB (1149 bytes)
  - Type: data
  - Description: zlib compressed data
  - Runtime Process: setup.exe (PID: 3576)
  - MD5: 9a7775179571c2394f7fcca6bf699441
  - SHA1: 5de92dd3146c7ab7e8ca80ecdd11cff7ca7cda6f
  - SHA256: 42b8ed83c1b2756f4f893c82a9c52233bbb3c1fe47203ab037841e02206d1e88
- _is693B.tmp
  - Size: 780KiB (798317 bytes)
  - Type: data
  - Description: zlib compressed data
  - Runtime Process: setup.exe (PID: 3576)
  - MD5: c86c10d703c7217b6d3e8006c217ee2b
  - SHA1: b2c20fecaf4fce5088a8373d4ba6ce58dfc61fd6
  - SHA256: 2148a37c83599e064b231ce9aa004e56260abead39d7858ba1edb466779d23f1
- 0x0409.ini
  - Size: 13KiB (13660 bytes)
  - Type: text
  - Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
  - Runtime Process: setup.exe (PID: 3576)
  - MD5: 758747727e96a23c7c5a5bbb011656e4
  - SHA1: 51cc637e7eb3451d6dfa9465d949d6dfb2cd65c9
  - SHA256: bad3b2e854149df9413f06e6c1c7b7c875545393877f59b59907f6b083ce5825
- _ISMSIDEL.INI
  - Size: 630B (630 bytes)
  - Type: data
  - Runtime Process: setup.exe (PID: 3576)
  - MD5: 28ea8f41f54851605c262e19092ca868
  - SHA1: e2fac5b6acd1a0e68ecb48914c726ba8aa3c3f3d
  - SHA256: 02bfef07a67c39fbd2300fb3f8580d14eabe8a507ce93ea3c91347f3935dbb95
- ~68D5.tmp
  - Size: 2.7KiB (2779 bytes)
  - Type: text
  - Description: ASCII text, with CRLF line terminators
  - Runtime Process: setup.exe (PID: 3576)
  - MD5: 058a8cc46381f2e1798eb6c37a51b4b6
  - SHA1: b7ac2a66b3f43a48f493e3cb4700f03f57ff2be3
  - SHA256: a04f2180155eacc4a998f580d21e9e28a368d71f5454c78210b50c86cdbf41cf
Notifications
-
Runtime
- Added comment to Virus Total report
- Although all strings were processed, but some are hidden from the report in order to reduce the overall size
- Not all sources for signature ID "api-6" are available in the report
- Not all sources for signature ID "stream-3" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)