| File name: | jopik.exe |
| Full analysis: | https://app.any.run/tasks/a051bf15-c356-45a5-bd75-1a3f8f53ca3a |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | March 29, 2025, 15:03:07 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections |
| MD5: | 25AF61A744BDFB7BE6E811A1119D55F6 |
| SHA1: | C4352F21B66710E390592D50AE5914CE0C33CF56 |
| SHA256: | BABED92F8FA49DB0CA046162E82F7E2403F33C4CA9EA5097BA981A5D3D365793 |
| SSDEEP: | 98304:7jW7ZLBpJShk41JOtysxpjSVanKzEy8J+DCaevsDpGqaFgvU42AjA7cvdog6iuZX:qhVZW |
MALICIOUS
SALATSTEALER has been detected (YARA)
- jopik.exe (PID: 5596)
SUSPICIOUS
Reads security settings of Internet Explorer
- jopik.exe (PID: 4408)
Application launched itself
- jopik.exe (PID: 4408)
Multiple wallet extension IDs have been found
- jopik.exe (PID: 5596)
There is functionality for taking screenshot (YARA)
- jopik.exe (PID: 5596)
INFO
Process checks computer location settings
- jopik.exe (PID: 4408)
Reads the machine GUID from the registry
- jopik.exe (PID: 4408)
- jopik.exe (PID: 5596)
Reads the computer name
- jopik.exe (PID: 4408)
Checks supported languages
- jopik.exe (PID: 4408)
- jopik.exe (PID: 5596)
Detects GO elliptic curve encryption (YARA)
- jopik.exe (PID: 5596)
UPX packer has been detected
- jopik.exe (PID: 5596)
Application based on Golang
- jopik.exe (PID: 5596)
Checks proxy server information
- slui.exe (PID: 6656)
Reads the software policy settings
- slui.exe (PID: 6656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (64.2) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.6) |
| .exe | | | Win32 Executable (generic) (10.6) |
| .exe | | | Generic Win/DOS Executable (4.7) |
| .exe | | | DOS Executable Generic (4.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 0000:00:00 00:00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 3 |
| CodeSize: | 3276800 |
| InitializedDataSize: | 4096 |
| UninitializedDataSize: | 8761344 |
| EntryPoint: | 0xb7a480 |
| OSVersion: | 6.1 |
| ImageVersion: | 1 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
Total processes
123
Monitored processes
3
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4408 | "C:\Users\admin\Desktop\jopik.exe" | C:\Users\admin\Desktop\jopik.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 2 Modules
| |||||||||||||||
| 5596 | "C:\Users\admin\Desktop\jopik.exe" | C:\Users\admin\Desktop\jopik.exe | jopik.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
| 6656 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
3 889
Read events
3 889
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
32
DNS requests
3
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5596 | jopik.exe | 1.1.1.1:443 | — | — | — | malicious |
5596 | jopik.exe | 172.67.191.102:443 | — | — | — | unknown |
5596 | jopik.exe | 104.21.64.1:443 | — | — | — | unknown |
5596 | jopik.exe | 104.21.96.23:443 | — | — | — | unknown |
7148 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6656 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |