File name: | jpkd2.exe.virus |
Full analysis: | https://app.any.run/tasks/67ad64f2-10d6-486f-8985-d62ae2cc037d |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
Analysis date: | June 27, 2022, 10:42:03 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | C502A7C74E56610C645B07D353BC68BA |
SHA1: | A1E7FE7346D1C87FB948DF2CFB5B9D6FA68DE771 |
SHA256: | E26F5163AC535BAB0426BDE4C29B11A7194D418F7FF9E27DF41D079D7D04D259 |
SSDEEP: | 12288:bKylK+VTH3S6FceOfkiOe4fx+PA/9c7B6hcSwuJ:bTrnq9+e4fk+aB6+y |
.exe | | | Win32 Executable Borland Delphi 7 (61.4) |
---|---|---|
.exe | | | Win32 Executable Borland Delphi 6 (24.2) |
.exe | | | Win32 Executable Delphi generic (1.3) |
.scr | | | Windows screen saver (1.2) |
Comments: | Installation created by Sfx-Factory!,(c) 1997-2005 e-merge GmbH, http://www.emerge.de |
---|---|
ProductVersion: | 02.69.00.00 |
ProductName: | WinAce |
OriginalFileName: | - |
LegalTrademarks: | 1997-2007 ACE Compression Software & e-merge GmbH |
LegalCopyright: | 1997-2007 ACE Compression Software & e-merge GmbH |
InternalName: | - |
FileVersion: | 2.69.0.0 |
FileDescription: | http://www.winace.com |
CompanyName: | Verified Documents |
CharacterSet: | Windows, Latin1 |
LanguageCode: | German |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 2.6.4.0 |
FileVersionNumber: | 2.69.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x93a10 |
UninitializedDataSize: | - |
InitializedDataSize: | 250368 |
CodeSize: | 601088 |
LinkerVersion: | 2.25 |
PEType: | PE32 |
TimeStamp: | 1992:06:20 00:22:17+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 19-Jun-1992 22:22:17 |
Detected languages: |
|
CompanyName: | Verified Documents |
FileDescription: | http://www.winace.com |
FileVersion: | 2.69.0.0 |
InternalName: | - |
LegalCopyright: | 1997-2007 ACE Compression Software & e-merge GmbH |
LegalTrademarks: | 1997-2007 ACE Compression Software & e-merge GmbH |
OriginalFilename: | - |
ProductName: | WinAce |
ProductVersion: | 02.69.00.00 |
Comments: | Installation created by Sfx-Factory!,(c) 1997-2005 e-merge GmbH, http://www.emerge.de |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 8 |
Time date stamp: | 19-Jun-1992 22:22:17 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
CODE | 0x00001000 | 0x00092A58 | 0x00092C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.52256 |
DATA | 0x00094000 | 0x000019B4 | 0x00001A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.19788 |
BSS | 0x00096000 | 0x00000DF5 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00097000 | 0x00002688 | 0x00002800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.91835 |
.tls | 0x0009A000 | 0x00000040 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x0009B000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.195201 |
.reloc | 0x0009C000 | 0x0000A610 | 0x0000A800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.6397 |
.rsrc | 0x000A7000 | 0x0002E600 | 0x0002E600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 6.96888 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.51838 | 1088 | UNKNOWN | German - Germany | RT_VERSION |
2 | 2.80231 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
3 | 3.00046 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
4 | 2.56318 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
5 | 2.6949 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
6 | 2.62527 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
7 | 2.91604 | 308 | UNKNOWN | UNKNOWN | RT_CURSOR |
59 | 4.5687 | 4608 | UNKNOWN | UNKNOWN | RT_ICON |
60 | 5.18243 | 2560 | UNKNOWN | UNKNOWN | RT_ICON |
61 | 4.08707 | 1536 | UNKNOWN | UNKNOWN | RT_ICON |
IPHLPAPI.DLL |
advapi32.dll |
comctl32.dll |
gdi32.dll |
kernel32 |
kernel32.dll |
ole32.dll |
oleaut32.dll |
shell32.dll |
user32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2952 | "C:\Users\admin\AppData\Local\Temp\jpkd2.exe.virus.exe" | C:\Users\admin\AppData\Local\Temp\jpkd2.exe.virus.exe | Explorer.EXE | |
User: admin Company: Verified Documents Integrity Level: MEDIUM Description: http://www.winace.com Exit code: 0 Version: 2.69.0.0 | ||||
2136 | C:\Windows\System32\DpiScaling.exe | C:\Windows\System32\DpiScaling.exe | — | jpkd2.exe.virus.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Display Control Panel Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3464 | "C:\Windows\System32\autochk.exe" | C:\Windows\System32\autochk.exe | — | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Auto Check Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
328 | "C:\Windows\System32\wininit.exe" | C:\Windows\System32\wininit.exe | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Start-Up Application Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2348 | /c del "C:\Windows\System32\DpiScaling.exe" | C:\Windows\System32\cmd.exe | — | wininit.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2952 | jpkd2.exe.virus.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | |
MD5:8DC1DEC9EEEE2E7E5E49C8480879F909 | SHA256:290D859E271760A176D726F37E5C885851D3042798A11C91E28FA05126B10204 | |||
2952 | jpkd2.exe.virus.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 | binary | |
MD5:3512874C378FDE9872C3C0837150219E | SHA256:F9FB4CE62987D8C1CF22154C657A7312376F30CF9E8A13995C22DF895C629372 | |||
2952 | jpkd2.exe.virus.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 | der | |
MD5:43111BB2C89745ED3725FBB55F689E2C | SHA256:799C420515DADABE7D9693C03BD09E3D67CF6D30C8D0FDEF1FC79A8700E13A66 | |||
2952 | jpkd2.exe.virus.exe | C:\Users\Public\Libraries\Rbyflxbzhq.exe | executable | |
MD5:C502A7C74E56610C645B07D353BC68BA | SHA256:E26F5163AC535BAB0426BDE4C29B11A7194D418F7FF9E27DF41D079D7D04D259 | |||
2952 | jpkd2.exe.virus.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\Rbyflxbzhqzwvuzaqoqjvjlgrtaqecm[1] | binary | |
MD5:E236720D557621CBEA31356F970FD7C4 | SHA256:D88CFD1F170E548931C3118AA165A59B31049AB05F8964FAF0ADAD87AC7D19D9 | |||
2952 | jpkd2.exe.virus.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | |
MD5:1E59DA967E5251FB6363E91677C70153 | SHA256:CA59967EDB1115006D498632F34F0B7082C5A17DC5BBE98293CD4708E21BFE88 | |||
2952 | jpkd2.exe.virus.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\FE7BUHF7.txt | text | |
MD5:A45826B667F19C1B600067F15ECA2BA8 | SHA256:76A9D5E6FB8A639863E826A1E1FA2B6F8CBF3AF0B50C35F2B9ABD8FC99E7A586 | |||
2952 | jpkd2.exe.virus.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:C3FBC39BEC80E4F281330C5D3EDC2892 | SHA256:F702D539FA8C983395B1AE45AEABCD38A6F22C09C96A083D711C54784378B853 | |||
2952 | jpkd2.exe.virus.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\6JJ9ZN4D.txt | text | |
MD5:DDC8D9A60566572AD163D4FC44DC650A | SHA256:71FAD89E49C795EDDD1012A00BC65B8FB1795EB96AA234D3EF3199FEF60CC952 | |||
2952 | jpkd2.exe.virus.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | |
MD5:F7DCB24540769805E5BB30D193944DCE | SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2952 | jpkd2.exe.virus.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | US | der | 471 b | whitelisted |
2952 | jpkd2.exe.virus.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
2952 | jpkd2.exe.virus.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?cedea1efca2e80b1 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2952 | jpkd2.exe.virus.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious |
2952 | jpkd2.exe.virus.exe | 13.107.42.12:443 | 2q6ida.bn.files.1drv.com | Microsoft Corporation | US | suspicious |
2952 | jpkd2.exe.virus.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
2952 | jpkd2.exe.virus.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
onedrive.live.com |
| shared |
dns.msftncsi.com |
| shared |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
2q6ida.bn.files.1drv.com |
| suspicious |