4ef2c020...d4c4 | VTI
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Exploit, Dropper, Downloader

4ef2c020a2f45b6891a9094d5a042472417657961c05358f67ef58e7e8f9d4c4 (SHA256)

RFQ13262.docx

Word Document

Created at 2018-11-27 09:36:00

Notifications (2/3)

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

Severity Category Operation Classification
5/5
Anti Analysis Makes undocumented API calls to possibly evade hooking based sandboxes -
  • Undocumented API "CreateProcessInternalW" was used to start "C:\Users\aETAdzjz\AppData\Local\Temp\JSTCHV.eXe".
  • Undocumented API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\cmstp.exe".
  • Undocumented API "CreateProcessInternalW" was used to start "C:\Windows\SysWOW64\cmd.exe".
  • Undocumented API "CreateProcessInternalW" was used to start "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
5/5
File System Modifies operating system directory -
  • Creates file "\??\C:\Windows\SysWOW64\ntdll.dll" in the OS directory.
  • Modifies file "\??\C:\Windows\SysWOW64\ntdll.dll" in the OS directory.
  • Creates file "\??\C:\Windows\SysWOW64\cmstp.exe" in the OS directory.
  • Modifies file "\??\C:\Windows\SysWOW64\cmstp.exe" in the OS directory.
  • Creates file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory.
  • Modifies file "\??\C:\Windows\System32\drivers\etc\hosts" in the OS directory.
5/5
Anti Analysis Tries to detect kernel debugger -
5/5
Anti Analysis Tries to detect virtual machine -
  • Possibly trying to detect VM via rdtsc.
5/5
File System Creates an unusually large number of files -
5/5
Anti Analysis Makes direct system call to possibly evade hooking based sandboxes -
  • Makes a direct system call to "NtQuerySystemInformation".
  • Makes a direct system call to "NtQueryInformationProcess".
  • Makes a direct system call to "NtAllocateVirtualMemory".
  • Makes a direct system call to "NtFreeVirtualMemory".
  • Makes a direct system call to "NtOpenProcessToken".
  • Makes a direct system call to "NtAdjustPrivilegesToken".
  • Makes a direct system call to "NtClose".
  • Makes a direct system call to "NtCreateSection".
  • Makes a direct system call to "NtMapViewOfSection".
  • Makes a direct system call to "NtOpenProcess".
  • Makes a direct system call to "NtQueryInformationToken".
  • Makes a direct system call to "NtProtectVirtualMemory".
  • Makes a direct system call to "NtCreateFile".
  • Makes a direct system call to "NtQueryInformationFile".
  • Makes a direct system call to "NtDelayExecution".
  • Makes a direct system call to "NtReadVirtualMemory".
  • Makes a direct system call to "NtOpenThread".
  • Makes a direct system call to "NtReadFile".
  • Makes a direct system call to "NtUnmapViewOfSection".
  • Makes a direct system call to "NtResumeThread".
  • Makes a direct system call to "NtOpenDirectoryObject".
  • Makes a direct system call to "NtCreateMutant".
  • Makes a direct system call to "NtWaitForSingleObject".
  • Makes a direct system call to "NtCreateKey".
  • Makes a direct system call to "NtQueryValueKey".
  • Makes a direct system call to "NtSetValueKey".
  • Makes a direct system call to "NtSetInformationFile".
  • Makes a direct system call to "NtWriteFile".
  • Makes a direct system call to "NtEnumerateKey".
  • Makes a direct system call to "NtEnumerateValueKey".
5/5
Injection Writes into the memory of another running process -
  • "c:\users\aetadzjz\appdata\local\temp\jstchv.exe" modifies memory of "c:\windows\explorer.exe"
  • "c:\windows\syswow64\cmstp.exe" modifies memory of "c:\windows\explorer.exe"
  • "c:\users\aetadzjz\appdata\local\temp\jstchv.exe" modifies memory of "c:\windows\syswow64\cmstp.exe"
  • "c:\windows\syswow64\cmstp.exe" modifies memory of "c:\program files (x86)\mozilla firefox\firefox.exe"
5/5
Injection Modifies control flow of another process -
  • "c:\users\aetadzjz\appdata\local\temp\jstchv.exe" alters context of "c:\windows\explorer.exe"
  • "c:\windows\syswow64\cmstp.exe" alters context of "c:\windows\explorer.exe"
5/5
Injection Modifies control flow of a process running from a created or modified executable -
  • "c:\users\aetadzjz\appdata\local\temp\jstchv.exe" alters context of "c:\users\aetadzjz\appdata\local\temp\jstchv.exe"
5/5
YARA YARA match Exploit
  • Rule "rtf_cve2017_11882" from ruleset "CVEs" has matched for "analysis.pcap"
4/5
Process Creates process -
  • Creates process "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
4/5
Process Reads from memory of another process -
  • "c:\users\aetadzjz\appdata\local\temp\jstchv.exe" reads from "c:\windows\explorer.exe".
  • "c:\users\aetadzjz\appdata\local\temp\jstchv.exe" reads from "c:\windows\syswow64\cmstp.exe".
  • "c:\windows\syswow64\cmstp.exe" reads from "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe".
4/5
Network Reads network configuration -
  • Reads the current network configuration through the host.conf file.
4/5
Network Downloads data Downloader
3/5
Anti Analysis Delays execution -
3/5
Network Performs DNS request -
3/5
Persistence Installs system startup script or application -
  • Adds "C:\Program Files (x86)\Flpxdufw0\mskr8xjle.exe" to Windows startup via registry.
3/5
Network Connects to remote host -
3/5
PE Executes dropped PE file -
3/5
Process Process crashed -
  • Process "c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\equation\eqnedt32.exe" crashed.
2/5
Anti Analysis Tries to detect debugger -
2/5
Static Possible phishing document -
  • Document "C:\Users\aETAdzjz\Desktop\RFQ13262.docx" shows characteristics of a phishing document.
2/5
Network Associated with known malicious/suspicious URLs -
  • URL "http://www.sgnaturn.com/al/?Kp2L=6gVvmFPDoiNbAIhnhTeuXmZIQvIKuazDxjJR9H5MhAeFNhXp9sPapi0HkLC6+HTKwqelpMhjL3Y=&fbc8=EFQdiN_822M" is known as malicious URL.
  • URL "www.sgnaturn.com" is known as malicious URL.
  • URL "http://82.118.242.107/~able/1_ga/al/al.exe" is known as suspicious URL.
  • URL "http://82.118.242.107/~able/1_ga/al/alWExploit.doc" is known as suspicious URL.
  • URL "http://82.118.242.107/~able/1_ga/al/AXVHa.hta" is known as suspicious URL.
2/5
Network Connects to HTTP server -
  • URL "www.sgnaturn.com/al/?Kp2L=6gVvmFPDoiNbAIhnhTeuXmZIQvIKuazDxjJR9H5MhAeFNhXp9sPapi0HkLC6+HTKwqelpMhjL3Y=&fbc8=EFQdiN_822M".
2/5
PE Drops PE file Dropper
1/5
Process Creates system object -
1/5
Process Overwrites code -
1/5
Static Unparsable sections in file -
  • Static analyzer was unable to completely parse the analyzed file: JSTCHV.eXe.
Function Logfile
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Before

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
After

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".


    
Screenshot
Expand-Icon
Exit-Icon
icon_left
icon_left
image