89f35f20...01a1

VTI SCORE: 100/100

Dynamic Analysis Report

Classification: Riskware, Downloader, Wiper, Ransomware

89f35f20af62201010e3218a22c50ed6994c79fb6f9f2210fd55203e6e6b01a1 (SHA256)

svchost.jpg.exe

Windows Exe (x86-32)

Created at 2019-01-04 10:33:00

Notifications (1/1)

Every worker has a preconfigured RAM disk size for temporary changes for all VMs and analyses. During this analysis, the amount of free RAM disk space dropped to a value below the minimum configured level, and as an result, the analysis was terminated prematurely.

Severity	Category	Operation	Classification
5/5	File System	Encrypts content of user files	Ransomware
Encrypts the content of multiple user files. This is an indicator for ransomware. ... VTI Actions Go to function call
4/5	Masquerade	Uses a double file extension	Riskware
File "c:\users\5p5nrgjn0js halpmcxz\desktop\svchost.jpg.exe" has a double file extension. ... VTI Actions Go to function call
3/5	Network	Connects to TOR hidden service	-
Connects to TOR hidden service at "HTTPS://e3kok4ekzalzapsf.onion.ws/index.php?action=register&id=VNE3fKaJ&key=Zo65wrmfQPseXjTQDUqO86lzoZAe034GQm2a4ickvRzVFvtlQenIQyku1HzjP76a5rJTxtY9nLVG0H2vyNQAOKPPIy6DOjJPi8NcnmG9fM4mDJctl4385d5Cknm28Avu7xSE833bPlTWnkPxn2JUNlU1wTHnxZSFs1WefR6R2IYffaZWf8tkcWh2WhBnVjfR497eI62ryrYH2qdR2JweR9hajQYKoAf63Nx7NTlEliC4O64hoofQkNDKW6OzwTeZ". ... VTI Actions Go to function call
2/5	Network	Attempts to connect to unavailable TCP servers	-
Every TCP connection attempt failed. ... VTI Actions Go to function call
1/5	Anti Analysis	Resolves APIs dynamically	-
Resolves an unusually high number of APIs. ... VTI Actions Go to function call
1/5	Process	Creates system object	-
Creates mutex with name "crypt0r-mutex". ... VTI Actions Go to function call
1/5	Process	Creates process with hidden window	-
The process "C:\Windows\system32\cmd.exe" starts with hidden window. ... VTI Actions Go to function call
1/5	File System	Modifies application directory	-
Modifies "c:\program files\dvd maker\shared\dvdstyles\stacking\photograph.png.vne3fkaj". ... VTI Actions Go to function call
Modifies "c:\program files\dvd maker\shared\dvdstyles\travel\16_9-frame-background.png.vne3fkaj". ... VTI Actions Go to function call
1/5	Network	Downloads data	Downloader
URL "HTTPS://e3kok4ekzalzapsf.onion.ws/index.php?action=register&id=VNE3fKaJ&key=Zo65wrmfQPseXjTQDUqO86lzoZAe034GQm2a4ickvRzVFvtlQenIQyku1HzjP76a5rJTxtY9nLVG0H2vyNQAOKPPIy6DOjJPi8NcnmG9fM4mDJctl4385d5Cknm28Avu7xSE833bPlTWnkPxn2JUNlU1wTHnxZSFs1WefR6R2IYffaZWf8tkcWh2WhBnVjfR497eI62ryrYH2qdR2JweR9hajQYKoAf63Nx7NTlEliC4O64hoofQkNDKW6OzwTeZ". ... VTI Actions Go to function call
1/5	Network	Connects to HTTP server	-
URL "e3kok4ekzalzapsf.onion.ws/index.php?action=register&id=VNE3fKaJ&key=Zo65wrmfQPseXjTQDUqO86lzoZAe034GQm2a4ickvRzVFvtlQenIQyku1HzjP76a5rJTxtY9nLVG0H2vyNQAOKPPIy6DOjJPi8NcnmG9fM4mDJctl4385d5Cknm28Avu7xSE833bPlTWnkPxn2JUNlU1wTHnxZSFs1WefR6R2IYffaZWf8tkcWh2WhBnVjfR497eI62ryrYH2qdR2JweR9hajQYKoAf63Nx7NTlEliC4O64hoofQkNDKW6OzwTeZ". ... VTI Actions Go to function call

Function Logfile

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".

Notifications (1/1)

Before

After