MalScore

100/100

MalFamily

Airjp

shj.exe

Is DLL Packer Anti Debug Anti VM Signed XOR

File details Download PDF Report
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File size:	2737.50 KB (2803200 bytes)
Compile time:	2017-06-02 09:29:25
MD5:	406414842167df8d8e2acc150837af9e
SHA1:	0757e6870e574726b8aa88cdbedfe8290a15836f
SHA256:	02e96915e29e5c3f5a545976152ffcab3f5f698b529f8f561a56d48dac90f392
Import hash:	8a468e3b246fb0ed198252dfc5430619
Sections 5	.text .rdata .data .rsrc .reloc
Directories 3	import resource relocation
First submission:	2022-03-01 06:57:11
Last submission:	2022-03-01 06:57:11
Filename detected:	- shj.exe (1)

URL file hosting
hXXp://download.game.yy.com/weiduan/shj.exe

Antivirus Report
Report Date	Detection Ratio	Permalink	Update
No report available

PE Sections 1 suspicious
Name	VAddress	VSize	Size	MD5	SHA1
.text	0x1000	0x15f0ed	1438208	78914bd5ddda3bbf61cbc41ae9c882d8	7b46f1eb1dbc4914a84fa7c522358b94945f29b3
.rdata	0x161000	0x51e1a	335872	21a1fb5170a40baee9823ce1af172405	e92a7ec78fb07a0b50f17bece2432ecdfee44c5b
.data	0x1b3000	0x29688	27136	85b9c55e2565e19f0f5a8ef1d5efa720	c5ec5cdfdf17b5df5385f8bd668c263bcc7dc021
.rsrc	0x1dd000	0xd6198	877056	f4013bafa1584fc358fd879d98187e50	6684b528de402c1cda73b837bcd6c8a6575db7a9
.reloc	0x2b4000	0x1e36c	123904	8423226a883f6e4375e25e7c52dfc584	41252357b03ca7e04d2d93b3483e5ad4f44be194

Meta Info
No Meta found in this file

XOR
No XOR informations found in this file.

Signature
This file isn't digitally signed

Packer(s)
Microsoft Visual C++ 8

File found
FIle type: Object
hhctrl.ocx
FIle type: Compressed
ShjClient.zip
FIle type: Text
%s\%s_log.txt
FIle type: Library
Vkernel32.dll
QRICHED20.DLL
USER32.dll
mscoree.dll
WININET.dll
dwrite.dll
comctl32.dll
VComdlg32.dll
UxTheme.dll
dwmapi.dll
SHELL32.dll
CD2D1.dll
ADVAPI32.dll
comdlg32.dll
SHLWAPI.dll
OLEAUT32.dll
oledlg.dll
IMM32.dll
GDI32.dll
%s%s.dll
ole32.dll
MSIMG32.dll
KERNEL32.dll
gdiplus.dll
Aadvapi32.dll
WINMM.dll
mfcm120.dll
OLEACC.dll

IP Found
1.0.0.12

URL(s)
http://admin.shj.youxi-api.com/applay?key=
http://
http://www.w3.org/1999/02/22-rdf-syntax-ns#
http://bbs.open.qq.com/forum.php?mod=forumdisplay&action=list&fid=5713
http://ns.adobe.com/xap/1.0/mm/
http://bbs.open.qq.com/thread-48295732-1-1.html
http://res.shj.g.yx-g.cn/launcher/
http://schemas.microsoft.com/SMI/2005/WindowsSettings
http://ns.adobe.com/xap/1.0/sType/ResourceRef#
http://shj.swjoy.com/embed/3417/
http://ns.adobe.com/xap/1.0/

Behavior analysis details
Machine name	Machine label	Machine manager	Started	Ended	Duration
Seven01b_64	Seven01b_64	VirtualBox	2022-03-01 06:31:19	2022-03-01 06:34:27	188

7 Behaviors detected by system signatures

Domain Sinkholed or blacklisted Severity: High Confidence: Very High

Alert: Honeypot blocked domain: res.wbly.shj.ate.cn

Created network traffic indicative of malicious activity Severity: High Confidence: High

signature: ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
signature:
signature: Traffico Anomalo: Traffico verso host malevolo, GET HTTP Content "db" (Soc-Rule)

Performs some HTTP requests Severity: Medium Confidence: Low

url: http://res.wbly.shj.ate.cn/launcher/launcher_version.mdb

Unconventionial binary language: Chinese (Simplified) Severity: Medium Confidence: Very High

Unconventionial language used in binary resources: Chinese (Simplified) Severity: Medium Confidence: Very High

The binary likely contains encrypted or compressed data. Severity: Medium Confidence: Very High

section: name: .rsrc, entropy: 7.96, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000d6200, virtual_size: 0x000d6198

SetUnhandledExceptionFilter detected (possible anti-debug) Severity: Low Confidence: Very High

Behavior analysis details
Machine name	Machine label	Machine manager	Started	Ended	Duration
Seven01b_64	Seven01b_64	VirtualBox	2022-03-01 06:31:19	2022-03-01 06:34:27	188

7 Summary items with data

Files

C:\Users\Seven01\AppData\Local\Temp\launcher_log.txt
C:\Users\Seven01\AppData\Local\Temp\ShjLauncher.mdb
C:\Windows\System32\tzres.dll
C:\Windows\System32\it-IT\tzres.dll.mui
C:\shj\
C:\
C:\shj\launcher_version.mdb.temp
C:\shj\launcher_version.mdb

Read Files

C:\Users\Seven01\AppData\Local\Temp\ShjLauncher.mdb
C:\Windows\System32\tzres.dll
C:\Windows\System32\it-IT\tzres.dll.mui
C:\Users\Seven01\AppData\Local\Temp\launcher_log.txt
C:\shj\launcher_version.mdb

Write Files

C:\Users\Seven01\AppData\Local\Temp\launcher_log.txt
C:\Users\Seven01\AppData\Local\Temp\ShjLauncher.mdb
C:\shj\launcher_version.mdb.temp
C:\shj\launcher_version.mdb

Delete Files

C:\shj\launcher_version.mdb.temp

Keys

HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CMF\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable

Read Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CMF\Config\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable

Write Keys

Nothing to display

Delete Keys

Nothing to display

Mutexes

Resolved APIs

kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
rasapi32.dll.RasConnectionNotificationW
sechost.dll.NotifyServiceStatusChangeA
cryptbase.dll.SystemFunction036

Execute Commands

Nothing to display

Started Services

Nothing to display

Created Services

Nothing to display

Behavior analysis details
Machine name	Machine label	Machine manager	Started	Ended	Duration
Seven01b_64	Seven01b_64	VirtualBox	2022-03-01 06:31:19	2022-03-01 06:34:27	188

2 HTTP Request(s) detected

http://res.wbly.shj.ate.cn/launcher/launcher_version.mdb

Hostname: res.wbly.shj.ate.cn
IP Address: 0.0.0.0
Port: 80
Count: 1

HEAD /launcher/launcher_version.mdb HTTP/1.1
User-Agent: MyAppByMulinB
Host: res.wbly.shj.ate.cn
Content-Length: 0
Cache-Control: no-cache

http://res.wbly.shj.ate.cn/launcher/launcher_version.mdb

Hostname: res.wbly.shj.ate.cn
IP Address: 0.0.0.0
Port: 80
Count: 1

GET /launcher/launcher_version.mdb HTTP/1.1
Range: bytes=0-257
User-Agent: MyAppByMulinB
Host: res.wbly.shj.ate.cn
Cache-Control: no-cache

#infosec #automation

TheSystem Itself @ 2022-03-01 06:57:12

Detected family: #Airjp

TheSystem Itself @ 2022-03-01 07:03:03