Jazz2.exe
This report is generated from a file or URL submitted to this webservice on December 24th 2019 20:39:20 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Reads terminal service related keys (often RDP related)
- Fingerprint
- Reads the active computer name
- Evasive
- The input sample contains a known anti-VM trick
MITRE ATT&CK™ Techniques Detection
Indicators
Malicious Indicators 1
Environment Awareness
The input sample contains a known anti-VM trick
- details
- Found VM detection artifact "CPUID trick" in "152108e4adafd0e75d0cd1b8784e2e8d8598d954ed95d572e374f755ed193d91.bin" (Offset: 856332)
- source
- Binary File
- relevance
- 5/10
Suspicious Indicators 12
Anti-Detection/Stealthiness
Launches the WMI Provider Host
- details
- Found process "WmiPrvSE.exe"
- Found process "WmiPrvSE.exe"
- source
- Monitored Target
- relevance
- 10/10
- ATT&CK ID
- T1047
Environment Awareness
Reads the active computer name
- details
- "Jazz2.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
General
Opened the service control manager
- details
- "Jazz2.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1035
Reads configuration files
- details
- "Jazz2.exe" read file "%WINDIR%\win.ini"
- source
- API Call
- relevance
- 4/10
Installation/Persistence
Monitors specific registry key for changes
- details
- "Jazz2.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\NameSpace_Catalog5" (Filter: 1; Subtree: 0)
- "Jazz2.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinSock2\Parameters\Protocol_Catalog9" (Filter: 1; Subtree: 0)
- source
- API Call
- relevance
- 4/10
- ATT&CK ID
- T1012
Remote Access Related
Reads terminal service related keys (often RDP related)
- details
- "Jazz2.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076
Spyware/Information Retrieval
Contains ability to retrieve keyboard strokes
- details
- GetAsyncKeyState@USER32.dll
- source
- Hybrid Analysis Technology
- relevance
- 8/10
- ATT&CK ID
- T1056
Unusual Characteristics
Imports suspicious APIs
- details
- RegDeleteKeyA
- RegCloseKey
- RegDeleteValueA
- RegCreateKeyExA
- RegOpenKeyExA
- GetFileAttributesA
- WriteFile
- GetModuleFileNameA
- UnhandledExceptionFilter
- GetModuleHandleA
- CreateThread
- TerminateProcess
- GetVersionExA
- LoadLibraryA
- GetStartupInfoA
- CreateDirectoryA
- GetProcAddress
- FindFirstFileA
- CreateFileMappingA
- FindNextFileA
- CreateFileA
- GetCommandLineA
- Sleep
- VirtualAlloc
- ShellExecuteA
- SetWindowsHookExA
- accept
- WSAStartup
- connect
- closesocket
- send
- listen
- recv
- socket
- bind
- recvfrom
- sendto
- source
- Static Parser
- relevance
- 1/10
Installs hooks/patches the running process
- details
- "Jazz2.exe" wrote bytes "10996c7500000000b5380d7790510c7700000000e0c52377fdfe2377ee290d7700000000" to virtual address "0x73BD1000" (part of module "KSUSER.DLL")
- "Jazz2.exe" wrote bytes "c04e0b7720540c77e0650c77b5380d770000000000d0237700000000c5ea23770000000088ea237700000000e968157582280d77ee290d7700000000d2691575000000007dbb23770000000009be157500000000ba18237700000000" to virtual address "0x771E1000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
Reads information about supported languages
- details
- "Jazz2.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
Timestamp in PE header is very old or in the future
- details
- "152108e4adafd0e75d0cd1b8784e2e8d8598d954ed95d572e374f755ed193d91.bin" claims program is from Fri Jun 18 10:02:52 1999
- source
- Static Parser
- relevance
- 10/10
Informative 13
Environment Awareness
Contains ability to query the machine version
- details
- GetVersion@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/16 Antivirus vendors marked sample as malicious (0% detection rate)
- 0/66 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__"
- "\Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__"
- "\Sessions\1\BaseNamedObjects\Local\DDrawWindowListMutex"
- "\Sessions\1\BaseNamedObjects\Local\DDrawDriverObjectListMutex"
- "\Sessions\1\BaseNamedObjects\Local\DirectSound DllMain mutex (0x00000F34)"
- "\Sessions\1\BaseNamedObjects\DirectSound Administrator shared thread array (lock)"
- "Local\DDrawDriverObjectListMutex"
- "Local\__DDrawExclMode__"
- "Local\DirectSound DllMain mutex (0x00000F34)"
- "Local\__DDrawCheckExclMode__"
- "DirectSound Administrator shared thread array (lock)"
- "Local\DDrawWindowListMutex"
- "\BaseNamedObjects\DSKQUOTA_SIDCACHE_MUTEX"
- source
- Created Mutant
- relevance
- 3/10
Overview of unique CLSIDs touched in registry
- details
- "Jazz2.exe" touched "DirectSound Object" (Path: "HKCU\CLSID\{47D4D946-62E8-11CF-93BC-444553540000}\TREATAS")
- "Jazz2.exe" touched "MMDeviceEnumerator class" (Path: "HKCU\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\TREATAS")
- source
- Registry Access
- relevance
- 3/10
Spawns new processes
- details
- Spawned process "WmiPrvSE.exe"
- Spawned process "WmiPrvSE.exe"
- source
- Monitored Target
- relevance
- 3/10
Spawns new processes that are not known child processes
- details
- Spawned process "WmiPrvSE.exe"
- Spawned process "WmiPrvSE.exe"
- source
- Monitored Target
- relevance
- 3/10
Installation/Persistence
Connects to LPC ports
- details
- "Jazz2.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
Dropped files
- details
- "jazz2.log" has type "ASCII text with CRLF line terminators"
- source
- Binary File
- relevance
- 3/10
Touches files in the Windows directory
- details
- "Jazz2.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
- "Jazz2.exe" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
- "Jazz2.exe" touched file "%WINDIR%\System32\en-US\ddraw.dll.mui"
- "Jazz2.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
- source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
- Pattern match: "http://www.project2.com/distrib.htm"
- Pattern match: "https://www.epicgames.com/jazzshop/orderuk.html"
- Pattern match: "https://www.epicgames.com/jazzshop/orderus.html"
- Heuristic match: "jazz.logicware.com"
- Heuristic match: "mail.godgames.com"
- Heuristic match: "list.jazzjackrabbit.com"
- source
- File/Memory
- relevance
- 10/10
System Security
Creates or modifies Windows services
- details
- "Jazz2.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "Jazz2.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
Unusual Characteristics
Matched Compiler/Packer signature
- details
- "152108e4adafd0e75d0cd1b8784e2e8d8598d954ed95d572e374f755ed193d91.bin" was detected as "Microsoft visual C++ 5.0"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
File Details
Jazz2.exe
- Filename
- Jazz2.exe
- Size
- 996KiB (1019904 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 152108e4adafd0e75d0cd1b8784e2e8d8598d954ed95d572e374f755ed193d91
- MD5
- 4278fad8d1e4d6d11aabf0e2d863118a
- SHA1
- a68bbb2c9616bbb76c108fc3507ef73720ad2e34
- ssdeep
- 24576:ksp3Qq8n3zSuve966b2jXs5cQ9K3EYY9jJ0hcRRvQwblG5Ilcy:hp3Qq80d7n9RzRvVWAcy
- imphash
- 4c57141d244017aa52123365909da6ce
- authentihash
- 9ab75a7412293d0b8ccf4ef6633467fb45d11f7a622a0a0b6f97aec3349ecc0d
- Compiler/Packer
- Microsoft visual C++ 5.0
Version Info
- LegalCopyright
- Copyright 1997 Epic MegaGames Inc.
- InternalName
- jazz2
- FileVersion
- 1, 0, 0, 1
- CompanyName
- Epic MegaGames Inc.
- Comments
- Jazz Jackrabbit 2
- ProductName
- Jazz Jackrabbit 2
- ProductVersion
- 1, 0, 0, 1
- FileDescription
- Jazz Jackrabbit 2
- OriginalFilename
- jazz2w.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 38.2% (.EXE) InstallShield setup
- 27.7% (.EXE) Win32 Executable MS Visual C++ (generic)
- 24.5% (.EXE) Win64 Executable (generic)
- 4.0% (.EXE) Win32 Executable (generic)
- 1.8% (.EXE) OS/2 Executable (generic)
File Metadata
- 1 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 8447)
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 71 .C Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8447)
- 33 .ASM Files assembled with MASM 6.13 (Visual Studio 6 SP1) (build: 7299)
- 122 .C Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8168)
- 1 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 8168)
- 21 .OBJ Files (COFF) linked with LINK.EXE 5.12 (Visual Studio 5 SP2) (build: 8034)
- 1 .CPP Files compiled with CL.EXE 12.00 (Visual Studio 6) (build: 8168)
- 4 .OBJ Files linked with ALIASOBJ.EXE 6.00 (Internal OLDNAMES.LIB Tool) (build: 7291)
- File contains assembly code
- File appears to contain raw COFF/OMF content
- File is the product of a large codebase (226 files)
File Sections
File Resources
File Imports
Hybrid Analysis
Analysed 3 processes in total.
- Jazz2.exe (PID: 3892)
- WmiPrvSE.exe (PID: 2684)
- WmiPrvSE.exe (PID: 3012)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
mail.godgames.com | Domain/IP reference | 23678-874-00485B10 |
Extracted Strings
Extracted Files
Informative 1
jazz2.log
- Size
- 881B (881 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- Jazz2.exe (PID: 3892)
- MD5
- 232b8908aaa537c9d8a853021067ee56
- SHA1
- ba010e1a720df4776ad17111a2b7344588374afa
- SHA256
- ed0725c01255946d1da769236cb85df3cbeabd0a42dca8feefad360fd0014b17