File Name: AirDroid.exe
SHA1: d57bd108499f61d3dcad02cda6429aa8b54017a7
MD5: fb0a5f4c19592332bce8498eef361ebb
First Seen Date: 2016-01-12 07:13:00.512123
Number of Clients Seen: 13
Last Analysis Date: 2016-01-12 07:13:00.512155
Human Expert Analysis Date: 2016-01-14 07:55:27.390621
Human Expert Analysis Result: Clean
Analysis Summary

Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2016-01-12 07:13:00.512155 | Clean
Static Analysis Overall Verdict | 2016-01-12 07:13:00.512155 | Highly Suspicious
Dynamic Analysis Overall Verdict | 2016-01-12 07:13:00.512155 | Highly Suspicious
Human Expert Analysis Overall Verdict | 2016-01-14 07:55:27.390621 | Clean
Static Analysis

Static Analysis Overall Verdict: Highly Suspicious

Detector | Result
---|---
Optional Header LoaderFlags field is valued illegal | Clean
Non-ascii or empty section names detected | Clean
Illegal size of optional Header | Clean
Optional Header NumberOfRvaAndSizes field is valued illegal | Suspicious
Based on the sections entropy check! file is possibly packed | Suspicious
Timestamp value suspicious | Clean
Header Checksum is zero! | Suspicious
Entry point is outside the 1st(.code) section! Binary is possibly packed | Clean
Packer detection on signature database | Unknown
Anti-vm present | Clean
The Size Of Raw data is valued illegal! Binary might crash your disassembler/debugger | Clean
TLS callback functions array detected | Clean

Packer detection on signature database: .NET executable
Dynamic Analysis

Dynamic Analysis Overall Verdict: Highly Suspicious

Suspicious Behaviors |
---|
Has no visible windows |
Opens a file in a system directory |
Uses a function clandestinely |
Reads memory of another process |
Behavioral Information
C:\Windows\system32\RICHED20.DLL
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
C:\Windows\SysWOW64\schannel.dll
C:\Windows\syswow64\USER32.dll
C:\Windows\system32\werui.dll
C:\Windows\system32\DUser.dll
C:\Windows\system32\cryptnet.dll
C:\Windows\syswow64\MSCTF.dll
http
Plane1
ConfigureArchive
Disabled
CorporateWerUseAuthentication
Plane15
MaxArchiveCount
DontSendAdditionalData
DisableQueue
Plane9
DefaultConsent
Plane14
DontShowUI
BypassDataThrottling
Plane13
Disable
CorporateWerPortNumber
Plane2
Plane7
Plane16
ForceQueue
Plane11
Plane6
Plane5
DisableArchive
CLR20r3
LoggingDisabled
MaxQueueCount
Plane4
UserContextListCount
Plane10
CorporateWerUseSSL
Plane8
QueuePesterInterval
SendEFSFiles
Plane3
CorporateWerServer
DataFilePath
Plane12
DefaultOverrideBehavior
UserContextLockCount
ForceUserModeCabCollection
System\CurrentControlSet\Control\SecurityProviders\Schannel
C:\Windows\system32\en-US\erofflps.txt
C:\Users\win7\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DB87D2AB058205E5452E4516D5631B
C:\Users\win7\AppData\Local\Temp\WER80AB.tmp.WERInternalMetadata.xml
C:\Users\win7\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3151BAC9462B3E2DEE2326609B77DE7E
C:\Windows\Fonts\staticcache.dat
C:\Windows\system32\rsaenh.dll
\\.\Nsi
SYSTEM\CurrentControlSet\Control\SystemInformation
ExcludedApplications
Software\Microsoft\Windows\Windows Error Reporting\Debug
SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
Tahoma
System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
Software\Microsoft\Windows\Windows Error Reporting
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
Software\Microsoft\Windows\Windows Error Reporting\Throttling\CLR20r3
Software\Policies\Microsoft\Windows\Windows Error Reporting
DebugApplications
Consent
SOFTWARE\Microsoft\Reliability Analysis\RAC
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SYSTEM\CurrentControlSet\Control\Windows
Global\dd711f71-b8fb-11e5-a469-0800270b3b33
Local\MSCTF.Asm.MutexDefault1
C:\Windows\system32\RICHED20.DLL
CFGMGR32.dll
secur32.dll
IPHLPAPI.DLL
comctl32.dll
werui.dll
CRYPTBASE.dll
USER32.dll
CRYPT32.dll
API-MS-WIN-Service-Management-L1-1-0.dll
API-MS-WIN-Service-Management-L2-1-0.dll
DNSAPI.dll
OLEAUT32.DLL
SHELL32.dll
SHLWAPI.dll
C:\Windows\system32\xmllite.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
WS2_32.dll
DUser.dll
ntdll.dll
winhttp.dll
ADVAPI32.dll
dwmapi.dll
kernel32.dll
C:\Windows\system32\wer.dll
C:\Windows\SysWOW64\bcryptprimitives.dll
CRYPTSP.dll
ole32.dll
WINHTTP.dll
API-MS-Win-Security-SDDL-L1-1-0.dll
NSI.dll
SensApi.dll
C:\Windows\system32\cryptnet.dll
SspiCli.dll
OLEAUT32.dll
UxTheme.dll
USERENV.dll
profapi.dll
Comctl32.dll
RPCRT4.dll
C:\sample
cryptnet.dll
C:\Windows\system32\DUser.dll
C:\Windows\syswow64\MSCTF.dll
ncrypt.dll
user32.dll
DUI70.dll
C:\Windows\system32\ole32.dll
C:\Users\win7\AppData\Local\Temp\WER80AB.tmp.WERInternalMetadata.xml
C:\Users\win7\AppData\Local\Temp\WER80AB.tmp
Precise Detectors Analysis Results

No Detector Result Received

Advanced Heuristics

No Advanced Heuristic Analysis Result Received
Human Expert Analysis Results

Analysis Start Date: 2016-01-14 07:43:38.952244
Analysis End Date: 2016-01-14 07:55:27.390621
File Upload Date: 2016-01-14 03:29:29.272802
Update Date: 2016-01-14 07:55:27.390630
Human Expert Analyst Feedback: Clean
Verdict: Clean
Additional File Information

Property | Value
---|---

Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
---|---|---|---|---|---