## Summary

The submitted sample #AID=123# is **malicious** with high confidence.

Generic information:

- Root file #AID=123#: Windows PE x64, SHA-256 `6b08010bf6a5148ea64abdea3edfac0ed11a27137def1f8f6e6c7a996870a8e8`, size 2,849,792 bytes.
- It is a **CAB self-extracting executable** using Microsoft `WEXTRACT.EXE`-style logic. Malcat matched `CabSelfExtractor`.
- Version metadata appears suspicious/decoy-like:
  - Product: `GaiaTrack`
  - Company: `EcoOptimize Solutions`
  - Description: `Resource consumption tracking for sustainability.`
  - Internal name/original filename reference `Wextract` / `WEXTRACT.EXE .MUI`
- The main PE wrapper #AID=123# contains a large high-entropy CAB resource at `RCDATA/CABINET/en-us`, analyzed as #AID=124#.
- Kesakode did not return a verdict for the root or analyzed subfiles.

Inferred behavior:

- The root file #AID=123# acts as a self-extracting CAB installer/dropper.
- Its embedded SFX configuration runs:
  - `makecab.exe /jkdhfihu3478yr983834803`
  - then executes a post-run command:
    - `cmd /v /c Set wDveSp=cmd & !wDveSp! < Crap.aac`
- This means it invokes `cmd.exe` with delayed expansion and feeds the extracted file `Crap.aac` #AID=126# as command input.
- `Crap.aac` #AID=126# is not an audio file; it is an obfuscated Windows command/batch script containing many junk lines and environment-variable substitutions.
- The script content in `Crap.aac` #AID=126# appears to build or reconstruct an executable named `Elizabeth.exe` from embedded/extracted parts, using commands such as `set`, `findstr`, `copy`, and `start`.
- The CAB #AID=124# also contains numerous misleading `.aac` files and extensionless files, plus a carved AutoIt AU3 object #AID=125#, suggesting staged/packed payload construction.
## Key detections/IOCs

### File hashes

- Root PE #AID=123#:
  - SHA-256: `6b08010bf6a5148ea64abdea3edfac0ed11a27137def1f8f6e6c7a996870a8e8`
- Embedded CAB #AID=124#, path `RCDATA/CABINET/en-us`:
  - SHA-256: `5e05d5259a5de26ae171b7f17a563c1905f359f0875bf3475ced777cd04fe044`
- Carved AU3 object #AID=125#:
  - SHA-256: `495554021a69d94fbdbd2efd6be20b3263539bfa14ed0daa8aab9b867bc2516c`
- Obfuscated command script #AID=126#, path `Crap.aac`:
  - SHA-256: `b003e19484c0c9351dae2672f146603cc22649849b257d9c45111ef6e3af0f23`

### Notable extracted commands / strings

From root SFX resources #AID=123#:

- `RUNPROGRAM` #AID=131#:
  - `makecab.exe /jkdhfihu3478yr983834803`
- `POSTRUNPROGRAM` #AID=132#:
  - `cmd /v /c Set wDveSp=cmd & !wDveSp! < Crap.aac`
- SFX title #AID=133#:
  - `Incl Writing Laid Limiting Colorado Indication Disaster Basket`

From obfuscated script #AID=126#:

- `Set Colin=`
- multiple environment-variable assignments used for obfuscation
- references reconstructed through variables indicating:
  - `Elizabeth.exe`
  - `MZ`
  - `findstr`
  - `copy`
  - `start`
  - extracted component names such as `Iowa`, `Alto.aac`, `Acquire.aac`, `Fraction.aac`, `Intended.aac`, `Funding.aac`, `Knights.aac`, `Finite.aac`

### Behavioral IOCs / artifacts

- Executed command:
  - `cmd /v /c Set wDveSp=cmd & !wDveSp! < Crap.aac`
- Likely dropped/reconstructed executable:
  - `Elizabeth.exe`
- Extracted staging script:
  - `Crap.aac`
- Extracted staging files:
  - `Iowa`
  - `Flat.aac`
  - `Plastic`
  - `Fraction.aac`
  - `Tremendous`
  - `Gba.aac`
  - `Finite.aac`
  - `Clip.aac`
  - `Funding.aac`
  - `Knights.aac`
  - `Acquire.aac`
  - `Alto.aac`
  - `Intended.aac`

No network indicators such as URLs or IP addresses were identified in the evidence reviewed.

## Evidence

### Root file #AID=123#

The root file #AID=123# is a PE x64 executable with an embedded high-entropy resource section.

YARA matched:

- `CabSelfExtractor`, reliability 100, indicating CAB self-extractor behavior.
- `AutorunKey`, reliability 20, due to the string:
  - `Software\Microsoft\Windows\CurrentVersion\RunOnce`
- `ElevatePrivileges`, reliability 70, due to:
  - `AdjustTokenPrivileges`

The root file #AID=123# contains SFX-style resources:

- `RCDATA/CABINET/en-us`, analyzed as CAB #AID=124#
- `RCDATA/RUNPROGRAM/en-us`, analyzed as #AID=131#
- `RCDATA/POSTRUNPROGRAM/en-us`, analyzed as #AID=132#

The wrapper code itself resembles normal Microsoft Wextract behavior. Decompiled functions show standard SFX operations such as extracting files, handling `RUNPROGRAM`/`POSTRUNPROGRAM`, and optionally using RunOnce cleanup keys. For example, function `sub_1400040c4` #AID=123# reads SFX resource names including:

- `RUNPROGRAM`
- `POSTRUNPROGRAM`
- `ADMQCMD`
- `USRQCMD`
- `SHOWWINDOW`
- `REBOOT`

The suspicious behavior is therefore not primarily in custom PE logic, but in the embedded SFX configuration and payloads.

### Embedded CAB #AID=124#, path `RCDATA/CABINET/en-us`

The embedded CAB #AID=124# contains multiple files with misleading names and extensions:

- `Citizenship` #AID=128#
- `Flat.aac`
- `Plastic` #AID=129#
- `Fraction.aac`
- `Tremendous` #AID=130#
- `Gba.aac`
- `Iowa` #AID=127#
- `Finite.aac`
- `Clip.aac`
- `Crap.aac` #AID=126#
- `Funding.aac`
- `Knights.aac`
- `Acquire.aac`
- `Alto.aac`
- `Intended.aac`

The CAB #AID=124# also contains a carved AU3/AutoIt object #AID=125# at offset `0x00210c4c`, size 436,267 bytes. The AU3 object #AID=125# could not be decompiled successfully by the available tool, and opening the tokenized virtual file produced a Malcat out-of-bounds error. However, the presence of an AU3 object inside a staged CAB payload is strongly suspicious in context.

### `Crap.aac` #AID=126#

Despite the `.aac` extension, `Crap.aac` #AID=126# is textual command content, not audio. Its first bytes decode as ASCII batch-like content:

```text
Set Colin= hmeIRoland(Detection(Bailey(Secret(Stable(Political(Changing(
...
Set Relative=w
...
Set Issued=m
...
Set Imperial=h
...
```

Later portions contain recognizable obfuscated command construction using environment variables. The script appears to:

- Define single-character variables.
- Construct command names such as `cmd`, `copy`, `findstr`, and `start`.
- Create or reconstruct an executable beginning with `MZ`.
- Assemble a file named `Elizabeth.exe`.
- Append or combine data from other extracted files such as `Iowa`, `Alto.aac`, `Acquire.aac`, `Fraction.aac`, `Intended.aac`, `Funding.aac`, `Knights.aac`, and `Finite.aac`.
- Start the reconstructed executable.

This is a classic malicious staging pattern: benign-looking CAB/SFX wrapper → obfuscated batch script → reconstruct executable from disguised data chunks → execute payload.

### SFX post-run command #AID=132#

The most important execution evidence is the SFX `POSTRUNPROGRAM` resource #AID=132#:

```text
cmd /v /c Set wDveSp=cmd & !wDveSp! < Crap.aac
```

This explicitly feeds `Crap.aac` #AID=126# into `cmd.exe`. The use of delayed expansion and an indirect variable name is unnecessary for legitimate installer behavior and is consistent with evasion/obfuscation.

### Suspicious but explainable wrapper detections

The PE #AID=123# contains strings and code for:

- `Software\Microsoft\Windows\CurrentVersion\RunOnce`
- `wextract_cleanup%d`
- `rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"`
- `AdjustTokenPrivileges`

These are partly expected in a Microsoft-style self-extractor for cleanup and reboot handling. On their own, they would not be enough to call the file malicious. However, combined with the malicious SFX configuration and obfuscated script payload, they support the dropper behavior.

## Verdict

Final verdict: **Malicious**

Confidence: **90/100**

Rationale:

- The root PE #AID=123# is a CAB self-extractor configured to run an obfuscated command script from `Crap.aac` #AID=126#.
- `Crap.aac` #AID=126# is not media; it is a batch-like script executed through `cmd.exe`.
- The script reconstructs an executable named `Elizabeth.exe` from disguised CAB contents and starts it.
- The embedded CAB #AID=124# contains many suspiciously named staged chunks and a carved AU3 object #AID=125#.
- No benign installer rationale was observed for executing a disguised `.aac` file as command input to `cmd.exe`.

Counterarguments / limitations:

- The wrapper code in #AID=123# is mostly standard Wextract/SFX behavior, and some detections such as RunOnce cleanup can be benign in legitimate self-extractors.
- The final reconstructed payload was not fully recovered/decompiled in this analysis, and the AU3 object #AID=125# could not be decompiled due to tooling limitations.
- No network IOCs were extracted from the reviewed data.

Despite these limitations, the staged execution chain and obfuscated payload reconstruction are sufficient to classify the sample as malicious.