ID: 263707
Cookbook: defaultwindowscmdlinecookbook.jbs
Time: 05:06:43
Date: 13/08/2020
Version: 29.0.0 Ocean Jasper

Table of Contents
Table of Contents (p. 2)
Analysis Report (p. 3)
Overview (p. 3)
General Information (p. 3)
Detection (p. 3)
Signatures (p. 3)
Classification (p. 3)
Startup (p. 3)
Malware Configuration (p. 3)
Yara Overview (p. 3)
Sigma Overview (p. 3)
Signature Overview (p. 3)
Lowering of HIPS / PFW / Operating System Security Settings (p. 4)
Mitre Att&ck Matrix (p. 4)
Behavior Graph (p. 4)
Screenshots (p. 5)
Thumbnails (p. 5)
Antivirus, Machine Learning and Genetic Malware Detection (p. 6)
Initial Sample (p. 6)
Dropped Files (p. 6)
Unpacked PE Files (p. 6)
Domains (p. 6)
URLs (p. 6)
Domains and IPs (p. 6)
Contacted Domains (p. 7)
Contacted IPs (p. 7)
General Information (p. 7)
Simulations (p. 7)
Behavior and APIs (p. 7)
Created / dropped Files (p. 7)
Static File Info (p. 8)
No static file info (p. 8)
Network Behavior (p. 8)
Code Manipulations (p. 8)
Statistics (p. 8)
Behavior (p. 8)
System Behavior (p. 8)
Analysis Process: cmd.exe PID: 6980 Parent PID: 4104 (p. 8)
General (p. 8)
File Activities (p. 9)
Analysis Process: conhost.exe PID: 7008 Parent PID: 6980 (p. 9)
General (p. 9)
Analysis Process: netsh.exe PID: 7064 Parent PID: 6980 (p. 9)
General (p. 9)
File Activities (p. 9)
File Written (p. 9)
Registry Activities (p. 9)
Disassembly (p. 10)
Copyright null 2020 Page 2 of 10

Analysis Report
Overview
General Information
Analysis ID: 263707
Most interesting Screenshot: (image not included in this extraction)

Detection
Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures
Uses netsh to modify the Windows n…
Creates a process in suspended mo…
Queries the volume information (nam…
Sample execution stops while proce…

Classification
(radar chart in the original; scale: malicious / suspicious / clean; categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware)

Errors
Sigma syntax error: Has an empty selector, Rule: Avusing Azure Browser SSO
Startup
System is w10x64
cmd.exe (PID: 6980 cmdline: cmd /C 'netsh interface ipv4 delete destinationcache '7'' MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
netsh.exe (PID: 7064 cmdline: netsh interface ipv4 delete destinationcache '7' MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
cleanup
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
No Sigma rule has matched
Signature Overview
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
Lowering of HIPS / PFW / Operating System Security Settings:
Uses netsh to modify the Windows network and firewall settings
Mitre Att&ck Matrix
Columns (tactics, left to right): Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact

Row 1: Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 1 | Disable or Modify Tools 1 | OS Credential Dumping | System Information Discovery 1 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition

Row 2: Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 1 | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Behavior Graph
(Behavior graph rendered as an image in the original; recoverable information only.)
ID: 263707
Cookbook: defaultwindowscmdlinecookbook.jbs
Startdate: 13/08/2020
Architecture: WINDOWS
Score: 21
Graph: cmd.exe (flagged "Is malicious"; signature: Uses netsh to modify the Windows network and firewall settings) started netsh.exe and conhost.exe.
Legend (node and edge types): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
Screenshots
Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
No Antivirus matches
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP info
General Information
Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 263707
Start date: 13.08.2020
Start time: 05:06:43
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 59s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: defaultwindowscmdlinecookbook.jbs
Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus21.evad.win@4/1@0/0
Cookbook Comments: Adjust boot time; Enable AMSI; Stop behavior analysis, all processes terminated
Warnings: Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, svchost.exe
Errors: Sigma syntax error: Has an empty selector, Rule: Avusing Azure Browser SSO
Simulations
Behavior and APIs
No simulations
Created / dropped Files
\Device\ConDrv
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 7
Entropy (8bit): 2.2359263506290326
Encrypted: false
MD5: F1CA165C0DA831C9A17D08C4DECBD114
SHA1: D750F8260312A40968458169B496C40DACC751CA
SHA-256: ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
SHA-512: 052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
Malicious: false
Reputation: low
Preview: Ok.....
Static File Info
No static file info
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
• cmd.exe
• conhost.exe
• netsh.exe
System Behavior
Analysis Process: cmd.exe PID: 6980 Parent PID: 4104
General
Start time: 05:07:37
Start date: 13/08/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C 'netsh interface ipv4 delete destinationcache '7''
Imagebase: 0xaa0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
File Activities
Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
(no entries)
Analysis Process: conhost.exe PID: 7008 Parent PID: 6980
General
Start time: 05:07:38
Start date: 13/08/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff73df90000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Analysis Process: netsh.exe PID: 7064 Parent PID: 6980
General
Start time: 05:07:38
Start date: 13/08/2020
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh interface ipv4 delete destinationcache '7'
Imagebase: 0xd90000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
File Activities
Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
(no entries)
File Written
Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
\Device\ConDrv | unknown | 5 | 4f 6b 2e 0d 0a | Ok... | success or wait | 1 | D97B1B | WriteFile
\Device\ConDrv | unknown | 2 | 0d 0a | .. | success or wait | 1 | D97B1B | WriteFile
Registry Activities
Source | Key Path | Completion | Count | Address | Symbol
(no entries)

Source | Key Path | Name | Type | Data | Completion | Count | Address | Symbol
(no entries)
Disassembly