ID: 263707
Cookbook: defaultwindowscmdlinecookbook.jbs
Time: 05:06:43
Date: 13/08/2020
Version: 29.0.0 Ocean Jasper

Table of Contents

Table of Contents 2
Analysis Report 3
Overview 3
General Information 3
Detection 3
Signatures 3
Classification 3
Startup 3
Malware Configuration 3
Yara Overview 3
Sigma Overview 3
Signature Overview 3
Lowering of HIPS / PFW / Security 4
Mitre Att&ck Matrix 4
Behavior Graph 4
Screenshots 5
Thumbnails 5
Antivirus, Machine Learning and Genetic Malware Detection 6
Initial Sample 6
Dropped Files 6
Unpacked PE Files 6
Domains 6
URLs 6
Domains and IPs 6
Contacted Domains 7
Contacted IPs 7
General Information 7
Simulations 7
Behavior and APIs 7
Created / dropped Files 7
Static File Info 8
No static file info 8
Network Behavior 8
Code Manipulations 8
Statistics 8
Behavior 8
System Behavior 8
Analysis Process: cmd.exe PID: 6980 Parent PID: 4104 8
General 8
File Activities 9
Analysis Process: conhost.exe PID: 7008 Parent PID: 6980 9
General 9
Analysis Process: netsh.exe PID: 7064 Parent PID: 6980 9
General 9
File Activities 9
File Written 9
Registry Activities 9
Disassembly 10

Copyright null 2020 Page 2 of 10

Analysis Report

Overview

General Information
Analysis ID: 263707
Most interesting Screenshot: (screenshot image not reproduced)

Detection
Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures
• Uses netsh to modify the Windows n…
• Creates a process in suspended mo…
• Queries the volume information (nam…
• Sample execution stops while proce…

Classification
Classification chart (image not reproduced); axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean

Errors
Sigma syntax error: Has an empty selector, Rule: Avusing Azure Browser SSO

Startup

System is w10x64
cmd.exe (PID: 6980, cmdline: cmd /C 'netsh interface ipv4 delete destinationcache '7'', MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 7008, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    netsh.exe (PID: 7064, cmdline: netsh interface ipv4 delete destinationcache '7', MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection 1 1; Boot or Logon Initialization Scripts
Defense Evasion: Disable or Modify Tools 1; Process Injection 1 1
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Information Discovery 1 1; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph

Behavior graph (image not reproduced)
ID: 263707
Cookbook: defaultwindowscmdlinecookbook.jbs
Startdate: 13/08/2020
Architecture: WINDOWS
Score: 21
Process tree: cmd.exe started netsh.exe and conhost.exe
Signature: Uses netsh to modify the Windows network and firewall settings
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper
Analysis ID: 263707
Start date: 13.08.2020
Start time: 05:06:43
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 59s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: defaultwindowscmdlinecookbook.jbs
Analysis system description: w10x64 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason:
Detection: SUS
Classification: sus21.evad.win@4/1@0/0
Cookbook Comments: Adjust boot time; Enable AMSI; Stop behavior analysis, all processes terminated
Warnings: Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, svchost.exe
Errors: Sigma syntax error: Has an empty selector, Rule: Avusing Azure Browser SSO

Simulations

Behavior and APIs

No simulations

Created / dropped Files

\Device\ConDrv
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 7
Entropy (8bit): 2.2359263506290326
Encrypted: false
MD5: F1CA165C0DA831C9A17D08C4DECBD114
SHA1: D750F8260312A40968458169B496C40DACC751CA
SHA-256: ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
SHA-512: 052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
Malicious: false
Reputation: low
Preview: Ok.....

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• cmd.exe
• conhost.exe
• netsh.exe

System Behavior

Analysis Process: cmd.exe PID: 6980 Parent PID: 4104

General

Start time: 05:07:37
Start date: 13/08/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C 'netsh interface ipv4 delete destinationcache '7''
Imagebase: 0xaa0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
(no entries)

Analysis Process: conhost.exe PID: 7008 Parent PID: 6980

General

Start time: 05:07:38
Start date: 13/08/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff73df90000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: netsh.exe PID: 7064 Parent PID: 6980

General

Start time: 05:07:38
Start date: 13/08/2020
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh interface ipv4 delete destinationcache '7'
Imagebase: 0xd90000
File size: 82944 bytes
MD5 hash: A0AA3322BB46BBFC36AB9DC1DBBBB807
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

File Activities

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
(no entries)

File Written

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
netsh.exe | \Device\ConDrv | unknown | 5 | 4f 6b 2e 0d 0a | Ok... | success or wait | 1 | D97B1B | WriteFile
netsh.exe | \Device\ConDrv | unknown | 2 | 0d 0a | .. | success or wait | 1 | D97B1B | WriteFile

Registry Activities

Source | Key Path | Completion | Count | Address | Symbol
(no entries)

Source | Key Path | Name | Type | Data | Completion | Count | Address | Symbol
(no entries)

Disassembly
