Automated Malware Analysis Report For
ID: 200939
Cookbook: browseurl.jbs
Time: 17:25:00
Date: 14/01/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report https://docs.zoho.com/file/io2ap787b5d0ad13c4bdd8a70ad6abae58caf 4
Overview 4
General Information 4
Detection 5
Confidence 5
Classification 5
Analysis Advice 6
Mitre Att&ck Matrix 6
Signature Overview 7
Phishing: 7
Networking: 7
System Summary: 7
Persistence and Installation Behavior: 7
Malware Configuration 8
Behavior Graph 8
Simulations 8
Behavior and APIs 8
Antivirus, Machine Learning and Genetic Malware Detection 8
Initial Sample 8
Dropped Files 8
Unpacked PE Files 8
Domains 9
URLs 9
Yara Overview 9
Initial Sample 9
PCAP (Network Traffic) 9
Dropped Files 9
Memory Dumps 9
Unpacked PEs 9
Sigma Overview 10
Joe Sandbox View / Context 10
IPs 10
Domains 10
ASN 10
JA3 Fingerprints 10
Dropped Files 10
Screenshots 10
Thumbnails 10
Startup 11
Created / dropped Files 11
Domains and IPs 24
Contacted Domains 24
URLs from Memory and Binaries 24
Contacted IPs 27
Public 27
Static File Info 27
No static file info 27
Network Behavior 28
Network Port Distribution 28
TCP Packets 28
UDP Packets 29
DNS Queries 31
DNS Answers 31
HTTPS Packets 33
Code Manipulations 41
Statistics 41
Behavior 41
System Behavior 41
Analysis Process: iexplore.exe PID: 5224 Parent PID: 700 41
General 41
File Activities 42
Registry Activities 42
Analysis Process: iexplore.exe PID: 5272 Parent PID: 5224 42
General 42
File Activities 42
Registry Activities 42
Analysis Process: iexplore.exe PID: 6048 Parent PID: 5224 42
General 42
File Activities 43
Disassembly 43

Copyright Joe Security LLC 2020 Page 2 of 43

Analysis Report https://docs.zoho.com/file/io2ap787b5d0ad13c4bdd8a70ad6abae58caf

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 200939
Start date: 14.01.2020
Start time: 17:25:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 58s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://docs.zoho.com/file/io2ap787b5d0ad13c4bdd8a70ad6abae58caf
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus22.phis.win@5/45@13/9
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Browsing link: https://help.zoho.com/portal/community/topic/writer-ends-support-for-internet-explorer-versions-ie8-ie9-and-ie10
  Browsing link: https://writer.zoho.com/writer/open/io2ap787b5d0ad13c4bdd8a70ad6abae58caf#page=1
  Browsing link: https://writer.zoho.com/writer/open/io2ap787b5d0ad13c4bdd8a70ad6abae58caf#page=1&zoom=auto,-73,792
  Browsing link: https://split.to/uqMH3zd
Warnings:
  Exclude process from analysis (whitelisted): ielowutil.exe, HxTsr.exe, RuntimeBroker.exe, conhost.exe, backgroundTaskHost.exe, CompatTelRunner.exe
  TCP Packets have been reduced to 100
  Excluded IPs from analysis (whitelisted): 92.122.253.130, 104.103.90.39, 152.199.19.161, 23.39.94.151, 40.90.22.191, 40.90.22.189, 40.90.22.190, 204.79.197.200, 13.107.21.200, 52.109.124.23
  Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, www.bing.com, prod-w.nexus.live.com.akadns.net, lgin.msa.trafficmanager.net, ie9comview.vo.msecnd.net, dual-a-0001.a-msedge.net, tile-service.weather.microsoft.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, e15275.g.akamaiedge.net, storeedgefd.xbetservices.akadns.net, login.msa.msidentity.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, wildcard.weather.microsoft.com.edgekey.net, login.live.com, go.microsoft.com.edgekey.net, nexus.officeapps.live.com, e16646.dscg.akamaiedge.net, storeedgefd.dsx.mp.microsoft.com, cs9.wpc.v0cdn.net
  Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

Strategy: Threshold
Score: 22
Range: 0 - 100
Reporting: false
Whitelisted: (not shown)
Detection: SUS

Confidence

Strategy: Threshold
Score: 3
Range: 0 - 5
Further Analysis Required?: true

Classification

(Classification chart; image not extracted.) Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious / suspicious / clean.

Analysis Advice

Initial sample is implementing a service and should be registered / started as service
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Tactics (columns): Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects

Row 1: Valid Accounts | Graphical User Interface 1 | Winlogon Helper DLL | Process Injection 1 | Masquerading 1 | Credential Dumping | File and Directory Discovery 1 | Application Deployment Software | Data from Local System | Data Compressed | Standard Cryptographic Protocol 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization
Row 2: Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Process Injection 1 | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization
Row 3: External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Rootkit | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups

(The trailing number after a technique is the count of matching signatures.)

Signature Overview

• Phishing
• Networking
• System Summary
• Persistence and Installation Behavior

Phishing:
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
Invalid T&C link found
META author tag missing
META copyright tag missing

Networking:
Found strings which match to known social media urls
Performs DNS lookups
Urls found in memory or binary data
Uses HTTPS

System Summary:
Classification label
Creates files inside the user directory
Creates temporary files
Reads ini files
Spawns processes
Found graphical window changes (likely an installer)
Uses new MSVCR Dlls

Persistence and Installation Behavior:
Drops files with a non-matching file extension (content does not match file extension)

Malware Configuration

No configs have been found

Behavior Graph

(Behavior graph image; ID: 200939. Labels recovered from the graph:) URL: https://docs.zoho.com/file/...; Startdate: 14/01/2020; Architecture: WINDOWS; Score: 22; signature: Phishing site detected (based on logo template match); processes: iexplore.exe (three instances, started); contacted domains: support.zoho.com, help.zoho.com, docs.zoho.com, sylterhofroyalpvtltd.com, computational-artichoke-w0ccsrpa5dv58ardn93ucggy.herokudns.com, split.to; contacted IPs: 8.39.54.105 (443, 49753, 49754), 8.39.54.110 (443, 49763, 49764), 199.79.62.144 (443, 49765, 49766), 34.204.156.91 (443, 49761, 49762), plus 11 other IPs or domains; ASN: ZOHO-AS-ZOHOUS, unknown; country: United States.

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample: No Antivirus matches
Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches

Domains

Source | Detection | Scanner | Label
zohostatic.com | 0% | Virustotal |
computational-artichoke-w0ccsrpa5dv58ardn93ucggy.herokudns.com | 0% | Virustotal |
css.zohostatic.com | 0% | Virustotal |
split.to | 4% | Virustotal |
js.zohostatic.com | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://sylterhofroyalpvtltd.com/error/Hotmail%20SkyNet2/ | 1% | Virustotal |
https://sylterhofroyalpvtltd.com/error/Hotmail%20SkyNet2/ | 0% | Avira URL Cloud | safe
https://js.zohostatic.com/writer3/Jan_14_2020_2/js/pdf.worker.js | 0% | Avira URL Cloud | safe
https://split.to/uqMH3zd) | 0% | Avira URL Cloud | safe
https://split.to/uqMH3zd | 0% | Avira URL Cloud | safe
https://writer.zooyalpvtltd.com/error/Hotmail%20SkyNet2/a70ad6abae58caf#page=1&zuid | 0% | Avira URL Cloud | safe
https://js.zohostatic.com/writer3/Jan_14_2020_2/js/zw_pdfpreview_part1.js | 0% | Avira URL Cloud | safe
https://writer.zoh | 0% | Avira URL Cloud | safe
https://writer.zoRoot | 0% | Avira URL Cloud | safe
https://writer.zom/writer/open/io2ap787b5d0ad13c4bdd8a70ad6abae58cafRoot | 0% | Avira URL Cloud | safe
https://sylterhofrqMH3zdoyalpvtltd.com/error/Hotmail%20SkyNet2/Root