Automated Malware Analysis Report for lqbxjkznudo.vbs
Total Pages: 16
File Type: pdf, Size: 1020Kb
ID: 456437
Sample Name: lqbxjkznudo.vbs
Cookbook: default.jbs
Time: 18:46:04
Date: 29/07/2021
Version: 33.0.0 White Diamond

Table of Contents
Table of Contents 2
Windows Analysis Report lqbxjkznudo.vbs 3
  Overview 3
    General Information 3
    Detection 3
    Signatures 3
    Classification 3
  Process Tree 3
  Malware Configuration 3
  Yara Overview 3
  Sigma Overview 3
    Data Obfuscation: 3
  Jbx Signature Overview 3
    Data Obfuscation: 4
    Persistence and Installation Behavior: 4
  Mitre Att&ck Matrix 4
  Behavior Graph 4
  Screenshots 5
    Thumbnails 5
  Antivirus, Machine Learning and Genetic Malware Detection 6
    Initial Sample 6
    Dropped Files 6
    Unpacked PE Files 6
    Domains 6
    URLs 6
  Domains and IPs 7
    Contacted Domains 7
    URLs from Memory and Binaries 7
    Contacted IPs 7
  General Information 7
  Simulations 7
    Behavior and APIs 7
  Joe Sandbox View / Context 8
    IPs 8
    Domains 8
    ASN 8
    JA3 Fingerprints 8
    Dropped Files 8
  Dropped Files 8
    Created / dropped Files 8
  Static File Info 9
    General 9
    File Icon 9
  Network Behavior 9
    Network Port Distribution 9
    UDP Packets 9
  Code Manipulations 10
  Statistics 10
  Behavior 10
    System Behavior 10
      Analysis Process: wscript.exe PID: 5628 Parent PID: 3440 10
        General 10
        File Activities 10
          File Created 10
          File Written 10
      Analysis Process: cmd.exe PID: 1228 Parent PID: 3440 10
        General 10
        File Activities 10
          File Read 11
      Analysis Process: conhost.exe PID: 1520 Parent PID: 1228 11
        General 11
      Analysis Process: rundll32.exe PID: 6124 Parent PID: 1228 11
        General 11
        File Activities 11
          File Read 11
  Disassembly 11
    Code Analysis 11
Copyright Joe Security LLC 2021 Page 2 of 11

Windows Analysis Report lqbxjkznudo.vbs

Overview

General Information
Sample Name: lqbxjkznudo.vbs
Analysis ID: 456437
MD5: 1ab2a013916506…
SHA1: 2f7627fad1c2762…
SHA256: 4120e3280f06b2a…

Detection
Detection: malicious (scale: malicious / suspicious / clean)
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures (names that the report truncates are kept truncated here)
Sigma detected: Drops script at startup location
Windows Shell Script Host drops VBS files
Creates a process in suspended mo…
Creates a start menu entry (Start Me…
Found WSH timer for Javascript or V…
Java / VBScript file with very long s…
Monitors certain registry keys / valu…
Sample execution stops while proce…
Stores files to the Windows start me…

Classification (categories on the classification wheel)
Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Process Tree
System is w10x64
wscript.exe (PID: 5628, cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\lqbxjkznudo.vbs', MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
cmd.exe (PID: 1228, cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvfaspnqjbs.cmd' ', MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  conhost.exe (PID: 1520, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  rundll32.exe (PID: 6124, cmdline: C:\Windows\System32\rundll32.exe 'C:\Users\user\AppData\Local\Temp\3601228833197\dmsetzimrwzmziuax28763586819171.dll' Bn vpnJd9RUwODDFadQj, MD5: 73C519F050C20580F8A62C849D49215A)
cleanup

Malware Configuration
No configs have been found

Yara Overview
No yara matches

Sigma Overview
Data Obfuscation:
Sigma detected: Drops script at startup location

Jbx Signature Overview
Data Obfuscation:
Persistence and Installation Behavior:
Windows Shell Script Host drops VBS files

Mitre Att&ck Matrix (listed per tactic; the numbers after a technique name are the signature counts shown in the report)
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Scripting 1 2 1; PowerShell 1; At (Linux); At (Windows); Cron
Persistence: Startup Items 1; Registry Run Keys / Startup Folder 2; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Startup Items 1; Process Injection 1 1; Registry Run Keys / Startup Folder 2; Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading 1; Rundll32 1; Process Injection 1 1; Scripting 1 2 1; Obfuscated Files or Information 1
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Query Registry 1; Security Software Discovery 1; File and Directory Discovery 2; System Information Discovery 2; Remote System Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Behavior Graph
ID: 456437; Sample: lqbxjkznudo.vbs; Startdate: 29/07/2021; Architecture: WINDOWS; Score: 52
The graph image is not reproduced. Legend node and edge types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.
Nodes shown: wscript.exe (started) and cmd.exe (started); cmd.exe started conhost.exe and rundll32.exe; dropped file C:\Users\user\AppData\...\wvfaspnqjbs.cmd (DOS); signatures "Sigma detected: Drops script at startup location" and "Windows Shell Script Host drops VBS files"; counts shown: 18, 1.

Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample: No Antivirus matches
Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs:
Source | Detection | Scanner | Label | Link
pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe |
crl.pki.g | 0% | Avira URL Cloud | safe |
crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe |
https://pki.goog/repository/0 | 0% | URL Reputation | safe |
crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe |

Domains and IPs
Contacted Domains: No contacted domains info
URLs from Memory and Binaries:
Contacted IPs: No contacted IP infos

General Information
Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 456437
Start date: 29.07.2021
Start time: 18:46:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: lqbxjkznudo.vbs
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.expl.winVBS@5/3@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .vbs
Warnings:

Simulations
Behavior and APIs
Time | Type | Description
18:46:58 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wvfaspnqjbs.cmd

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
JA3 Fingerprints: No context
Dropped Files: No context

Dropped Files
Created / dropped Files
C:\Users\user\AppData\Local\Temp\3601228833197\dmsetzimrwzmziuax28763586819171.dll
Process: C:\Windows\System32\wscript.exe
File Type: XML 1.0 document text
Category: dropped
Size (bytes): 184
Entropy (8bit): 4.785873309209212
Encrypted: false
SSDEEP: 3:vFWWMNCmXyKgCC6beXqZj+PBMkmKqWWU667wtKPU9ht0XAFXF65lwzRUXcF2ZKg6:TM3i0b9ZjZvKtWRbtmnQDM+zRzsKvn
MD5: 6AFC36267DB06A922109C5AC28F92B80
SHA1: BF92D9FB8A4328C297FCC7BF1B8CA690982A8EE5
SHA-256: 75B2C200254C7D82C3D103DAFD9F74A38B80D15FF50D3246F6447A43EA87A993
SHA-512: 450A6E21BB6765B011126782B18D199610F7966888A80D566CEFF0C98392AE423DCCBBFA33AA4EF22B88318652016994DB097D208B5D732CBEB5DBE1468CA7E6
Malicious: false
Reputation: low
Preview: <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>There is an account problem for the requested project.</Details></Error>
C:\Users\user\AppData\Roaming\$tiivbvzzqce#.zip