Automated Malware Analysis Report For
Total Page:16
File Type:pdf, Size:1020Kb
ID: 376922 Sample Name: FreeFileSync_11.8_Windows_Setup.exe Cookbook: default.jbs Time: 22:44:49 Date: 27/03/2021 Version: 31.0.0 Emerald Table of Contents Table of Contents 2 Analysis Report FreeFileSync_11.8_Windows_Setup.exe 4 Overview 4 General Information 4 Detection 4 Signatures 4 Classification 4 Analysis Advice 4 Startup 4 Malware Configuration 4 Yara Overview 4 Sigma Overview 4 Signature Overview 5 Mitre Att&ck Matrix 5 Behavior Graph 5 Screenshots 6 Thumbnails 6 Antivirus, Machine Learning and Genetic Malware Detection 7 Initial Sample 7 Dropped Files 7 Unpacked PE Files 7 Domains 7 URLs 8 Domains and IPs 8 Contacted Domains 8 URLs from Memory and Binaries 8 Contacted IPs 10 General Information 10 Simulations 11 Behavior and APIs 11 Joe Sandbox View / Context 11 IPs 11 Domains 11 ASN 11 JA3 Fingerprints 11 Dropped Files 11 Created / dropped Files 11 Static File Info 14 General 14 File Icon 14 Static PE Info 14 General 14 Authenticode Signature 14 Entrypoint Preview 15 Data Directories 16 Sections 16 Resources 16 Imports 17 Exports 17 Version Infos 17 Possible Origin 17 Network Behavior 18 Code Manipulations 18 Statistics 18 Behavior 18 System Behavior 18 Copyright Joe Security LLC 2021 Page 2 of 22 Analysis Process: FreeFileSync_11.8_Windows_Setup.exe PID: 620 Parent PID: 5568 18 General 18 File Activities 18 File Created 18 File Written 19 File Read 19 Analysis Process: FreeFileSync_11.8_Windows_Setup.tmp PID: 3348 Parent PID: 620 19 General 19 File Activities 20 File Created 20 File Written 20 File Read 21 Analysis Process: FreeFileSync.exe PID: 3016 Parent PID: 3348 22 General 22 File Activities 22 Disassembly 22 Code Analysis 22 Copyright Joe Security LLC 2021 Page 3 of 22 Analysis Report FreeFileSync_11.8_Windows_Setup.exe Overview General Information Detection Signatures Classification Sample FreeFileSync_11.8_Windo Name: ws_Setup.exe CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo ccaallllll nnaatttiiivvee fff… Analysis ID: 376922 CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo cchahelel ccnkka itiiffif v aae d df… MD5: af257f1cb06a063… CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo cchheecckk iiifff aa wdw… SHA1: d53c807d6cb12b… Ransomware CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo dcdyhynenacamk iiifcc aal llllwlyy… Miner Spreading SHA256: cee65d56e0f6cd2… CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo ldlaayuunnnaccmhh i aca a ppllrry CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo lllaauunncchh aa pprrr… mmaallliiiccciiioouusss Infos: malicious Evader Phishing sssuusssppiiiccciiioouusss CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo oloappueennnc haa app ooprrrrttt… suspicious Most interesting Screenshot: cccllleeaann clean CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo qoqupueerrnryy a CC pPPoUUrt … Exploiter Banker CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo qquueerrryy llCloocPcaaUllle e… CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo rrqreeuaaeddr y ttth hloeec PPaElEeBB Spyware Trojan / Bot Adware CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy tttoo srsehhauudtttdd toohwwen nP //E/ …B Score: 9 Range: 0 - 100 CCoonntttaaiiinnss fffuunncctttiiioonnaallliiitttyy wtwohh siiicchhhu tmdoaawyy nbb ee/ … Whitelisted: false DCDeoettnteetcacttitenedsd pfpuoontttecetnniotttiiinaaalll clcitrrryy ppwtttoho i fcffuuhnn mcctttiaiiooynn be Confidence: 60% DDrrerootpepscs t PePdEE p fffiioillleetessntial crypto function EDExrxottteepnnsss PiiivvEee ufuilsseees oofff GeetttPPrrrooccAAddddrrreessss (((oo… FEFoxoutuennndds didvrrreoo puppspeed do PfP GEE e fffiitillPlee r wowchhAiiiccdhhd hrheaassss n n(oo… Analysis Advice FFoouunndd edevrvoaapsspiiivveeed A APPPEIII cfcihlheaa iwiinnh ccichhhee cchkkaiiinsng gn foff… Sample drops PE files which have not been started, submit dropped PE samples for a secondFFaooruyun naddn llelaavlrrrygagseseii svaae mt oAoo PuJunoIn tetct oh oSfaff aninnoo dcnnh-b--eeoxcxxekecicnuugttte efdd… Sample may offer command line options, please run it with the 'Execute binary with argumenFtFsoo' uucnnoddo plkpaobortgtoteeeonn kttatiiia ma(llil t oss'sutttrrr niiipnnt oggo s fdd sneeiocbcrnrrlyey-pep tttxthiiioeoancnt u //t/ t haeae…d command line switches require additional characters like: "-", "/", "--") PFPEoEu fffniiilllede cpcoontnetttanaiitininassl asantnr i iniinngvv adalleliiiddc rccyhhpeeticcokknss u/u ma PPEE fffiiilllee ccoonntttaaiiinnss eaexnxe eicncuvutattaalbibdllle ec hrrreesscookusurrurccmee… PPEE fffiiilllee ccoonntttaaiiinnss sesexececttctiiiouontnassb wwleiiit tthrhe nsnoonun-r--scse… PPEE fffiiilllee ccoonntttaaiiinnss ssttetrrracatnnioggnees rr rewessitoohuu nrrrccoeenss-s Startup QPEuue efrrirliiiee ssc ottthhneeta vvinoosllluu smtreea niiinngfffoeor rrrmeasaotttiiiouonrnc (e((nnsaam… SQSaaumerppielllees ffftiiihllleee i iisvs o ddliuiifffffmfeerreree nintttf ottthhramanna otoiorrriiingg iiin(nnaaalll m … System is w10x64 USUsasemessp 3l3e22 bfbiiliitett P PisEE d fffiiiflllefeessrent than original FreeFileSync_11.8_Windows_Setup.exe (PID: 620 cmdline: 'C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe' MD5: AF257F1CB06A063644B2B3CBC14A5E1D) FreeFileSync_11.8_Windows_Setup.tmp (PID: 3348 cmdline: 'C:\Users\user\AppData\UULsosecesas l c\3cTo2oedbdmeiet p oPo\bibEsfffu- uf5sisl3eccEasat4ttiiio9on.nt m ttteepcc\hFhnnreiiiqqeuuFeeislse (S((…ync_11.8_Windows_Setup.tmp' /SL5='$110078,17 282871,899584,C:\Users\user\Desktop\FreeFileSync_11.8_Windows_Setup.exe' MD5: 90FFCDDC7F1ABC7A2BC2E54E2F9A8851) Uses code obfuscation techniques ( FreeFileSync.exe (PID: 3016 cmdline: 'C:\Users\user\AppData\Local\Temp\is-A3LFO.tmp\FreeFileSync.exe' ffs_setup_convert_jpg_to_bmp 'C:\Users\user\AppData\Loc al\Temp\is-A3LFO.tmp\img_15.jpg' MD5: EF608BE990DCCA691944F1A702E2C074) cleanup Malware Configuration No configs have been found Yara Overview No yara matches Sigma Overview No Sigma rule has matched Copyright Joe Security LLC 2021 Page 4 of 22 Signature Overview • Compliance • Spreading • Networking • System Summary • Data Obfuscation • Persistence and Installation Behavior • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection • Remote Access Functionality Click to jump to signature section There are no malicious signatures, click here to show all signatures . Mitre Att&ck Matrix Remote Initial Privilege Credential Lateral Command Network Service Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Effects Effects Valid Command Application Exploitation for Masquerading 1 OS System Time Remote Archive Exfiltration Encrypted Eavesdrop on Remotely Accounts and Scripting Shimming 1 Privilege Credential Discovery 1 Services Collected Over Other Channel 1 Insecure Track Device Interpreter 3 Escalation 1 Dumping Data 1 Network Network Without Medium Communication Authorization Default Native Boot or Access Token Access Token LSASS Security Remote Data from Exfiltration Junk Data Exploit SS7 to Remotely Accounts API 2 Logon Manipulation 1 Manipulation 1 Memory Software Desktop Removable Over Redirect Phone Wipe Data Initialization Discovery 2 1 Protocol Media Bluetooth Calls/SMS Without Scripts Authorization Domain At (Linux) Logon Script Process Process Injection 3 Security Process SMB/Windows Data from Automated Steganography Exploit SS7 to Obtain Accounts (Windows) Injection 3 Account Discovery 1 Admin Shares Network Exfiltration Track Device Device Manager Shared Location Cloud Drive Backups Local At (Windows) Logon Script Application Deobfuscate/Decode NTDS Application Distributed Input Scheduled Protocol SIM Card Accounts (Mac) Shimming 1 Files or Window Component Capture Transfer Impersonation Swap Information 1 Discovery 1 Object Model Cloud Cron Network Network Logon Obfuscated Files or LSA System SSH Keylogging Data Fallback Manipulate Accounts Logon Script Script Information 2 Secrets Owner/User Transfer Channels Device Discovery 2 Size Limits Communication Replication Launchd Rc.common Rc.common Steganography Cached File and VNC GUI Input Exfiltration Multiband Jamming or Through Domain Directory Capture Over C2 Communication Denial of Removable Credentials Discovery 2 Channel Service Media External Scheduled Startup Startup Items Compile After DCSync System Windows Web Portal Exfiltration Commonly Rogue Wi-Fi Remote Task Items Delivery Information Remote Capture Over Used Port Access Points Services Discovery 3 5 Management Alternative Protocol Behavior Graph Copyright Joe Security LLC 2021 Page 5 of 22 Hide Legend Behavior Graph Legend: ID: 376922 Process Sample: FreeFileSync_11.8_Windows_S... Signature Startdate: 27/03/2021 Architecture: WINDOWS Created File Score: 9 DNS/IP Info Is Dropped started Is Windows Process FreeFileSync_11.8_Windows_Setup.exe Number of created Registry Values Number of created Files 2 Visual Basic Delphi dropped Java .Net C# or VB.NET C:\...\FreeFileSync_11.8_Windows_Setup.tmp, PE32 started C, C++ or other language Is malicious Internet FreeFileSync_11.8_Windows_Setup.tmp 14 dropped dropped C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ C:\Users\user\AppData\...\FreeFileSync.exe, PE32 started FreeFileSync.exe 1 Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright Joe Security LLC 2021 Page 6 of 22 Antivirus, Machine Learning and Genetic