ID: 310725 Cookbook: urldownload.jbs Time: 19:43:02 Date: 06/11/2020 Version: 31.0.0 Red Diamond
Copyright null 2020
Analysis Report http://bash.givemexyz.in/xms||wget
Overview
General Information
Sample URL: bash.givemexyz.in/xms||wget
Analysis ID: 310725
Detection
Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%
Signatures
No high impact signatures.
Classification
(Classification chart, not reproduced: the sample is rated on a malicious / suspicious / clean scale across the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware.)
Startup
System is w10x64
cmd.exe (PID: 6480 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://bash.givemexyz.in/xms%7C%7Cwget' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    wget.exe (PID: 6528 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://bash.givemexyz.in/xms%7C%7Cwget' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
cleanup
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
No Sigma rule has matched
Signature Overview
• Networking • System Summary • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion
There are no malicious signatures.
Mitre Att&ck Matrix
(Matrix flattened to one line per tactic; the number after a technique is the count of matching signatures.)
Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At (Linux)
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation: Process Injection 1 | Boot or Logon Initialization Scripts | Logon Script (Windows)
Defense Evasion: Masquerading 1 | Process Injection 1 | Obfuscated Files or Information
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: Security Software Discovery 1 | System Information Discovery 1 | Remote System Discovery 1
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Command and Control: Non-Application Layer Protocol 3 | Application Layer Protocol 3 | Ingress Tool Transfer 3
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data
Behavior Graph
(Behavior graph, figure not reproduced.) Analysis ID: 310725; URL: http://bash.givemexyz.in/xm...; Startdate: 06/11/2020; Architecture: WINDOWS; Score: 0.
Process tree shown in the graph: cmd.exe started wget.exe and conhost.exe.
Network nodes: wget.exe contacted bash.givemexyz.in at 205.185.116.78 (source port 49728, destination port 80; PONYNETUS, United States) and 39.96.117.48 (port 80; CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd, China).
Screenshots
Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label
bash.givemexyz.in/xms%7C%7Cwget | 2% | Virustotal | (none)
bash.givemexyz.in/xms%7C%7Cwget | 0% | Avira URL Cloud | safe
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bash.givemexyz.in | 39.96.117.48 | true | false | (none) | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
bash.givemexyz.in/xms%7C%7Cwget | false | (none) | unknown
Contacted IPs
Public
IP | Domain | Country | ASN | ASN Name | Malicious
39.96.117.48 | unknown | China | 37963 | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd | false
205.185.116.78 | unknown | United States | 53667 | PONYNETUS | false
General Information
Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 310725
Start date: 06.11.2020
Start time: 19:43:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 28s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: bash.givemexyz.in/xms||wget
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@4/1@1/2
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Unable to download file
Warnings:
Exclude process from analysis (whitelisted): SgrmBroker.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.255.148.73, 40.122.171.231, 23.210.248.85, 51.104.139.180
Excluded domains from analysis (whitelisted): umwatsonrouting.trafficmanager.net, skypedataprdcolcus07.cloudapp.net, fs.microsoft.com, arc.msn.com.nsatc.net, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, skypedataprdcoleus07.cloudapp.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com
Simulations
Behavior and APIs
No simulations
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
File: C:\Users\user\Desktop\cmdline.out
Process: C:\Windows\SysWOW64\wget.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 434
Entropy (8bit): 5.25400558492574
Encrypted: false
SSDEEP: 12:HVL+X/dMF7j6d6OJcgP6N1De5Rhh8FL5oYoB3v:1+lMF36d6O286NxePP8FL5of
MD5: 468F6CF535D2550ADB9F8CF704DA8A3C
SHA1: D464FDCA41F403407B8BCDC89A43C4CAE12F4E24
SHA-256: 4F030AABAF9958B446CBC144DC3F4C5F984471F4FACAE77447C4C4A7A9138DB4
SHA-512: 22F1B36EB93E4E0AA903E98718635980F5A019539B792AA26B0CFB76F62CAE496E1B847DFAC8A2271A3B581ED602674DD0BAB22F9D1A8409C870C97E026A1357
Malicious: false
Reputation: low
Preview: --2020-11-06 19:43:59-- http://bash.givemexyz.in/xms%7C%7Cwget..Resolving bash.givemexyz.in (bash.givemexyz.in)... 39.96.117.48, 205.185.116.78..Connecting to bash.givemexyz.in (bash.givemexyz.in)|39.96.117.48|:80... failed: Bad file descriptor...Connecting to bash.givemexyz.in (bash.givemexyz.in)|205.185.116.78|:80... connected...HTTP request sent, awaiting response... 404 Not Found..2020-11-06 19:44:20 ERROR 404: Not Found.....
Static File Info
No static file info
Network Behavior
Network Port Distribution
Total Packets: 22 • 53 (DNS) • 80 (HTTP)
TCP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 6, 2020 19:43:59.867757082 CET | 49721 | 80 | 192.168.2.7 | 39.96.117.48
Nov 6, 2020 19:44:02.879822016 CET | 49721 | 80 | 192.168.2.7 | 39.96.117.48
Nov 6, 2020 19:44:08.895108938 CET | 49721 | 80 | 192.168.2.7 | 39.96.117.48
Nov 6, 2020 19:44:20.903482914 CET | 49728 | 80 | 192.168.2.7 | 205.185.116.78
Nov 6, 2020 19:44:21.082315922 CET | 80 | 49728 | 205.185.116.78 | 192.168.2.7
Nov 6, 2020 19:44:21.082526922 CET | 49728 | 80 | 192.168.2.7 | 205.185.116.78
Nov 6, 2020 19:44:21.086556911 CET | 49728 | 80 | 192.168.2.7 | 205.185.116.78
Nov 6, 2020 19:44:21.264637947 CET | 80 | 49728 | 205.185.116.78 | 192.168.2.7
Nov 6, 2020 19:44:21.264691114 CET | 80 | 49728 | 205.185.116.78 | 192.168.2.7
Nov 6, 2020 19:44:21.317105055 CET | 49728 | 80 | 192.168.2.7 | 205.185.116.78
Nov 6, 2020 19:44:21.566595078 CET | 49728 | 80 | 192.168.2.7 | 205.185.116.78
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 6, 2020 19:43:53.741332054 CET | 52914 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:43:53.768322945 CET | 53 | 52914 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:43:54.407123089 CET | 64569 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:43:54.434223890 CET | 53 | 64569 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:43:55.146549940 CET | 52816 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:43:55.181974888 CET | 53 | 52816 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:43:56.132401943 CET | 50781 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:43:56.167891026 CET | 53 | 50781 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:43:56.836277008 CET | 54230 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:43:56.863507032 CET | 53 | 54230 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:43:57.665879011 CET | 54911 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:43:57.692964077 CET | 53 | 54911 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:43:58.507170916 CET | 49958 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:43:58.534332037 CET | 53 | 49958 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:43:59.505259991 CET | 50860 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:43:59.532434940 CET | 53 | 50860 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:43:59.820913076 CET | 50452 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:43:59.858297110 CET | 53 | 50452 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:44:00.337966919 CET | 59730 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:44:00.373457909 CET | 53 | 59730 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:44:00.987529039 CET | 59310 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:44:01.014674902 CET | 53 | 59310 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:44:01.824896097 CET | 51919 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:44:01.851985931 CET | 53 | 51919 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:44:08.450848103 CET | 64296 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:44:08.495134115 CET | 53 | 64296 | 8.8.8.8 | 192.168.2.7
Nov 6, 2020 19:44:22.692410946 CET | 56680 | 53 | 192.168.2.7 | 8.8.8.8
Nov 6, 2020 19:44:22.719568968 CET | 53 | 56680 | 8.8.8.8 | 192.168.2.7
DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 6, 2020 19:43:59.820913076 CET | 192.168.2.7 | 8.8.8.8 | 0x1e2 | Standard query (0) | bash.givemexyz.in | A (IP address) | IN (0x0001)
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 6, 2020 19:43:59.858297110 CET | 8.8.8.8 | 192.168.2.7 | 0x1e2 | No error (0) | bash.givemexyz.in | (none) | 39.96.117.48 | A (IP address) | IN (0x0001)
Nov 6, 2020 19:43:59.858297110 CET | 8.8.8.8 | 192.168.2.7 | 0x1e2 | No error (0) | bash.givemexyz.in | (none) | 205.185.116.78 | A (IP address) | IN (0x0001)
HTTP Request Dependency Graph
bash.givemexyz.in
HTTP Packets
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49728 | 205.185.116.78 | 80 | C:\Windows\SysWOW64\wget.exe
Timestamp | kBytes transferred | Direction | Data
Nov 6, 2020 19:44:21.086556911 CET | 896 | OUT | GET /xms%7C%7Cwget HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
    Accept: */*
    Accept-Encoding: identity
    Host: bash.givemexyz.in
    Connection: Keep-Alive
Nov 6, 2020 19:44:21.264691114 CET | 897 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.10.3 (Ubuntu)
    Date: Fri, 06 Nov 2020 18:44:21 GMT
    Content-Type: text/html
    Content-Length: 178
    Connection: keep-alive
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii:
404 Not Found
Code Manipulations
Statistics
Behavior
• cmd.exe • conhost.exe • wget.exe
System Behavior
Analysis Process: cmd.exe PID: 6480 Parent PID: 3804
General
Start time: 19:43:57
Start date: 06/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://bash.givemexyz.in/xms%7C%7Cwget' > cmdline.out 2>&1
Imagebase: 0x870000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
File Created
File Path: C:\Users\user\Desktop\cmdline.out
Access: read attributes | synchronize | generic write
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 1
Address: 87D194
Symbol: CreateFileW
Analysis Process: conhost.exe PID: 6492 Parent PID: 6480
General
Start time: 19:43:58
Start date: 06/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Analysis Process: wget.exe PID: 6528 Parent PID: 6480
General
Start time: 19:43:59
Start date: 06/11/2020
Path: C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit): true
Commandline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://bash.givemexyz.in/xms%7C%7Cwget'
Imagebase: 0x400000
File size: 3895184 bytes
MD5 hash: 3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
No file activities recorded.
Disassembly
Code Analysis