
ID: 310725   Cookbook: urldownload.jbs   Time: 19:43:02   Date: 06/11/2020   Version: 31.0.0 Red Diamond

Table of Contents

Table of Contents ............ 2
Analysis Report http://bash.givemexyz.in/xms||wget ............ 4
  Overview ............ 4
    General Information ............ 4
    Detection ............ 4
    Signatures ............ 4
    Classification ............ 4
  Startup ............ 4
  Malware Configuration ............ 4
  Yara Overview ............ 4
  Sigma Overview ............ 4
  Signature Overview ............ 4
  Mitre Att&ck Matrix ............ 5
  Behavior Graph ............ 5
  Screenshots ............ 6
    Thumbnails ............ 6
  Antivirus, Machine Learning and Genetic Malware Detection ............ 7
    Initial Sample ............ 7
    Dropped Files ............ 7
    Unpacked PE Files ............ 7
    Domains ............ 7
    URLs ............ 7
  Domains and IPs ............ 8
    Contacted Domains ............ 8
    Contacted URLs ............ 8
    Contacted IPs ............ 8
      Public ............ 8
  General Information ............ 8
  Simulations ............ 9
    Behavior and APIs ............ 9
  Joe Sandbox View / Context ............ 9
    IPs ............ 9
    Domains ............ 9
    ASN ............ 9
    JA3 Fingerprints ............ 9
    Dropped Files ............ 10
  Created / dropped Files ............ 10
  Static File Info ............ 10
    No static file info ............ 10
  Network Behavior ............ 10
    Network Port Distribution ............ 10
    TCP Packets ............ 10
    UDP Packets ............ 11
    DNS Queries ............ 11
    DNS Answers ............ 11
    HTTP Request Dependency Graph ............ 11
    HTTP Packets ............ 11
  Code Manipulations ............ 12
  Statistics ............ 12
    Behavior ............ 12
  System Behavior ............ 12
    Analysis Process: cmd.exe PID: 6480 Parent PID: 3804 ............ 12
      General ............ 12
      File Activities ............ 13
        File Created ............ 13
    Analysis Process: conhost.exe PID: 6492 Parent PID: 6480 ............ 13
      General ............ 13
    Analysis Process: wget.exe PID: 6528 Parent PID: 6480 ............ 13
      General ............ 13
      File Activities ............ 13
  Disassembly ............ 14
    Code Analysis ............ 14

Copyright null 2020 Page 2 of 14

Analysis Report http://bash.givemexyz.in/xms||wget

Overview

General Information

Sample URL: bash.givemexyz.in/xms||wget
Analysis ID: 310725
Most interesting Screenshot: (image, not reproduced here)

Detection

Score: 0   Range: 0 - 100   Whitelisted: false   Confidence: 80%

Signatures

No high impact signatures.

Classification

(Radar chart in the original. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Rings, from outside in: malicious, suspicious, clean.)

Startup

System is w10x64
  cmd.exe (PID: 6480, cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://bash.givemexyz.in/xms%7C%7Cwget' > cmdline.out 2>&1, MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 6492, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    wget.exe (PID: 6528, cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://bash.givemexyz.in/xms%7C%7Cwget', MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Networking • System Summary • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion


There are no malicious signatures.

Mitre Att&ck Matrix

One technique per tactic column and row; a trailing count marks the techniques that signatures in this analysis were mapped to.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery 1; System Information Discovery 1; Remote System Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Non-Application Layer Protocol 3; Application Layer Protocol 3; Ingress Tool Transfer 3
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

(Rendered as a graph image in the original; the recoverable content follows.)

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious

ID: 310725   URL: http://bash.givemexyz.in/xm...   Startdate: 06/11/2020   Architecture: WINDOWS   Score: 0

cmd.exe
  started wget.exe
  started conhost.exe

wget.exe contacted bash.givemexyz.in:
  205.185.116.78 (source port 49728, destination port 80), PONYNETUS, United States
  39.96.117.48 (destination port 80), CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd, China

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source                           Detection  Scanner          Label
bash.givemexyz.in/xms%7C%7Cwget  2%         Virustotal
bash.givemexyz.in/xms%7C%7Cwget  0%         Avira URL Cloud  safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name               IP            Active  Malicious  Antivirus Detection  Reputation
bash.givemexyz.in  39.96.117.48  true    false                           unknown

Contacted URLs

Name                             Malicious  Antivirus Detection  Reputation
bash.givemexyz.in/xms%7C%7Cwget  false                           unknown

Contacted IPs


Public

IP              Domain   Country        ASN    ASN Name                                                Malicious
39.96.117.48    unknown  China          37963  CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd  false
205.185.116.78  unknown  United States  53667  PONYNETUS                                               false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 310725
Start date: 06.11.2020
Start time: 19:43:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 28s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: bash.givemexyz.in/xms||wget
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@4/1@1/2
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Unable to download file
Warnings:
  Exclude process from analysis (whitelisted): SgrmBroker.exe, backgroundTaskHost.exe, svchost.exe
  Excluded IPs from analysis (whitelisted): 52.255.148.73, 40.122.171.231, 23.210.248.85, 51.104.139.180
  Excluded domains from analysis (whitelisted): umwatsonrouting.trafficmanager.net, skypedataprdcolcus07.cloudapp.net, fs.microsoft.com, arc.msn.com.nsatc.net, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, skypedataprdcoleus07.cloudapp.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\Desktop\cmdline.out
Process: C:\Windows\SysWOW64\wget.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 434
Entropy (8bit): 5.25400558492574
Encrypted: false
SSDEEP: 12:HVL+X/dMF7j6d6OJcgP6N1De5Rhh8FL5oYoB3v:1+lMF36d6O286NxePP8FL5of
MD5: 468F6CF535D2550ADB9F8CF704DA8A3C
SHA1: D464FDCA41F403407B8BCDC89A43C4CAE12F4E24
SHA-256: 4F030AABAF9958B446CBC144DC3F4C5F984471F4FACAE77447C4C4A7A9138DB4
SHA-512: 22F1B36EB93E4E0AA903E98718635980F5A019539B792AA26B0CFB76F62CAE496E1B847DFAC8A2271A3B581ED602674DD0BAB22F9D1A8409C870C97E026A1357
Malicious: false
Reputation: low
Preview (CRLF line breaks restored):
  --2020-11-06 19:43:59--  http://bash.givemexyz.in/xms%7C%7Cwget
  Resolving bash.givemexyz.in (bash.givemexyz.in)... 39.96.117.48, 205.185.116.78
  Connecting to bash.givemexyz.in (bash.givemexyz.in)|39.96.117.48|:80... failed: Bad file descriptor.
  Connecting to bash.givemexyz.in (bash.givemexyz.in)|205.185.116.78|:80... connected.
  HTTP request sent, awaiting response... 404 Not Found
  2020-11-06 19:44:20 ERROR 404: Not Found.
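The cmdline.out preview is the one artifact in this report that records which of the two resolved addresses actually answered: wget tried 39.96.117.48 first, failed, then connected to 205.185.116.78 and received a 404. When triaging many such download-cookbook runs, that distinction (resolved versus contacted) is what separates a real network IOC from a dead A record. The parser below is an added example, not part of the report or of Joe Sandbox. It works on wget's verbose log format; the first sample is the preview above with its line breaks restored, the second is a constructed successful download (example.test, 192.0.2.10) to show the "saved" path, which is not from this report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the cmdline.out preview from this report with wget's
# CRLF line breaks restored.
SAMPLE_LOG_404 = (
    "--2020-11-06 19:43:59--  http://bash.givemexyz.in/xms%7C%7Cwget\r\n"
    "Resolving bash.givemexyz.in (bash.givemexyz.in)... 39.96.117.48, 205.185.116.78\r\n"
    "Connecting to bash.givemexyz.in (bash.givemexyz.in)|39.96.117.48|:80... failed: Bad file descriptor.\r\n"
    "Connecting to bash.givemexyz.in (bash.givemexyz.in)|205.185.116.78|:80... connected.\r\n"
    "HTTP request sent, awaiting response... 404 Not Found\r\n"
    "2020-11-06 19:44:20 ERROR 404: Not Found.\r\n"
)

# Constructed control case (not from the report): a download that succeeded.
SAMPLE_LOG_200 = (
    "--2020-11-06 19:50:00--  http://example.test/tool.bin\r\n"
    "Resolving example.test (example.test)... 192.0.2.10\r\n"
    "Connecting to example.test (example.test)|192.0.2.10|:80... connected.\r\n"
    "HTTP request sent, awaiting response... 200 OK\r\n"
    "Length: 4096 (4.0K) [application/octet-stream]\r\n"
    "Saving to: 'C:/Users/user/Desktop/download/tool.bin'\r\n"
    "\r\n"
    "2020-11-06 19:50:01 (1.00 MB/s) - 'C:/Users/user/Desktop/download/tool.bin' saved [4096/4096]\r\n"
)


@dataclass
class Attempt:
    ip: str
    port: int
    outcome: str  # "connected" or the failure text wget printed


@dataclass
class WgetRun:
    url: Optional[str] = None
    started: Optional[str] = None
    resolved_ips: List[str] = field(default_factory=list)
    attempts: List[Attempt] = field(default_factory=list)
    http_status: Optional[int] = None
    http_reason: Optional[str] = None
    error: Optional[str] = None
    saved_path: Optional[str] = None
    saved_bytes: Optional[int] = None

    def contacted_ips(self) -> List[str]:
        """Addresses that completed a TCP connection: the IOCs worth blocking."""
        return [a.ip for a in self.attempts if a.outcome == "connected"]


START_RE = re.compile(r"^--(\S+ \S+)--\s+(\S+)$")
RESOLVE_RE = re.compile(r"^Resolving \S+ \(.*?\)\.\.\. (.+)$")
CONNECT_RE = re.compile(r"^Connecting to \S+ \(.*?\)\|([^|]+)\|:(\d+)\.\.\. (.+?)\.?$")
STATUS_RE = re.compile(r"^HTTP request sent, awaiting response\.\.\. (\d{3}) (.*)$")
ERROR_RE = re.compile(r"^(\S+ \S+) ERROR (\d{3}): (.+?)\.?$")
SAVING_RE = re.compile(r"^Saving to: ['\u2018](.+)['\u2019]$")
SAVED_RE = re.compile(r"^(\S+ \S+) \(.*?\) - ['\u2018](.+?)['\u2019] saved \[(\d+)(?:/(\d+))?\]")


def parse_wget_log(text: str) -> WgetRun:
    """Parse one wget -v run into resolved IPs, connection attempts and outcome."""
    run = WgetRun()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := START_RE.match(line):
            run.started, run.url = m.group(1), m.group(2)
        elif m := RESOLVE_RE.match(line):
            run.resolved_ips = [ip.strip().rstrip(".") for ip in m.group(1).split(",")]
        elif m := CONNECT_RE.match(line):
            run.attempts.append(Attempt(m.group(1), int(m.group(2)), m.group(3)))
        elif m := STATUS_RE.match(line):
            run.http_status, run.http_reason = int(m.group(1)), m.group(2)
        elif m := ERROR_RE.match(line):
            run.error = m.group(3)
        elif m := SAVING_RE.match(line):
            run.saved_path = m.group(1)
        elif m := SAVED_RE.match(line):
            run.saved_path, run.saved_bytes = m.group(2), int(m.group(3))
    return run


if __name__ == "__main__":
    for log in (SAMPLE_LOG_404, SAMPLE_LOG_200):
        r = parse_wget_log(log)
        print(r.url, "resolved", r.resolved_ips, "contacted", r.contacted_ips(),
              "status", r.http_status, "error", r.error, "saved", r.saved_bytes)
```

Feeding this report's log through it yields two resolved addresses but only one contacted address; the unanswered 39.96.117.48 still belongs in the DNS record for the domain, but it is not evidence of a live server.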

Static File Info

No static file info

Network Behavior

Network Port Distribution

Total Packets: 22 • 53 (DNS) • 80 (HTTP)

TCP Packets

Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Nov 6, 2020 19:43:59.867757082 CET  49721        80         192.168.2.7     39.96.117.48
Nov 6, 2020 19:44:02.879822016 CET  49721        80         192.168.2.7     39.96.117.48
Nov 6, 2020 19:44:08.895108938 CET  49721        80         192.168.2.7     39.96.117.48
Nov 6, 2020 19:44:20.903482914 CET  49728        80         192.168.2.7     205.185.116.78
Nov 6, 2020 19:44:21.082315922 CET  80           49728      205.185.116.78  192.168.2.7
Nov 6, 2020 19:44:21.082526922 CET  49728        80         192.168.2.7     205.185.116.78
Nov 6, 2020 19:44:21.086556911 CET  49728        80         192.168.2.7     205.185.116.78
Nov 6, 2020 19:44:21.264637947 CET  80           49728      205.185.116.78  192.168.2.7
Nov 6, 2020 19:44:21.264691114 CET  80           49728      205.185.116.78  192.168.2.7
Nov 6, 2020 19:44:21.317105055 CET  49728        80         192.168.2.7     205.185.116.78
Nov 6, 2020 19:44:21.566595078 CET  49728        80         192.168.2.7     205.185.116.78

The three packets from source port 49721 to 39.96.117.48 get no reply in the capture; wget's log (cmdline.out) records that connection attempt as failed, after which it connected to the second A record, 205.185.116.78, from port 49728.

UDP Packets

Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Nov 6, 2020 19:43:53.741332054 CET  52914        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:43:53.768322945 CET  53           52914      8.8.8.8      192.168.2.7
Nov 6, 2020 19:43:54.407123089 CET  64569        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:43:54.434223890 CET  53           64569      8.8.8.8      192.168.2.7
Nov 6, 2020 19:43:55.146549940 CET  52816        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:43:55.181974888 CET  53           52816      8.8.8.8      192.168.2.7
Nov 6, 2020 19:43:56.132401943 CET  50781        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:43:56.167891026 CET  53           50781      8.8.8.8      192.168.2.7
Nov 6, 2020 19:43:56.836277008 CET  54230        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:43:56.863507032 CET  53           54230      8.8.8.8      192.168.2.7
Nov 6, 2020 19:43:57.665879011 CET  54911        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:43:57.692964077 CET  53           54911      8.8.8.8      192.168.2.7
Nov 6, 2020 19:43:58.507170916 CET  49958        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:43:58.534332037 CET  53           49958      8.8.8.8      192.168.2.7
Nov 6, 2020 19:43:59.505259991 CET  50860        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:43:59.532434940 CET  53           50860      8.8.8.8      192.168.2.7
Nov 6, 2020 19:43:59.820913076 CET  50452        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:43:59.858297110 CET  53           50452      8.8.8.8      192.168.2.7
Nov 6, 2020 19:44:00.337966919 CET  59730        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:44:00.373457909 CET  53           59730      8.8.8.8      192.168.2.7
Nov 6, 2020 19:44:00.987529039 CET  59310        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:44:01.014674902 CET  53           59310      8.8.8.8      192.168.2.7
Nov 6, 2020 19:44:01.824896097 CET  51919        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:44:01.851985931 CET  53           51919      8.8.8.8      192.168.2.7
Nov 6, 2020 19:44:08.450848103 CET  64296        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:44:08.495134115 CET  53           64296      8.8.8.8      192.168.2.7
Nov 6, 2020 19:44:22.692410946 CET  56680        53         192.168.2.7  8.8.8.8
Nov 6, 2020 19:44:22.719568968 CET  53           56680      8.8.8.8      192.168.2.7

All UDP traffic is DNS to 8.8.8.8. Only the query at 19:43:59.820913076 CET (bash.givemexyz.in) is listed under DNS Queries; the remaining lookups are not shown, consistent with the whitelisted domains excluded from analysis under General Information.

DNS Queries

Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class
Nov 6, 2020 19:43:59.820913076 CET  192.168.2.7  8.8.8.8  0x1e2     Standard query (0)  bash.givemexyz.in  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address         Type            Class
Nov 6, 2020 19:43:59.858297110 CET  8.8.8.8    192.168.2.7  0x1e2     No error (0)  bash.givemexyz.in         39.96.117.48    A (IP address)  IN (0x0001)
Nov 6, 2020 19:43:59.858297110 CET  8.8.8.8    192.168.2.7  0x1e2     No error (0)  bash.givemexyz.in         205.185.116.78  A (IP address)  IN (0x0001)

HTTP Request Dependency Graph

bash.givemexyz.in

HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.7  49728        205.185.116.78  80                C:\Windows\SysWOW64\wget.exe

Timestamp                           kBytes transferred  Direction  Data
Nov 6, 2020 19:44:21.086556911 CET  896                 OUT
  GET /xms%7C%7Cwget HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
  Accept: */*
  Accept-Encoding: identity
  Host: bash.givemexyz.in
  Connection: Keep-Alive
Nov 6, 2020 19:44:21.264691114 CET  897                 IN
  HTTP/1.1 404 Not Found
  Server: nginx/1.10.3 ()
  Date: Fri, 06 Nov 2020 18:44:21 GMT
  Content-Type: text/html
  Content-Length: 178
  Connection: keep-alive
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii (decoded from Data Raw, 178 bytes):
    <html>
    <head><title>404 Not Found</title></head>
    <body bgcolor="white">
    <center><h1>404 Not Found</h1></center>
    <hr><center>nginx/1.10.3 (Ubuntu)</center>
    </body>
    </html>
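The HTTP exchange above is the part of the report that turns into indicators: the request line and Host header give the full URL, the percent-encoded path decodes to the `||wget` tail that the sample URL carries, and the response's Content-Length can be checked against the decoded body to confirm the capture is complete and the server banner in the body is trustworthy. The following is an added example, not part of the report or of Joe Sandbox; its sample request and response are constructed by copying the table above (the Server header value is reproduced exactly as the report prints it, with the empty parenthesis).

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import unquote

# Constructed from the HTTP Packets table: the request headers as printed.
SAMPLE_REQUEST = (
    "GET /xms%7C%7Cwget HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: identity\r\n"
    "Host: bash.givemexyz.in\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Response headers as printed, followed by the body from the "Data Raw" column.
SAMPLE_RESPONSE_HEAD = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx/1.10.3 ()\r\n"
    "Date: Fri, 06 Nov 2020 18:44:21 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 178\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)
SAMPLE_BODY_HEX = (
    "3c 68 74 6d 6c 3e 0d 0a "                                                 # <html>\r\n
    "3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e "                                  # <head><title>
    "34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 "                                  # 404 Not Found
    "3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a "                      # </title></head>\r\n
    "3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a "  # <body bgcolor="white">\r\n
    "3c 63 65 6e 74 65 72 3e 3c 68 31 3e "                                     # <center><h1>
    "34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 "                                  # 404 Not Found
    "3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a "                         # </h1></center>\r\n
    "3c 68 72 3e 3c 63 65 6e 74 65 72 3e "                                     # <hr><center>
    "6e 67 69 6e 78 2f 31 2e 31 30 2e 33 20 28 55 62 75 6e 74 75 29 "          # nginx/1.10.3 (Ubuntu)
    "3c 2f 63 65 6e 74 65 72 3e 0d 0a "                                        # </center>\r\n
    "3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a"                    # </body>\r\n</html>\r\n
)


@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, str]  # header names lower-cased
    body: bytes


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a space-separated hex column (as the report prints it) back into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_http(raw: bytes) -> HttpMessage:
    """Split one HTTP/1.x request or response into start line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in message")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpMessage(lines[0], headers, body)


def response_status(msg: HttpMessage) -> int:
    return int(msg.start_line.split()[1])


def content_length_ok(msg: HttpMessage) -> bool:
    """True when the declared Content-Length matches the captured body."""
    declared = msg.headers.get("content-length")
    return declared is not None and int(declared) == len(msg.body)


BANNER_RE = re.compile(rb"<hr><center>(.*?)</center>")


def body_banner(msg: HttpMessage) -> Optional[str]:
    """Server banner from the nginx-style error page, if present."""
    m = BANNER_RE.search(msg.body)
    return m.group(1).decode("iso-8859-1") if m else None


def extract_iocs(req: HttpMessage, resp: HttpMessage) -> Dict[str, object]:
    method, path, _ = req.start_line.split(" ", 2)
    host = req.headers.get("host", "")
    return {
        "method": method,
        "url": f"http://{host}{path}",
        "decoded_path": unquote(path),
        "user_agent": req.headers.get("user-agent"),
        "status": response_status(resp),
        "server_header": resp.headers.get("server"),
        "server_banner": body_banner(resp),
        "length_matches": content_length_ok(resp),
    }


SAMPLE_RESPONSE = SAMPLE_RESPONSE_HEAD.encode("ascii") + hexdump_to_bytes(SAMPLE_BODY_HEX)

if __name__ == "__main__":
    iocs = extract_iocs(parse_http(SAMPLE_REQUEST.encode("ascii")), parse_http(SAMPLE_RESPONSE))
    for k, v in iocs.items():
        print(f"{k}: {v}")
```

The decoded body is exactly 178 bytes, matching the Content-Length header, so the capture holds the whole response and the `nginx/1.10.3 (Ubuntu)` banner in the body can be recorded alongside the Server header.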

Code Manipulations

Statistics

Behavior

• cmd.exe • conhost.exe • wget.exe


System Behavior

Analysis Process: cmd.exe PID: 6480 Parent PID: 3804

General

Start time: 19:43:57
Start date: 06/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://bash.givemexyz.in/xms%7C%7Cwget' > cmdline.out 2>&1
Imagebase: 0x870000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

The command line names C:\Windows\system32\cmd.exe while the executed path is C:\Windows\SysWOW64\cmd.exe: the process is 32-bit, so WoW64 file system redirection maps system32 to SysWOW64.

File Activities

File Created

Source File Path: C:\Users\user\Desktop\cmdline.out
Access: read attributes | synchronize | generic write
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait 1
Count: 1
Address: 87D194
Symbol: CreateFileW

Analysis Process: conhost.exe PID: 6492 Parent PID: 6480

General

Start time: 19:43:58
Start date: 06/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: wget.exe PID: 6528 Parent PID: 6480

General

Start time: 19:43:59
Start date: 06/11/2020
Path: C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit): true
Commandline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://bash.givemexyz.in/xms%7C%7Cwget'
Imagebase: 0x400000
File size: 3895184 bytes
MD5 hash: 3DADB6E2ECE9C4B3E1E322E617658B60
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

File Activities

File Created: no entries
File Written: no entries
File Read: no entries
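The process tree recorded under Startup and System Behavior is the sandbox's own download step from the urldownload.jbs cookbook, not behaviour of the sample. Its shape is still instructive for detection engineering: cmd.exe spawning a command-line downloader with certificate validation switched off, a browser User-Agent, a cleartext URL, and a URL path carrying a percent-encoded `||`, which is what one would expect if a `... || wget ...` shell fallback was pasted into the URL field. Outside a sandbox, that combination on a workstation is worth an alert. The rule below is an added example, not part of the report or of Joe Sandbox; the event records are constructed from the three processes above plus one control case (pid 7000, example.test) that is not from the report, and the field names and the curl/wget flag lists are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


# Minimal process-creation event. Field names are this example's own choice,
# not a Joe Sandbox or Sysmon schema.
@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko"

# Constructed sample: the three processes from this report, plus a control
# case (pid 7000, not from the report) that should raise nothing.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(6480, 3804, r"C:\Windows\SysWOW64\cmd.exe",
              rf"C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' "
              rf"--no-check-certificate --content-disposition --user-agent='{UA}' "
              rf"'http://bash.givemexyz.in/xms%7C%7Cwget' > cmdline.out 2>&1"),
    ProcEvent(6492, 6480, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6528, 6480, r"C:\Windows\SysWOW64\wget.exe",
              rf"wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate "
              rf"--content-disposition --user-agent='{UA}' 'http://bash.givemexyz.in/xms%7C%7Cwget'"),
    ProcEvent(7000, 3804, r"C:\Tools\wget.exe", r"wget -q 'https://example.test/file.txt'"),
]

# A token is a run of non-space text in which quoted spans are kept whole,
# so --user-agent='Mozilla/5.0 (...) like Gecko' stays one token.
TOKEN_RE = re.compile(r"""(?:[^\s'"]+|'[^']*'|"[^"]*")+""")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Flags that disable certificate checking, per tool (wget's -k is unrelated).
INSECURE_FLAGS = {"wget.exe": {"--no-check-certificate"}, "curl.exe": {"-k", "--insecure"}}
UA_FLAGS = {"-U", "-A", "--user-agent"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> List[str]:
    return [t.replace("'", "").replace('"', "") for t in TOKEN_RE.findall(cmdline)]


def user_agent(toks: List[str]) -> Optional[str]:
    for i, t in enumerate(toks):
        if t.startswith("--user-agent="):
            return t.split("=", 1)[1]
        if t in UA_FLAGS and i + 1 < len(toks):
            return toks[i + 1]
    return None


def downloader_findings(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[List[str]]:
    """Findings for a downloader process; None when ev is not a downloader."""
    tool = basename(ev.image)
    if tool not in INSECURE_FLAGS:
        return None
    toks = tokens(ev.cmdline)
    findings: List[str] = []
    if parent is not None and basename(parent.image) in SHELLS:
        findings.append(f"spawned by {basename(parent.image)} (pid {parent.pid})")
    if INSECURE_FLAGS[tool] & set(toks):
        findings.append("certificate validation disabled")
    ua = user_agent(toks)
    if ua and ua.startswith("Mozilla/"):
        findings.append("browser User-Agent on a command-line downloader")
    urls = [t for t in toks if t.startswith(("http://", "https://"))]
    if any(u.startswith("http://") for u in urls):
        findings.append("cleartext http:// download")
    if any("%7c%7c" in u.lower() or "||" in u for u in urls):
        findings.append("shell operator '||' embedded in the URL")
    return findings


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each downloader pid to its findings (empty list means nothing suspicious)."""
    by_pid = {e.pid: e for e in events}
    out: Dict[int, List[str]] = {}
    for e in events:
        f = downloader_findings(e, by_pid.get(e.ppid))
        if f is not None:
            out[e.pid] = f
    return out


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, findings or ["no findings"])
```

Run against the report's three processes, only wget.exe (pid 6528) is scored, with all five findings; cmd.exe and conhost.exe are not downloaders and the https control case produces an empty list. In production the parent lookup would come from the EDR's parent-process field rather than from a pid map built over the batch.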

Disassembly

Code Analysis
