Automated Malware Analysis Report for Runtimes Getdataback for NTFS
Analysis Report: Runtimes GetDataBack for NTFS 2.04.exe

ID: 87595
Sample Name: Runtimes GetDataBack for NTFS 2.04.exe
Cookbook: default.jbs
Time: 21:08:09
Date: 01/11/2018
Version: 24.0.0 Fire Opal

Copyright Joe Security LLC 2018

Overview

General Information
Joe Sandbox Version: 24.0.0 Fire Opal
Analysis ID: 87595
Start date: 01.11.2018
Start time: 21:08:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 13s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Runtimes GetDataBack for NTFS 2.04.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.winEXE@2/3@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Found application associated with file extension: .exe
Warnings: Exclude process from analysis (whitelisted): dllhost.exe; Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: Runtimes GetDataBack for NTFS 2.04.exe, adh78136137137.exe

Detection
Strategy: Threshold
Score: 56
Range: 0 - 100

Confidence
Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification
[Classification radar chart; axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious / suspicious / clean]

Mitre Att&ck Matrix
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control |
|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Remote Management | Startup Items 2 | Startup Items 2 | Software Packing 1 | Credential Dumping | Security Software Discovery 1 | Application Deployment Software | Data from Local System | Data Compressed | Data Obfuscation |
| Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Disabling Security Tools 1 | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels |
| Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Obfuscated Files or Information 2 | Input Capture | Query Registry | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol |

Signature Overview
• AV Detection
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Anti Debugging
• Language, Device and Operating System Detection

AV Detection:
• Antivirus detection for dropped file
• Antivirus detection for submitted file
• Antivirus detection for unpacked file

System Summary:
• Abnormal high CPU Usage
• PE file contains strange resources
• Sample file is different than original file name gathered from version info
• Sample reads its own file content
• PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
• Classification label
• Creates files inside the user directory
• PE file has an executable .text section and no other executable section
• Parts of this application are using the .NET runtime (Probably coded in C#)
• Reads software policies
• Spawns processes
• Uses Microsoft Silverlight
• PE file contains a COM descriptor data directory
• Submission file is bigger than most known malware samples
• Uses new MSVCR Dlls
• Contains modern PE file flags such as dynamic base (ASLR) or NX

Data Obfuscation:
• Binary may include packed or encrypted code

Persistence and Installation Behavior:
• Drops PE files

Boot Survival:
• Creates a start menu entry (Start Menu\Programs\Startup)
• Stores files to the Windows start menu directory

Hooking and other Techniques for Hiding and Protection:
• Disables application error messages (SetErrorMode)

Anti Debugging:
• Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
• Enables debug privileges
• Creates guard pages, often used to prevent reverse engineering and debugging

Language, Device and Operating System Detection:
• Queries the cryptographic machine GUID

Behavior Graph
[Process behavior graph; ID: 87595; Sample: Runtimes GetDataBack for NTFS 2.04.exe; Startdate: 01/11/2018; Architecture: WINDOWS; Score: 56. Runtimes GetDataBack for NTFS 2.04.exe started adh78136137137.exe and dropped C:\Users\user\AppData\...\adh78136137137.exe (PE32). Signatures shown: Antivirus detection for submitted file; Antivirus detection for dropped file.]

Simulations

Behavior and APIs
| Time | Type | Description |
|---|---|---|
| 21:08:42 | API Interceptor | 1x Sleep call for process: Runtimes GetDataBack for NTFS 2.04.exe modified |
| 21:08:48 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adh78136137137.url |
| 21:09:20 | API Interceptor | 1x Sleep call for process: adh78136137137.exe modified |

Antivirus Detection

Initial Sample
| Source | Detection | Scanner | Label |
|---|---|---|---|
| Runtimes GetDataBack for NTFS 2.04.exe | 100% | Avira | TR/Dropper.Gen |

Dropped Files
| Source | Detection | Scanner | Label |
|---|---|---|---|
| C:\Users\user\AppData\Roaming\adh78136137137\adh78136137137.exe | 100% | Avira | TR/Dropper.Gen |

Unpacked PE Files
| Source | Detection | Scanner | Label |
|---|---|---|---|
| 1.0.Runtimes GetDataBack for NTFS 2.04.exe.1010000.0.unpack | 100% | Avira | HEUR/AGEN.1026827 |
| 2.0.adh78136137137.exe.d30000.0.unpack | 100% | Avira | HEUR/AGEN.1026827 |
| 1.1.Runtimes GetDataBack for NTFS 2.04.exe.1010000.0.unpack | 100% | Avira | HEUR/AGEN.1002344 |
| 2.1.adh78136137137.exe.d30000.0.unpack | 100% | Avira | HEUR/AGEN.1002344 |

Domains: No Antivirus matches
URLs: No Antivirus matches

Yara Overview
Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
Dropped Files: No context

Screenshots

Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup
System is w7
• Runtimes GetDataBack for NTFS 2.04.exe (PID: 2688, cmdline: 'C:\Users\user\Desktop\Runtimes GetDataBack for NTFS 2.04.exe', MD5: 0D8CE185127F8BD79559D35F25AD8B90)
• adh78136137137.exe (PID: 2848, cmdline: 'C:\Users\user\AppData\Roaming\adh78136137137\adh78136137137.exe', MD5: 0D8CE185127F8BD79559D35F25AD8B90)
• cleanup

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adh78136137137.url
Process: C:\Users\user\AppData\Roaming\adh78136137137\adh78136137137.exe
File Type: MS Windows 95 Internet shortcut text (URL=<file:///C:\Users\user\AppData\Roaming\adh78136137137\adh78136137137.exe>), ASCII text, with CRLF line terminators
Size (bytes): 104
Entropy (8bit): 5.067865622187612
Encrypted: false
MD5: 6F6DF56E6B5A25053B4C7869F65CD8A1
SHA1: A295E89AFF3D84D8EE917BFAAA6BA4E351070B6B
SHA-256: BEFD97BF20D13E2EE1FDA193C5EFF37AF32F4F093FDECCD030EF7430B7336DAE
SHA-512: 94A8A4E0E48AA6935A504C36FDC8D0F98FED4CF32A5CCF581DABA1F5E7C68C9CC9891518296B7022428F49D463B45F0AF2490C492BCD393348D9E1672D56FBC1
Malicious: false
Reputation: