
ID: 205432
Sample Name: shellcode.exe
Cookbook: default.jbs
Time: 00:40:30
Date: 04/02/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents (page 2)
Analysis Report shellcode.exe (page 3)
  Overview (page 3)
    General Information (page 3)
    Detection (page 3)
    Confidence (page 3)
    Classification (page 4)
    Analysis Advice (page 4)
    Mitre Att&ck Matrix (page 5)
    Signature Overview (page 5)
      AV Detection (page 5)
      System Summary (page 5)
      Data Obfuscation (page 5)
    Configuration (page 5)
    Behavior Graph (page 5)
    Simulations (page 6)
      Behavior and APIs (page 6)
    Antivirus, Machine Learning and Genetic Malware Detection (page 6)
      Initial Sample (page 6)
      Dropped Files (page 6)
      Unpacked PE Files (page 6)
      Domains (page 6)
      URLs (page 6)
    Yara Overview (page 7)
      Initial Sample (page 7)
      PCAP (Network Traffic) (page 7)
      Dropped Files (page 7)
      Memory Dumps (page 7)
      Unpacked PEs (page 7)
    Sigma Overview (page 7)
    Joe Sandbox View / Context (page 7)
      IPs (page 7)
      Domains (page 7)
      ASN (page 7)
      JA3 Fingerprints (page 7)
      Dropped Files (page 7)
    Created / dropped Files (page 8)
    Domains and IPs (page 8)
      Contacted Domains (page 8)
      Contacted IPs (page 8)
    Static File Info (page 8)
      General (page 8)
      File Icon (page 8)
    Static PE Info (page 8)
      General (page 8)
      Entrypoint Preview (page 9)
      Data Directories (page 10)
      Sections (page 10)
      Imports (page 11)
    Network Behavior (page 11)
    Code Manipulations (page 11)
    Statistics (page 11)
    System Behavior (page 11)
    Disassembly (page 11)

Copyright Joe Security LLC 2020 Page 2 of 11

Analysis Report shellcode.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 205432
Start date: 04.02.2020
Start time: 00:40:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: shellcode.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.winEXE@0/0@0/0
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Found application associated with file extension: .exe
  Unable to launch sample, stop analysis
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe
Errors:
  Nothing to analyse, Joe Sandbox has not found any analysis process or sample
  Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

Strategy: Threshold
Score: 52
Range: 0 - 100
Whitelisted: false

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification

[Classification chart: categories Ransomware, Miner, Spreading, Evader, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale clean / suspicious / malicious]

Analysis Advice

Sample is corrupt or needs to be run on a newer Windows version

Mitre Att&ck Matrix

No Mitre Att&ck techniques found

Signature Overview

• AV Detection
• System Summary
• Data Obfuscation

AV Detection:

Multi AV Scanner detection for submitted file

System Summary:

PE file has nameless sections

Yara signature match

Classification label

Sample is known by Antivirus

PE file has a high image base, often used for DLLs

Contains modern PE file flags such as dynamic base (ASLR) or NX

Data Obfuscation:

PE file contains sections with non-standard names

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph: ID 205432; Sample: shellcode.exe; Startdate: 04/02/2020; Architecture: WINDOWS; Score: 52; Is malicious. Signature nodes: "Multi AV Scanner detection for submitted file", "PE file has nameless sections". Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Internet]

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: shellcode.exe
Detection: 13%
Scanner: Virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

Source: shellcode.exe
Rule: SUSP_XORed_Mozilla
Description: Detects suspicious XORed keyword - Mozilla/5.0
Author: Florian Roth
Strings: 0x3a676:$xo1: cATGBBO\x01\x1B\x1E

Source: shellcode.exe
Rule: SUSP_XORed_Mozilla
Description: Detects suspicious XORed keyword - Mozilla/5.0
Author: Florian Roth
Strings: 0x276:$xo1: cATGBBO\x01\x1B\x1E

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General
File type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit): 6.429574856787312
TrID:
  Win64 Dynamic Link Library (generic) (102004/3) 87.93%
  Win64 Executable (generic) (12005/4) 10.35%
  DOS Executable Generic (2002/1) 1.73%
File name: shellcode.exe
File size: 260608
MD5: e6fc3f3b116128018095323b00962a55
SHA1: 70d222c07e4749bd0adbb6511bbc9c3ff1f9cbc1
SHA256: a54ea71f8f161b7c4c8599da60645b814a911193b6cc1f7f761fd8daee240906
SHA512: fc0e2b712ee5c9b1dec71bb9f87d74bc8a449f38e8b0ff44290fef83675ec3f18f2c8864ec3a9540452e06f32f6c5665196d7cb31aeda67da8eebdf3307f5968
SSDEEP: 3072:DJwpS2NACV4qAbypuljJGnJYoTjqETdtbsnOfFwXVa/o7w494YJGga1TmHnaH:DJwpYVNcn3pTdNe+WXVioz4RCH
File Content Preview: MZARUH..H.. ...H...... H..H...c....A....Vh....ZH...... | ._a.dmp.K..c.y..0\.A.~...... )..X%...NN.\h...... hN..%....]g...,. 2Z...... D..?0...y.L.%~".@S..]c.d.:.lb....."P>...\.....,.._(....n. w...... (...1U..dm...... v./..;..-3.P.]...... nM...... ].PE..d..

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General
Entrypoint: 0x18001bad4
Entrypoint Section:
Digitally signed: false
Imagebase: 0x180000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE, RELOCS_STRIPPED
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x4F898936 [Sat Apr 14 14:27:02 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: e26673d9406c9578735b762e3908442f

Entrypoint Preview

Note: the preview decodes the bytes as 32-bit code; in this PE32+ image the stand-alone dec eax / dec ecx / dec esp / inc ecx entries (bytes 48h, 49h, 4Ch, 41h) are REX prefixes belonging to the following 64-bit instruction, not real instructions.

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007FAA186DBB97h
call 00007FAA186E2864h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007FAA186DBB98h
int3
int3
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+20h], ebx
dec esp
mov dword ptr [eax+18h], eax
mov dword ptr [eax+10h], edx
dec eax
mov dword ptr [eax+08h], ecx
push esi
push edi
inc ecx
push esi
dec eax
sub esp, 50h
dec ecx
mov esi, eax
mov ebx, edx
dec esp
mov esi, ecx
mov edx, 00000001h
mov dword ptr [eax-48h], edx
test ebx, ebx
jne 00007FAA186DBBA1h
cmp dword ptr [00027238h], ebx
jne 00007FAA186DBB99h
xor eax, eax
jmp 00007FAA186DBC67h
lea eax, dword ptr [ebx-01h]
cmp eax, 01h
jnbe 00007FAA186DBBCAh
dec eax
mov eax, dword ptr [00011F08h]
dec eax
test eax, eax
je 00007FAA186DBB9Ch
mov edx, ebx
call eax
mov edx, eax
mov dword ptr [esp+20h], eax
test edx, edx
je 00007FAA186DBBA9h
dec esp
mov eax, esi
mov edx, ebx
dec ecx
mov ecx, esi
call 00007FAA186DB989h
mov edx, eax
mov dword ptr [esp+20h], eax
test eax, eax
jne 00007FAA186DBB99h
xor eax, eax
jmp 00007FAA186DBC27h
dec esp
mov eax, esi
mov edx, ebx
dec ecx
mov ecx, esi
call 00007FAA186E6F4Bh

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x3bbe0          0x52
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3a6bc          0x64
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x49000          0x1fe0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x4b000          0x604
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x38b50          0x70
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2c000          0x698
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(nameless) | 0x1000 | 0x2a1e0 | 0x2a200 | False | 0.536947097552 | data | 6.41105116133 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
(nameless) | 0x2c000 | 0xfc32 | 0xfe00 | False | 0.483821358268 | data | 5.89813333505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(nameless) | 0x3c000 | 0xc568 | 0x2600 | False | 0.313733552632 | data | 4.11855071654 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless) | 0x49000 | 0x1fe0 | 0x2000 | False | 0.497314453125 | data | 5.44596689976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(nameless) | 0x4b000 | 0xf54 | 0x1000 | False | 0.25634765625 | data | 2.84761281826 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL Import

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly
