Automated Malware Analysis Report for WinCDEmu-4.1.exe
ID: 130798
Sample Name: WinCDEmu-4.1.exe
Cookbook: default.jbs
Time: 23:16:32
Date: 10/05/2019
Version: 26.0.0 Aquamarine

Table of Contents

Table of Contents 2
Analysis Report WinCDEmu-4.1.exe 5
  Overview 5
    General Information 5
    Detection 5
    Confidence 6
    Classification 6
    Analysis Advice 7
  Mitre Att&ck Matrix 7
  Signature Overview 8
    AV Detection: 8
    Spreading: 8
    Networking: 8
    Key, Mouse, Clipboard, Microphone and Screen Capturing: 8
    E-Banking Fraud: 9
    System Summary: 9
    Data Obfuscation: 9
    Persistence and Installation Behavior: 9
    Boot Survival: 10
    Hooking and other Techniques for Hiding and Protection: 10
    Malware Analysis System Evasion: 10
    Anti Debugging: 10
    HIPS / PFW / Operating System Protection Evasion: 10
    Language, Device and Operating System Detection: 10
    Lowering of HIPS / PFW / Operating System Security Settings: 10
  Behavior Graph 11
  Simulations 11
    Behavior and APIs 11
  Antivirus and Machine Learning Detection 11
    Initial Sample 11
    Dropped Files 11
    Unpacked PE Files 12
    Domains 12
    URLs 12
  Yara Overview 12
    Initial Sample 12
    PCAP (Network Traffic) 12
    Dropped Files 12
    Memory Dumps 12
    Unpacked PEs 12
  Joe Sandbox View / Context 13
    IPs 13
    Domains 13
    ASN 13
    JA3 Fingerprints 13
    Dropped Files 13
  Screenshots 13
    Thumbnails 13
  Startup 14
  Created / dropped Files 15
  Domains and IPs 36
    Contacted Domains 36
    URLs from Memory and Binaries 36
    Contacted IPs 37
      Public 38
  Static File Info 38
    General 38
    File Icon 38
  Static PE Info 39
Copyright Joe Security LLC 2019 Page 2 of 93
    General 39
    Authenticode Signature 39
    Entrypoint Preview 39
    Rich Headers 41
    Data Directories 41
    Sections 41
    Resources 41
    Imports 42
    Version Infos 42
    Possible Origin 42
  Network Behavior 42
  Code Manipulations 42
  Statistics 43
    Behavior 43
  System Behavior 43
    Analysis Process: WinCDEmu-4.1.exe PID: 2284 Parent PID: 3704 43
      General 43
      File Activities 43
        File Created 43
        File Deleted 48
        File Written 48
        File Read 81
      Registry Activities 82
        Key Created 82
        Key Value Created 83
        Key Value Modified 83
    Analysis Process: uninstall64.exe PID: 3692 Parent PID: 2284 84
      General 85
      File Activities 85
      Registry Activities 85
        Key Created 85
    Analysis Process: VirtualAutorunDisabler.exe PID: 3456 Parent PID: 3692 85
      General 85
      File Activities 85
      Registry Activities 85
        Key Created 85
        Key Value Created 86
        Key Value Modified 86
    Analysis Process: regsvr32.exe PID: 2560 Parent PID: 3692 87
      General 87
      File Activities 87
        File Read 87
    Analysis Process: regsvr32.exe PID: 2944 Parent PID: 3692 87
      General 87
      File Activities 87
        File Read 87
    Analysis Process: regsvr32.exe PID: 1032 Parent PID: 2560 88
      General 88
      Registry Activities 88
    Analysis Process: VirtualAutorunDisabler.exe PID: 4348 Parent PID: 3692 88
      General 88
      File Activities 88
      Registry Activities 88
        Key Created 88
        Key Value Modified 89
    Analysis Process: regsvr32.exe PID: 3104 Parent PID: 2944 89
      General 89
      File Activities 90
      Registry Activities 90
    Analysis Process: regsvr32.exe PID: 4852 Parent PID: 3692 90
      General 90
      Registry Activities 90
    Analysis Process: regsvr32.exe PID: 1144 Parent PID: 3692 90
      General 90
      File Activities 90
      Registry Activities 91
    Analysis Process: drvinst64.exe PID: 3340 Parent PID: 2284 91
      General 91
      File Activities 91
      Registry Activities 91
    Analysis Process: drvinst.exe PID: 4356 Parent PID: 724 91
      General 91
      File Activities 92
      Registry Activities 92
    Analysis Process: rundll32.exe PID: 3820 Parent PID: 4356 92
      General 92
    Analysis Process: drvinst.exe PID: 3160 Parent PID: 724 92
      General 92
    Analysis Process: vmnt64.exe PID: 3300 Parent PID: 2284 93
      General 93
    Analysis Process: WerFault.exe PID: 4864 Parent PID: 3300 93
      General 93
  Disassembly 93
    Code Analysis 93

Analysis Report WinCDEmu-4.1.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 130798
Start date: 10.05.2019
Start time: 23:16:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: WinCDEmu-4.1.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal52.evad.winEXE@28/83@0/1
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 99.5% (good quality ratio 81.5%)
Quality average: 63.8%
Quality standard deviation: 38.1%
HCA Information: Successful, ratio: 69%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, wermgr.exe
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold 52 0 - 100 false

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false

Classification

[Classification chart (graphic not recoverable from the extracted text). Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious / suspicious / clean.]

Analysis Advice

• Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
• Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
• Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

The numbers following a technique name are the report's counts of matching signatures for that technique; cells without a number were not observed.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Rundll32 1 | Startup Items 1 | Startup Items 1 | Software Packing 1 1 1 | Input Capture 1 | System Time Discovery 1 | Application Deployment Software | Input Capture 1 | Data Encrypted 1 | Standard Cryptographic Protocol 1
Replication Through Removable Media | Execution through API 1 | Registry Run Keys / Startup Folder 1 1 | Access Token Manipulation 1 | Disabling Security Tools 1 1 | Network Sniffing | Security Software Discovery 6 1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels
Drive-by Compromise | Command-Line Interface 1 | Modify Existing Service 1 | Process Injection 1 1 | Deobfuscate/Decode Files or Information 1 | Input Capture | File and Directory Discovery 2 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | New Service 2 | New Service 2 | Rundll32 1 | Credentials in Files | System Information Discovery 4 3 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | File Deletion 1 | Account Manipulation | Query Registry 1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 2 1 | Brute Force | Process Discovery 2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | Masquerading 4 1 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation 1 | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol
Trusted Relationship | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection 1 1 | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption
Hardware Additions | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | DLL Side-Loading 1 | Keychain | Process Discovery | Taint Shared Content | Audio Capture | | Connection Proxy

Signature Overview

• AV Detection
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and