Automated Malware Analysis Report for Ud-Win-X64.Exe
Total Pages: 16
File Type: pdf, Size: 1020Kb
ID: 197137
Sample Name: ud-win-x64.exe
Cookbook: default.jbs
Time: 21:35:52
Date: 18/12/2019
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report ud-win-x64.exe 5
  Overview 5
    General Information 5
    Detection 5
    Confidence 6
    Classification 6
    Analysis Advice 7
  Mitre Att&ck Matrix 7
  Signature Overview 8
    AV Detection: 8
    Spreading: 8
    Networking: 8
    System Summary: 8
    Data Obfuscation: 9
    Persistence and Installation Behavior: 9
    Hooking and other Techniques for Hiding and Protection: 9
    Malware Analysis System Evasion: 9
    Anti Debugging: 10
    HIPS / PFW / Operating System Protection Evasion: 10
    Language, Device and Operating System Detection: 10
  Malware Configuration 10
  Behavior Graph 10
  Simulations 11
    Behavior and APIs 11
  Antivirus, Machine Learning and Genetic Malware Detection 11
    Initial Sample 11
    Dropped Files 11
    Unpacked PE Files 11
    Domains 11
    URLs 12
  Yara Overview 12
    Initial Sample 12
    PCAP (Network Traffic) 12
    Dropped Files 12
    Memory Dumps 12
    Unpacked PEs 12
  Sigma Overview 12
  Joe Sandbox View / Context 12
    IPs 12
    Domains 12
    ASN 12
    JA3 Fingerprints 13
    Dropped Files 13
  Screenshots 13
    Thumbnails 13
  Startup 14
  Created / dropped Files 14
  Domains and IPs 17
    Contacted Domains 17
    URLs from Memory and Binaries 18
    Contacted IPs 18
  Static File Info 18
    General 18
    File Icon 19
    Static PE Info 19
      General 19
      Entrypoint Preview 19
      Data Directories 21
      Sections 21
      Resources 22
      Imports 22
      Version Infos 22
      Possible Origin 22
  Network Behavior 23
  Code Manipulations 23
  Statistics 23
    Behavior 23
  System Behavior 23
    Analysis Process: ud-win-x64.exe PID: 4816 Parent PID: 4268 23
      General 23
      File Activities 24
        File Created 24
        File Deleted 24
        File Written 24
        File Read 28
      Registry Activities 33
        Key Created 33
    Analysis Process: conhost.exe PID: 904 Parent PID: 4816 34
      General 34
    Analysis Process: cmd.exe PID: 5028 Parent PID: 4816 34
      General 34
      File Activities 34
    Analysis Process: WMIC.exe PID: 4232 Parent PID: 5028 34
      General 34
      File Activities 34
    Analysis Process: cmd.exe PID: 4272 Parent PID: 4816 35
      General 35
      File Activities 35
    Analysis Process: WMIC.exe PID: 4568 Parent PID: 4272 35
      General 35
      File Activities 35
    Analysis Process: cmd.exe PID: 4796 Parent PID: 4816 35
      General 35
      File Activities 36
    Analysis Process: WMIC.exe PID: 5040 Parent PID: 4796 36
      General 36
      File Activities 36
    Analysis Process: cmd.exe PID: 4668 Parent PID: 4816 36
      General 36
      File Activities 36
    Analysis Process: WMIC.exe PID: 3012 Parent PID: 4668 37
      General 37
      File Activities 37
    Analysis Process: cmd.exe PID: 2576 Parent PID: 4816 37
      General 37
      File Activities 37
    Analysis Process: WMIC.exe PID: 1816 Parent PID: 2576 37
      General 37
      File Activities 38
    Analysis Process: cmd.exe PID: 4424 Parent PID: 4816 38
      General 38
    Analysis Process: WMIC.exe PID: 1256 Parent PID: 4424 38
      General 38
    Analysis Process: cmd.exe PID: 4220 Parent PID: 4816 38
      General 38
    Analysis Process: WMIC.exe PID: 3020 Parent PID: 4220 39
      General 39
    Analysis Process: cmd.exe PID: 4552 Parent PID: 4816 39
      General 39
    Analysis Process: WMIC.exe PID: 3428 Parent PID: 4552 39
      General 39
    Analysis Process: cmd.exe PID: 4516 Parent PID: 4816 39
      General 39
    Analysis Process: powershell.exe PID: 3964 Parent PID: 4516 40
      General 40
    Analysis Process: powershell.exe PID: 4412 Parent PID: 4816 40
      General 40
  Disassembly 40
    Code Analysis 40

Copyright Joe Security LLC 2019 Page 2 of 40

Analysis Report ud-win-x64.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 197137
Start date: 18.12.2019
Start time: 21:35:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 6s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ud-win-x64.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.evad.winEXE@40/14@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 54.6% (good quality ratio 28.4%)
Quality average: 39.8%
Quality standard deviation: 43.1%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, TiWorker.exe, conhost.exe, CompatTelRunner.exe, TrustedInstaller.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy    Score   Range     Reporting   Whitelisted   Detection
Threshold   76      0 - 100               false

Confidence

Strategy    Score   Range   Further Analysis Required?
Threshold   5       0 - 5   false

Classification

[Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean]

Analysis Advice

• Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
• Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
• Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Mitre Att&ck Matrix

Techniques are listed per tactic column; the numbers following a technique name are the counts shown next to it in the report's matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Windows Management Instrumentation 4 1 1; Command-Line Interface 2; PowerShell 1; Execution through API 2; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Application Shimming 1; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Access Token Manipulation 1; Process Injection 1 2; Application Shimming 1; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Masquerading 1; Software Packing 1 1; Virtualization/Sandbox Evasion 3 5; Access Token Manipulation 1; Process Injection 1 2; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Indicator Blocking
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: System Time Discovery 2; Query Registry 1; Virtualization/Sandbox Evasion 3 5; Process Discovery 2; Application Window Discovery 1; Security Software Discovery 5 5 1; File and Directory Discovery 3; System Information Discovery 2 3 6
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Standard Cryptographic Protocol 1; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol

Signature Overview

• AV Detection
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

AV Detection:
Machine Learning detection for sample

Spreading:
Contains functionality to query local drives
Enumerates the file system

Networking:
Urls found in memory or binary data

System Summary:
Contains functionality to communicate with device drivers
Detected