Automated Malware Analysis Report for 928374982730947.Cmd

ID: 70283 Sample Name: 928374982730947.cmd Cookbook: default.jbs Time: 13:28:23 Date: 31/07/2018 Version: 23.0.0 Table of Contents

Table of Contents 2 Analysis Report 4 Overview 4 General Information 4 Detection 4 Confidence 4 Classification 5 Signature Overview 5 AV Detection: 6 Networking: 6 System Summary: 6 Hooking and other Techniques for Hiding and Protection: 6 Malware Analysis System Evasion: 6 Behavior Graph 6 Simulations 7 Behavior and APIs 7 Antivirus Detection 7 Initial Sample 7 Dropped Files 7 Unpacked PE Files 7 Domains 7 URLs 8 Yara Overview 8 Initial Sample 8 PCAP (Network Traffic) 8 Dropped Files 8 Memory Dumps 8 Unpacked PEs 8 Joe Sandbox View / Context 8 IPs 8 Domains 8 ASN 8 Dropped Files 8 Screenshots 8 Startup 9 Created / dropped Files 9 Contacted Domains/Contacted IPs 10 Contacted Domains 10 Contacted IPs 10 Public 10 Private 10 Static File Info 10 General 10 File Icon 11 Network Behavior 11 Code Manipulations 11 Statistics 11 Behavior 11 System Behavior 11 Analysis Process: cmd.exe PID: 3944 Parent PID: 3512 11 General 11

Copyright Joe Security LLC 2018 Page 2 of 13 File Activities 12 File Created 12 File Read 12 Analysis Process: PING.EXE PID: 3984 Parent PID: 3944 12 General 12 File Activities 12 Analysis Process: wscript.exe PID: 4008 Parent PID: 3944 12 General 12 File Activities 13 Registry Activities 13 Key Created 13 Disassembly 13 Code Analysis 13

Overview

General Information

Joe Sandbox Version: 23.0.0 Analysis ID: 70283 Start time: 13:28:23 Joe Sandbox Product: CloudBasic Start date: 31.07.2018 Overall analysis duration: 0h 1m 44s Hypervisor based Inspection enabled: false Report type: light Sample file name: 928374982730947.cmd Cookbook file name: default.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies HCA enabled EGA enabled HDC enabled Analysis stop reason: Timeout Detection: MAL Classification: mal56.troj.evad.winCMD@5/1@0/1 EGA Information: Failed HDC Information: Failed HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 Cookbook Comments: Adjust boot time Correcting counters for adjusted boot time Found application associated with file extension: .cmd Stop behavior analysis, all processes terminated Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy Score Range Reporting Detection

Threshold 56 0 - 100 Report FP / FN

Confidence

Threshold 5 0 - 5 false

Classification

Ransomware

Miner Spreading

mmaallliiiccciiioouusss

malicious

Evader Phishing

sssuusssppiiiccciiioouusss

suspicious

cccllleeaann

clean

Exploiter Banker

Spyware Trojan / Bot

Adware

Signature Overview

Copyright Joe Security LLC 2018 Page 5 of 13 • AV Detection • Networking • System Summary • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for submitted file

Networking:

Uses ping.exe to check the status of other devices and networks

Urls found in memory or binary data

System Summary:

Classification label

Creates files inside the user directory

Executes visual basic scripts

Found command line output

Reads software policies

Sample is known by Antivirus

Spawns processes

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Malware Analysis System Evasion:

Uses ping.exe to sleep

Found WSH timer for Javascript or VBS script (likely evasive script)

Behavior Graph

Copyright Joe Security LLC 2018 Page 6 of 13 Hide Legend Behavior Graph Legend: ID: 70283 Process Sample: 928374982730947.cmd Signature Startdate: 31/07/2018 Architecture: WINDOWS Created File Score: 56 DNS/IP Info Is Dropped

Is Windows Process

Uses ping.exe to check Multi AV Scanner detection Uses ping.exe to sleep the status of other started Number of created Registry Values for submitted file devices and networks Number of created Files

Visual Basic

Delphi cmd.exe Java

.Net C# or VB.NET

2 C, C++ or other language

Is malicious

Uses ping.exe to sleep started started

PING.EXE wscript.exe

127.0.0.1

unknown unknown

Simulations

Behavior and APIs

Time Type Description 13:28:30 API Interceptor 1x Sleep call for process: wscript.exe modified

Antivirus Detection

Initial Sample

Source Detection Scanner Label Link 928374982730947.cmd 23% virustotal Browse 928374982730947.cmd 0% metadefender Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

System is w7 cmd.exe (PID: 3944 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\928374982730947.cmd' ' MD5: AD7B9C14083B52BC532FBA5948342B98) PING.EXE (PID: 3984 cmdline: ping 127.0.0.1 -n 1 MD5: 6242E3D67787CCBF4E06AD2982853144) wscript.exe (PID: 4008 cmdline: wscript //Nologo C:\Users\user\Temp\user.vbs MD5: 979D74799EA6C8B8167869A68DF5204A) cleanup

Created / dropped Files

\Device\Null Process: C:\Windows\System32\PING.EXE File Type: ASCII text, with CRLF line terminators Size (bytes): 282 Entropy (8bit): 4.885120575367097 Encrypted: false MD5: 3D76B6100402FB39286186736F21B2CF SHA1: 3267DA48E71623AB8E342C06F4733FFD2FF5BEAD SHA-256: 0455D41F72FC7E9C08BF80270E75B86BF879E10DB2407926A10E43F3BDD1233E SHA-512: 33F800C96C7701D4983C9CDAD0F85C2D84EF4FBBB39D8F0B850586593101E9249097AAA5735CE9583A38C71A250 0B9D875C2CFE2398BDD64218810FB18F3D949 Malicious: false Reputation: moderate, very likely benign file

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25% 25% < No. of IPs < 50%

50% < No. of IPs < 75% 75% < No. of IPs

Public

IP Country Flag ASN ASN Name Malicious

Private

IP 127.0.0.1

Static File Info

General

File type: DOS batch file, ASCII text, with very long lines, with CRLF line terminators Entropy (8bit): 4.402118298331553 TrID: Visual Basic Script (6000/0) 100.00% File name: 928374982730947.cmd File size: 84974 MD5: 5a9f8669fa3b27c26ab298c9213931c6 SHA1: b9f54c25314e16096b3c332f0c65ae4d348d64c0 SHA256: dce92dfc27f21b03951df1ddee498fdcbf1b7b5d7f2a0c33 b8ee3fd10325aa75 SHA512: 83a6fe98398959019d3be7fcd1fe0b41c77cbaeeca58787 840b4d1b5a3068f7917363646ca9cc2d9a1eb06c3ee8a6 9bfa9bdb16d8219e0e9e85db494dd664c49

File Content Preview: @echo off..SETLOCAL..md "%USERPROFILE%\Temp" && cls..set BMASNAKDNKFASDCYCYCYCYYCYCYC YCYC=%USERNAME%.vbs..set BANNASJAKSKNKNB ANNASKALJSNLKNCIIIICICCCIICIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIAHSHSHSIHIHSISHISHSHIISHIHSIH SIHSIHSASDJ

File Icon

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• cmd.exe • PING.EXE • wscript.exe

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 3944 Parent PID: 3512

General

Start time: 13:28:28 Start date: 31/07/2018 Path: C:\Windows\System32\cmd.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\928374982730947.cmd' ' Imagebase: 0x4a5d0000

Copyright Joe Security LLC 2018 Page 11 of 13 File size: 302592 bytes MD5 hash: AD7B9C14083B52BC532FBA5948342B98 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

File Created

Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\Temp read data or list normal directory file | success or wait 1 4A5DF8A4 CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\Sam read attributes | normal synchronous io success or wait 1 4A5DD8F1 CreateFileW synchronize | non alert | non generic write directory file

File Read

Source File Path Offset Length Completion Count Address Symbol C:\Users\user\Desktop\928374982730947.cmd unknown 8191 success or wait 7 4A5D4DE3 ReadFile C:\Users\user\Desktop\928374982730947.cmd unknown 512 success or wait 1 4A5D4DE3 ReadFile C:\Users\user\Desktop\928374982730947.cmd unknown 8191 success or wait 202 4A5D4DE3 ReadFile C:\Users\user\Desktop\928374982730947.cmd unknown 512 success or wait 210 4A5D4DE3 ReadFile C:\Users\user\Desktop\928374982730947.cmd unknown 512 end of file 1 4A5D4DE3 ReadFile C:\Users\user\Desktop\928374982730947.cmd unknown 8191 end of file 1 4A5D4DE3 ReadFile

Analysis Process: PING.EXE PID: 3984 Parent PID: 3944

General

Start time: 13:28:29 Start date: 31/07/2018 Path: C:\Windows\System32\PING.EXE Wow64 process (32bit): false Commandline: ping 127.0.0.1 -n 1 Imagebase: 0xe10000 File size: 15360 bytes MD5 hash: 6242E3D67787CCBF4E06AD2982853144 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

File Activities

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Analysis Process: wscript.exe PID: 4008 Parent PID: 3944

General

Start time: 13:28:30 Start date: 31/07/2018 Path: C:\Windows\System32\wscript.exe Wow64 process (32bit): false Commandline: wscript //Nologo C:\Users\user\Temp\user.vbs Copyright Joe Security LLC 2018 Page 12 of 13 Imagebase: 0x590000 File size: 141824 bytes MD5 hash: 979D74799EA6C8B8167869A68DF5204A Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Key Created

Source Key Path Completion Count Address Symbol HKEY_USERS\Software\Microsoft\Windows script Host success or wait 1 594109 RegCreateKeyExW HKEY_USERS\Software\Microsoft\Windows script Host\Settings success or wait 1 594109 RegCreateKeyExW

Disassembly

Code Analysis