ID: 70283
Sample Name: 928374982730947.cmd
Cookbook: default.jbs
Time: 13:28:23
Date: 31/07/2018
Version: 23.0.0

Table of Contents
Table of Contents (p. 2)
Analysis Report (p. 4)
Overview (p. 4)
General Information (p. 4)
Detection (p. 4)
Confidence (p. 4)
Classification (p. 5)
Signature Overview (p. 5)
AV Detection (p. 6)
Networking (p. 6)
System Summary (p. 6)
Hooking and other Techniques for Hiding and Protection (p. 6)
Malware Analysis System Evasion (p. 6)
Behavior Graph (p. 6)
Simulations (p. 7)
Behavior and APIs (p. 7)
Antivirus Detection (p. 7)
Initial Sample (p. 7)
Dropped Files (p. 7)
Unpacked PE Files (p. 7)
Domains (p. 7)
URLs (p. 8)
Yara Overview (p. 8)
Initial Sample (p. 8)
PCAP (Network Traffic) (p. 8)
Dropped Files (p. 8)
Memory Dumps (p. 8)
Unpacked PEs (p. 8)
Joe Sandbox View / Context (p. 8)
IPs (p. 8)
Domains (p. 8)
ASN (p. 8)
Dropped Files (p. 8)
Screenshots (p. 8)
Startup (p. 9)
Created / dropped Files (p. 9)
Contacted Domains/Contacted IPs (p. 10)
Contacted Domains (p. 10)
Contacted IPs (p. 10)
Public (p. 10)
Private (p. 10)
Static File Info (p. 10)
General (p. 10)
File Icon (p. 11)
Network Behavior (p. 11)
Code Manipulations (p. 11)
Statistics (p. 11)
Behavior (p. 11)
System Behavior (p. 11)
Analysis Process: cmd.exe PID: 3944 Parent PID: 3512 (p. 11)
General (p. 11)
File Activities (p. 12)
File Created (p. 12)
File Read (p. 12)
Analysis Process: PING.EXE PID: 3984 Parent PID: 3944 (p. 12)
General (p. 12)
File Activities (p. 12)
Analysis Process: wscript.exe PID: 4008 Parent PID: 3944 (p. 12)
General (p. 12)
File Activities (p. 13)
Registry Activities (p. 13)
Key Created (p. 13)
Disassembly (p. 13)
Code Analysis (p. 13)
Copyright Joe Security LLC 2018 Page 2 of 13
Analysis Report
Overview
General Information
Joe Sandbox Version: 23.0.0
Analysis ID: 70283
Start time: 13:28:23
Joe Sandbox Product: CloudBasic
Start date: 31.07.2018
Overall analysis duration: 0h 1m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 928374982730947.cmd
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.troj.evad.winCMD@5/1@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments:
- Adjust boot time
- Correcting counters for adjusted boot time
- Found application associated with file extension: .cmd
- Stop behavior analysis, all processes terminated
Warnings:
- Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
- Report size getting too big, too many NtSetInformationFile calls found.
Detection
Strategy: Threshold
Score: 56
Range: 0 - 100
Confidence
Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false
Classification
[Classification diagram: the sample is plotted on a malicious / suspicious / clean scale against the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware; only the labels survive extraction.]
Signature Overview
AV Detection:
Multi AV Scanner detection for submitted file
Networking:
Uses ping.exe to check the status of other devices and networks
Urls found in memory or binary data
System Summary:
Classification label
Creates files inside the user directory
Executes visual basic scripts
Found command line output
Reads software policies
Sample is known by Antivirus
Spawns processes
Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)
Malware Analysis System Evasion:
Uses ping.exe to sleep
Found WSH timer for Javascript or VBS script (likely evasive script)
Behavior Graph
[Behavior graph: figure; only the legend and node labels survive extraction.]
Legend: ID: 70283; Sample: 928374982730947.cmd; Startdate: 31/07/2018; Architecture: WINDOWS; Score: 56. Node types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Is malicious; language markers: Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language.
Graph nodes: cmd.exe (C, C++ or other language) started PING.EXE and wscript.exe. PING.EXE contacted 127.0.0.1 (country: unknown, ASN: unknown). Signatures attached to the graph: Multi AV Scanner detection for submitted file; Uses ping.exe to check the status of other devices and networks; Uses ping.exe to sleep (shown on both cmd.exe and PING.EXE).
Simulations
Behavior and APIs
Time: 13:28:30 | Type: API Interceptor | Description: 1x Sleep call for process: wscript.exe modified
Antivirus Detection
Initial Sample
Source: 928374982730947.cmd | Detection: 23% | Scanner: virustotal
Source: 928374982730947.cmd | Detection: 0% | Scanner: metadefender
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
Dropped Files
No context
Screenshots
Startup
System is w7
- cmd.exe (PID: 3944, cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\928374982730947.cmd' ', MD5: AD7B9C14083B52BC532FBA5948342B98)
  - PING.EXE (PID: 3984, cmdline: ping 127.0.0.1 -n 1, MD5: 6242E3D67787CCBF4E06AD2982853144)
  - wscript.exe (PID: 4008, cmdline: wscript //Nologo C:\Users\user\Temp\user.vbs, MD5: 979D74799EA6C8B8167869A68DF5204A)
- cleanup
Created / dropped Files
\Device\Null
Process: C:\Windows\System32\PING.EXE
File Type: ASCII text, with CRLF line terminators
Size (bytes): 282
Entropy (8bit): 4.885120575367097
Encrypted: false
MD5: 3D76B6100402FB39286186736F21B2CF
SHA1: 3267DA48E71623AB8E342C06F4733FFD2FF5BEAD
SHA-256: 0455D41F72FC7E9C08BF80270E75B86BF879E10DB2407926A10E43F3BDD1233E
SHA-512: 33F800C96C7701D4983C9CDAD0F85C2D84EF4FBBB39D8F0B850586593101E9249097AAA5735CE9583A38C71A2500B9D875C2CFE2398BDD64218810FB18F3D949
Malicious: false
Reputation: moderate, very likely benign file
Contacted Domains/Contacted IPs
Contacted Domains
No contacted domains info
Contacted IPs
Public
IP Country Flag ASN ASN Name Malicious
Private
IP 127.0.0.1
Static File Info
General
File type: DOS batch file, ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit): 4.402118298331553
TrID: Visual Basic Script (6000/0) 100.00%
File name: 928374982730947.cmd
File size: 84974
MD5: 5a9f8669fa3b27c26ab298c9213931c6
SHA1: b9f54c25314e16096b3c332f0c65ae4d348d64c0
SHA256: dce92dfc27f21b03951df1ddee498fdcbf1b7b5d7f2a0c33b8ee3fd10325aa75
SHA512: 83a6fe98398959019d3be7fcd1fe0b41c77cbaeeca58787840b4d1b5a3068f7917363646ca9cc2d9a1eb06c3ee8a69bfa9bdb16d8219e0e9e85db494dd664c49
File Content Preview: @echo off..SETLOCAL..md "%USERPROFILE%\Temp" && cls..set BMASNAKDNKFASDCYCYCYCYYCYCYC YCYC=%USERNAME%.vbs..set BANNASJAKSKNKNB ANNASKALJSNLKNCIIIICICCCIICIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIAHSHSHSIHIHSISHISHSHIISHIHSIH SIHSIHSASDJ
File Icon
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
System Behavior
Analysis Process: cmd.exe PID: 3944 Parent PID: 3512
General
Start time: 13:28:28
Start date: 31/07/2018
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ''C:\Users\user\Desktop\928374982730947.cmd' '
Imagebase: 0x4a5d0000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
File Created
Source: C:\Users\user\Temp | Access: read data or list directory | synchronize | Attributes: normal | Options: directory file | synchronous io non alert | open for backup ident | open reparse point | Completion: success or wait | Count: 1 | Address: 4A5DF8A4 | Symbol: CreateDirectoryW
Source: C:\Users\Sam | Access: read attributes | synchronize | generic write | Attributes: normal | Options: synchronous io non alert | non directory file | Completion: success or wait | Count: 1 | Address: 4A5DD8F1 | Symbol: CreateFileW
File Read
Source: C:\Users\user\Desktop\928374982730947.cmd | Offset: unknown | Length: 8191 | Completion: success or wait | Count: 7 | Address: 4A5D4DE3 | Symbol: ReadFile
Source: C:\Users\user\Desktop\928374982730947.cmd | Offset: unknown | Length: 512 | Completion: success or wait | Count: 1 | Address: 4A5D4DE3 | Symbol: ReadFile
Source: C:\Users\user\Desktop\928374982730947.cmd | Offset: unknown | Length: 8191 | Completion: success or wait | Count: 202 | Address: 4A5D4DE3 | Symbol: ReadFile
Source: C:\Users\user\Desktop\928374982730947.cmd | Offset: unknown | Length: 512 | Completion: success or wait | Count: 210 | Address: 4A5D4DE3 | Symbol: ReadFile
Source: C:\Users\user\Desktop\928374982730947.cmd | Offset: unknown | Length: 512 | Completion: end of file | Count: 1 | Address: 4A5D4DE3 | Symbol: ReadFile
Source: C:\Users\user\Desktop\928374982730947.cmd | Offset: unknown | Length: 8191 | Completion: end of file | Count: 1 | Address: 4A5D4DE3 | Symbol: ReadFile
Analysis Process: PING.EXE PID: 3984 Parent PID: 3944
General
Start time: 13:28:29
Start date: 31/07/2018
Path: C:\Windows\System32\PING.EXE
Wow64 process (32bit): false
Commandline: ping 127.0.0.1 -n 1
Imagebase: 0xe10000
File size: 15360 bytes
MD5 hash: 6242E3D67787CCBF4E06AD2982853144
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
File Activities
Source File Path Offset Length Value Ascii Completion Count Address Symbol
Analysis Process: wscript.exe PID: 4008 Parent PID: 3944
General
Start time: 13:28:30
Start date: 31/07/2018
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: wscript //Nologo C:\Users\user\Temp\user.vbs
Imagebase: 0x590000
File size: 141824 bytes
MD5 hash: 979D74799EA6C8B8167869A68DF5204A
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Source File Path Offset Length Completion Count Address Symbol
Registry Activities
Key Created
Source: HKEY_USERS\Software\Microsoft\Windows script Host | Completion: success or wait | Count: 1 | Address: 594109 | Symbol: RegCreateKeyExW
Source: HKEY_USERS\Software\Microsoft\Windows script Host\Settings | Completion: success or wait | Count: 1 | Address: 594109 | Symbol: RegCreateKeyExW
Disassembly
Code Analysis