Automated Malware Analysis Report for _234125._exe
ID: 270113
Sample Name: _234125._exe
Cookbook: default.jbs
Time: 15:01:42
Date: 18/08/2020
Version: 29.0.0 Ocean Jasper

Table of Contents

Table of Contents (page 2)
Analysis Report _234125._exe (page 4)
  Overview (page 4)
    General Information (page 4)
    Detection (page 4)
    Signatures (page 4)
    Classification (page 4)
  Startup (page 5)
  Malware Configuration (page 5)
    Threatname: Emotet (page 5)
  Yara Overview (page 7)
    Memory Dumps (page 7)
  Sigma Overview (page 7)
  Signature Overview (page 7)
    AV Detection (page 7)
    Networking (page 7)
    E-Banking Fraud (page 7)
    Persistence and Installation Behavior (page 7)
    Hooking and other Techniques for Hiding and Protection (page 7)
    Stealing of Sensitive Information (page 8)
  Mitre Att&ck Matrix (page 8)
  Behavior Graph (page 8)
  Screenshots (page 9)
    Thumbnails (page 9)
  Antivirus, Machine Learning and Genetic Malware Detection (page 10)
    Initial Sample (page 10)
    Dropped Files (page 10)
    Unpacked PE Files (page 10)
    Domains (page 10)
    URLs (page 10)
  Domains and IPs (page 11)
    Contacted Domains (page 11)
    Contacted URLs (page 11)
    URLs from Memory and Binaries (page 11)
    Contacted IPs (page 11)
      Public (page 11)
  General Information (page 12)
  Simulations (page 12)
    Behavior and APIs (page 12)
  Created / dropped Files (page 12)
  Static File Info (page 13)
    General (page 13)
    File Icon (page 13)
    Static PE Info (page 13)
      General (page 13)
      Entrypoint Preview (page 13)
      Rich Headers (page 14)
      Data Directories (page 14)
      Sections (page 15)
      Resources (page 15)
      Imports (page 15)
      Version Infos (page 16)
      Possible Origin (page 16)
  Network Behavior (page 17)
    Snort IDS Alerts (page 17)
    TCP Packets (page 17)
    HTTP Request Dependency Graph (page 17)
    HTTP Packets (page 17)
  Code Manipulations (page 18)
  Statistics (page 18)
    Behavior (page 18)
  System Behavior (page 18)
    Analysis Process: _234125.exe PID: 6848 Parent PID: 5656 (page 18)
      General (page 18)
      File Activities (page 18)
        File Deleted (page 18)
    Analysis Process: dxdiag.exe PID: 6892 Parent PID: 6848 (page 19)
      General (page 19)
      File Activities (page 19)
        File Created (page 19)
        File Deleted (page 20)
    Analysis Process: svchost.exe PID: 6924 Parent PID: 576 (page 20)
      General (page 20)
      File Activities (page 20)
      Registry Activities (page 20)
    Analysis Process: svchost.exe PID: 6352 Parent PID: 576 (page 21)
      General (page 21)
      File Activities (page 21)
    Analysis Process: svchost.exe PID: 6552 Parent PID: 576 (page 21)
      General (page 21)
      File Activities (page 21)
  Disassembly (page 21)
    Code Analysis (page 21)

Copyright null 2020 Page 2 of 21

Analysis Report _234125._exe
Overview

General Information
Sample Name: _234125._exe (renamed file extension from _exe to exe)
Analysis ID: 270113
MD5: d88ad9f7b94aca8…
SHA1: 4c28e360fe4261b…
SHA256: 964d936fd267b8d…
Most interesting Screenshot: (image)

Detection
Emotet
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures
Found malware configuration
Snort IDS alert for network traffic (e…
Yara detected Emotet
Drops executables to the windows d…
Hides that the sample has been dow…
Contains capabilities to detect virtua…
Contains functionality to access loa…
Contains functionality to call native f…
Contains functionality to check if a w…
Contains functionality to dynamically…
Contains functionality to read the PEB
Creates files inside the system direc…
Deletes files inside the Windows fold…
Detected potential crypto function
Drops PE files to the windows direct…
Found potential string decryption / a…
PE file contains strange resources
Potential key logger detected (keys…
Queries the volume information (nam…
Sample file is different than original…
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptog…
Uses a known web browser user age…
Uses code obfuscation techniques (…

Classification
(radar chart) Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious, suspicious, clean.

Startup
System is w10x64
_234125.exe (PID: 6848, cmdline: 'C:\Users\user\Desktop\_234125.exe', MD5: D88AD9F7B94ACA8A7B157960496F2733)
    dxdiag.exe (PID: 6892, cmdline: C:\Windows\SysWOW64\mfvdsp\dxdiag.exe, MD5: D88AD9F7B94ACA8A7B157960496F2733)
svchost.exe (PID: 6924, cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc, MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 6352, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p, MD5: 32569E403279B3FD2EDB7EBD036273FA)
svchost.exe (PID: 6552, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p, MD5: 32569E403279B3FD2EDB7EBD036273FA)
cleanup

Malware Configuration

Threatname: Emotet
{
  "C2 list": [
    "68.44.137.144:443",
    "69.30.203.214:8080",
    "67.205.85.243:8080",
    "79.98.24.39:8080",
    "5.196.74.210:8080",
    "188.83.220.2:443",
    "109.116.214.124:443",
    "203.117.253.142:80",
    "104.131.11.150:443",
    "97.82.79.83:80",
    "121.124.124.40:7080",
    "83.169.36.251:8080",
    "89.186.91.200:443",
    "70.167.215.250:8080",
    "204.197.146.48:80",
    "167.86.90.214:8080",
    "190.160.53.126:80",
    "95.213.236.64:8080",
    "47.144.21.12:443",
    "169.239.182.217:8080",
    "62.75.141.82:80",
    "181.211.11.242:80",
    "37.70.8.161:80",
    "190.55.181.54:443",
    "78.24.219.147:8080",
    "93.51.50.171:8080",
    "139.59.60.244:8080",
    "91.211.88.52:7080",
    "139.130.242.43:80",
    "24.233.112.152:80",
    "185.94.252.104:443",
    "74.208.45.104:8080",
    "47.146.117.214:80",
    "137.59.187.107:8080",
    "174.102.48.180:80",
    "199.101.86.142:8080",
    "116.203.32.252:8080",
    "103.86.49.11:8080",
    "81.2.235.111:8080",
    "200.41.121.90:80",
    "85.105.205.77:8080",
    "61.19.246.238:443",
    "110.145.77.103:80",
    "107.185.211.16:80",
    "95.179.229.244:8080",
    "85.152.162.105:80",
    "142.105.151.124:443",
    "41.60.200.34:80",
    "203.153.216.189:7080",
    "46.105.131.79:8080",
    "181.230.116.163:80",
    "168.235.67.138:7080",
    "24.179.13.119:80",
    "72.12.127.184:443",
    "75.139.38.211:80",
    "109.74.5.95:8080",
    "24.43.99.75:80",
    "87.106.136.232:8080",
    "176.111.60.55:8080",
    "152.168.248.128:443",
    "74.120.55.163:80",
    "183.101.175.193:80",
    "68.188.112.97:80",
    "62.138.26.28:8080",
    "5.39.91.110:7080",
    "24.137.76.62:80",
    "37.139.21.175:8080",
    "2.58.16.85:7080",
    "209.141.54.221:8080",
    "37.187.72.193:8080",
    "104.236.246.93:8080",
    "157.147.76.151:80",
    "87.106.139.101:8080",
    "189.212.199.126:443",
    "173.62.217.22:443",
    "180.92.239.110:8080",
    "104.131.44.150:8080",
    "157.245.99.39:8080"
  ],
  "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"
}

Yara Overview

Memory Dumps
Source | Rule | Description | Author | Strings
00000001.00000002.1534712271.0000000002120000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.1534744502.0000000002141000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.1270600625.0000000002201000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.1270589622.00000000021F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview
No Sigma rule has matched

Signature Overview
• AV Detection
• Cryptography
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information

AV Detection:
Found malware configuration

Networking:
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

E-Banking Fraud:
Yara detected Emotet

Persistence and Installation Behavior:
Drops executables to the windows directory (C:\Windows) and starts them

Hooking and other Techniques for Hiding and Protection:
Hides that the sample has been downloaded from the Internet (zone.identifier)

Stealing of Sensitive Information:
Yara detected Emotet

Mitre Att&ck Matrix
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects
Valid … | Native … | DLL Side-… | Process … | Masquerading 1 2 | Input … | Security Software … | Remote … | Input … | Exfiltration … | | |
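The Malware Configuration section above gives the two things a responder actually uses from an Emotet sample: the C2 endpoint list and the RSA public key the bot uses to protect its session key. What follows is an added example, written for this page and not code from the Joe Sandbox report or from any Emotet tooling, showing how to consume a configuration in exactly that shape: it validates every "ip:port" entry, tallies the ports, decodes the base64 key and walks its DER by hand to confirm it is an rsaEncryption SubjectPublicKeyInfo and to read the modulus size. The embedded configuration is constructed from the report, with the C2 list cut to its first twelve entries (the report lists 78) and the key copied as printed. All function and constant names (`parse_c2`, `parse_rsa_spki`, `summarize`, `REPORT_CONFIG_JSON`) are the example's own; the DER walker is a minimal one for this key layout, not a general ASN.1 parser.

```python
"""Consume the Emotet configuration shown in the Malware Configuration section.

Added example; not code from the Joe Sandbox report. Standard library only.
"""
import base64
import hashlib
import ipaddress
import json
from collections import Counter

# Constructed input: the report's config, with the C2 list cut to its first
# twelve entries (the report lists 78) to keep the example short.
REPORT_CONFIG_JSON = r'''{
  "C2 list": [
    "68.44.137.144:443", "69.30.203.214:8080", "67.205.85.243:8080",
    "79.98.24.39:8080", "5.196.74.210:8080", "188.83.220.2:443",
    "109.116.214.124:443", "203.117.253.142:80", "104.131.11.150:443",
    "97.82.79.83:80", "121.124.124.40:7080", "83.169.36.251:8080"
  ],
  "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"
}'''

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_c2(entries):
    """Turn the report's 'ip:port' strings into validated (ip, port) pairs.

    Anything that is not an IP literal with a sane port raises, so a corrupted
    config never silently turns into a block-list entry.
    """
    pairs = []
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep:
            raise ValueError(f"no port in {entry!r}")
        addr = ipaddress.ip_address(host)  # raises ValueError on garbage
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {entry!r}")
        pairs.append((str(addr), port))
    return pairs


def _tlv(buf, off):
    """Read one DER tag-length-value at buf[off]; return (tag, value, next_off)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low bits give the byte count of the length
        count = length & 0x7F
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
    return tag, buf[off:off + length], off + length


def parse_rsa_spki(b64_key):
    """Return (modulus_bits, public_exponent) from a base64 SubjectPublicKeyInfo.

    Expected layout: SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
    BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }. The newlines embedded
    in the report's JSON string are discarded by b64decode.
    """
    der = base64.b64decode(b64_key)
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    alg_tag, alg, off = _tlv(spki, 0)
    oid_tag, oid, _ = _tlv(alg, 0)
    if alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    bs_tag, bitstr, _ = _tlv(spki, off)
    if bs_tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    seq_tag, rsapub, _ = _tlv(bitstr, 1)  # skip the unused-bits byte
    n_tag, n_bytes, off = _tlv(rsapub, 0)
    e_tag, e_bytes, _ = _tlv(rsapub, off)
    if (seq_tag, n_tag, e_tag) != (0x30, 0x02, 0x02):
        raise ValueError("RSAPublicKey is not SEQUENCE { INTEGER, INTEGER }")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return n.bit_length(), e


def summarize(config_json=REPORT_CONFIG_JSON):
    """Reduce the config to the facts a responder files: endpoints, ports, key."""
    cfg = json.loads(config_json)
    c2 = parse_c2(cfg["C2 list"])
    bits, exponent = parse_rsa_spki(cfg["RSA Public Key"])
    key_der = base64.b64decode(cfg["RSA Public Key"])
    return {
        "c2": c2,
        "ports": dict(Counter(port for _, port in c2)),
        "rsa_bits": bits,
        "rsa_exponent": exponent,
        # One RSA key is shared by every sample of an Emotet epoch, so its
        # hash is a more durable pivot than any single C2 address.
        "rsa_key_sha256": hashlib.sha256(key_der).hexdigest(),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(), indent=2))
```

Run as a script it prints the summary. The report's key decodes to a 768-bit RSA modulus with public exponent 65537, and the port tally (443, 8080, 80 and 7080 in this subset) is the reason Emotet C2 traffic cannot be blocked by port alone; the addresses, or better the key hash, are what to carry into detection content.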
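The Startup list and the "Persistence and Installation Behavior" signature above describe one event: the sample wrote a byte-identical copy of itself (same MD5) to C:\Windows\SysWOW64\mfvdsp\dxdiag.exe and started it, which is also why the Att&ck matrix carries Masquerading. The following is an added example, not part of the Joe Sandbox report, of the two checks a detection engineer would write for that pattern over process-start telemetry: a child whose executable hash equals its parent's but whose path differs, and a well-known system binary name running from a directory that binary does not ship in. The process records are constructed from the report's Startup section together with the parent PIDs given in its table of contents; the canonical-directory table is an assumption of the example (the two locations of dxdiag.exe and svchost.exe on x64 Windows 10) and should come from a reference image in practice. `Proc`, `analyse`, `flagged_pids` and the rule names are the example's own.

```python
"""Flag the self-copy-and-launch persistence pattern from the Startup section.

Added example; not code from the Joe Sandbox report. Standard library only.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    md5: str


# Constructed from the report: the Startup list plus the parent PIDs given in
# its "Analysis Process" table-of-contents entries.
REPORT_PROCESSES = [
    Proc(6848, 5656, r"C:\Users\user\Desktop\_234125.exe",
         "D88AD9F7B94ACA8A7B157960496F2733"),
    Proc(6892, 6848, r"C:\Windows\SysWOW64\mfvdsp\dxdiag.exe",
         "D88AD9F7B94ACA8A7B157960496F2733"),
    Proc(6924, 576, r"c:\windows\system32\svchost.exe",
         "32569E403279B3FD2EDB7EBD036273FA"),
    Proc(6352, 576, r"C:\Windows\System32\svchost.exe",
         "32569E403279B3FD2EDB7EBD036273FA"),
    Proc(6552, 576, r"C:\Windows\System32\svchost.exe",
         "32569E403279B3FD2EDB7EBD036273FA"),
]

# Assumption of the example: the directories these binaries ship in on x64
# Windows 10. Generate this from a reference image in production, not by hand.
CANONICAL_DIRS = {
    "dxdiag.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def analyse(procs):
    """Return (pid, rule, detail) findings for a list of process-start records."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        # Windows paths are case-insensitive; normalise before any comparison.
        directory, name = ntpath.split(p.image.lower())
        parent = by_pid.get(p.ppid)
        # Self copy: the child is byte-identical to its parent but was started
        # from a different path, i.e. the parent dropped itself and ran the copy.
        if (parent is not None and parent.md5.lower() == p.md5.lower()
                and parent.image.lower() != p.image.lower()):
            findings.append((p.pid, "self_copy_started_by_parent",
                             f"{parent.image} -> {p.image}"))
        # Masquerading: a well-known system binary name living outside the
        # directories that binary ships in. Unknown names are not findings.
        expected = CANONICAL_DIRS.get(name)
        if expected is not None and directory not in expected:
            findings.append((p.pid, "system_binary_name_outside_canonical_dir",
                             p.image))
    return findings


def flagged_pids(procs=REPORT_PROCESSES):
    """PIDs with at least one finding, sorted, for quick triage."""
    return sorted({pid for pid, _, _ in analyse(procs)})


if __name__ == "__main__":
    for pid, rule, detail in analyse(REPORT_PROCESSES):
        print(f"PID {pid}: {rule}: {detail}")
```

On the report's data only PID 6892 fires, on both rules; the three svchost.exe instances under C:\Windows\System32 are silent, which is the point of keying the second rule on a canonical-directory table rather than on the name alone. The Zone.Identifier signature in the same section is a file-stream event rather than a process event, so it needs file telemetry that this analyser does not take.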