Automated Malware Analysis Report for X4xy5j1gwc.Exe
ID: 453837
Sample Name: X4xY5J1GWc.exe
Cookbook: default.jbs
Time: 08:27:20
Date: 25/07/2021
Version: 33.0.0 White Diamond

Table of Contents

Table of Contents 2
Windows Analysis Report X4xY5J1GWc.exe 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
  Process Tree 4
  Malware Configuration 4
    Threatname: DanaBot 4
  Yara Overview 4
    Dropped Files 4
  Sigma Overview 5
    System Summary: 5
  Jbx Signature Overview 5
    AV Detection: 5
    Compliance: 5
    Networking: 5
    E-Banking Fraud: 5
    Spam, unwanted Advertisements and Ransom Demands: 5
    System Summary: 5
    Data Obfuscation: 5
    Malware Analysis System Evasion: 5
    HIPS / PFW / Operating System Protection Evasion: 6
    Stealing of Sensitive Information: 6
    Remote Access Functionality: 6
  Mitre Att&ck Matrix 6
  Behavior Graph 6
  Screenshots 7
    Thumbnails 7
  Antivirus, Machine Learning and Genetic Malware Detection 8
    Initial Sample 8
    Dropped Files 8
    Unpacked PE Files 8
    Domains 8
    URLs 8
  Domains and IPs 9
    Contacted Domains 9
    Contacted URLs 9
    URLs from Memory and Binaries 9
    Contacted IPs 9
      Public 9
      Private 9
  General Information 9
  Simulations 10
    Behavior and APIs 10
  Joe Sandbox View / Context 10
    IPs 10
    Domains 10
    ASN 10
    JA3 Fingerprints 11
    Dropped Files 11
  Created / dropped Files 11
  Static File Info 14
    General 14
    File Icon 14
    Static PE Info 14
      General 14
      Entrypoint Preview 14
      Data Directories 14
      Sections 15
      Resources 15
      Imports 15
      Version Infos 15
      Possible Origin 15
  Network Behavior 15
    Network Port Distribution 15
    TCP Packets 15
    UDP Packets 15
    DNS Queries 15
    DNS Answers 15
  Code Manipulations 15
  Statistics 15
    Behavior 16
  System Behavior 16
    Analysis Process: X4xY5J1GWc.exe PID: 6644 Parent PID: 5920 16
      General 16
      File Activities 16
        File Created 16
        File Written 16
    Analysis Process: rundll32.exe PID: 6712 Parent PID: 6644 16
      General 16
      File Activities 16
    Analysis Process: rundll32.exe PID: 7140 Parent PID: 6712 16
      General 17
      File Activities 17
        File Created 17
        File Written 17
        File Read 17
      Registry Activities 17
        Key Value Created 17
        Key Value Modified 17
    Analysis Process: powershell.exe PID: 6764 Parent PID: 7140 17
      General 17
      File Activities 17
        File Created 17
        File Deleted 17
        File Written 17
        File Read 17
    Analysis Process: conhost.exe PID: 6568 Parent PID: 6764 17
      General 18
    Analysis Process: powershell.exe PID: 5484 Parent PID: 7140 18
      General 18
      File Activities 18
        File Created 18
        File Read 18
    Analysis Process: conhost.exe PID: 5548 Parent PID: 5484 18
      General 18
  Disassembly 18
    Code Analysis 19

Copyright Joe Security LLC 2021 Page 2 of 19

Windows Analysis Report X4xY5J1GWc.exe

Overview

General Information
  Sample Name: X4xY5J1GWc.exe
  Analysis ID: 453837
  MD5: ab4cf6181cfb102…
  SHA1: ac756cbff2887e8…
  SHA256: f7c566ca7413a12…
  Tags: DanaBot exe
  Infos:
  Most interesting Screenshot: (screenshot not reproduced in this extraction)

Detection
  Score: 100
  Range: 0 - 100
  Whitelisted: false
  Confidence: 100%

Classification
  malicious (DanaBot)
  (Classification chart not reproduced; its axes are Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot and Adware, with score bands malicious / suspicious / clean.)

Signatures (truncated in the overview column, as on the original page)
  Detected unpacking (changes PE se…
  Detected unpacking (overwrites its o…
  Found malware configuration
  Multi AV Scanner detection for dropp…
  Multi AV Scanner detection for subm…
  System process connects to networ…
  Yara detected DanaBot stealer dll
  Bypasses PowerShell execution poli…
  C2 URLs / IPs found in malware con…
  Enables a proxy for the internet expl…
  Machine Learning detection for samp…
  Queries sensitive network adapter in…
  Sets a proxy for the internet explorer
  Sigma detected: Suspicious Script E…
  Tries to harvest and steal browser in…
  Contains functionality to dynamically…
  Contains functionality to query CPU …
  Contains functionality to query locale…
  Contains functionality to read the PEB
  Contains long sleeps (>= 3 min)
  Creates a process in suspended mo…
  Detected potential crypto function
  Drops PE files
  Enables debug privileges
  Extensive use of GetProcAddress (o…
  Found a high number of Window / Us…
  Found potential string decryption / a…
  IP address seen in connection with o…
  Internet Provider seen in connection…
  Is looking for software installed on th…
  May sleep (evasive loops) to hinder…
  PE file contains sections with non-s…
  PE file contains strange resources
  Queries the volume information (nam…
  Sample execution stops while proce…
  Sample file is different than original…
  Uses 32bit PE files
  Uses Microsoft's Enhanced Cryptog…
  Uses code obfuscation techniques (…

Process Tree

System is w10x64

X4xY5J1GWc.exe (PID: 6644 cmdline: 'C:\Users\user\Desktop\X4xY5J1GWc.exe' MD5: AB4CF6181CFB102EC86C66D56AF2D229)
  rundll32.exe (PID: 6712 cmdline: C:\Windows\system32\rundll32.exe C:\Users\user\Desktop\X4XY5J~1.TMP,S C:\Users\user\Desktop\X4XY5J~1.EXE MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    rundll32.exe (PID: 7140 cmdline: C:\Windows\system32\RUNDLL32.EXE C:\Users\user\Desktop\X4XY5J~1.TMP,Z0sc MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      powershell.exe (PID: 6764 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Executionpolicy bypass -File 'C:\Users\user\AppData\Local\Temp\tmpD845.tmp.ps1' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      powershell.exe (PID: 5484 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Executionpolicy bypass -File 'C:\Users\user\AppData\Local\Temp\tmpA617.tmp.ps1' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

  cleanup

Malware Configuration

Threatname: DanaBot

{
  "C2 list": [
    "142.11.244.124:443"
  ],
  "Embedded Hash": "6AD9FE4F9E491E785665E0D144F61DAB"
}

Yara Overview

Dropped Files

  Source: C:\Users\user\Desktop\X4XY5J~1.EXE.tmp
  Rule: JoeSecurity_DanaBot_stealer_dll_1
  Description: Yara detected DanaBot stealer dll
  Author: Joe Security
  Strings: (none listed)

Sigma Overview

System Summary:
  Sigma detected: Suspicious Script Execution From Temp Folder
  Sigma detected: Non Interactive PowerShell

Jbx Signature Overview

AV Detection:
  Found malware configuration
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Yara detected DanaBot stealer dll
  Machine Learning detection for sample

Compliance:
  Detected unpacking (overwrites its own PE header)

Networking:
  C2 URLs / IPs found in malware configuration

E-Banking Fraud:
  Yara detected DanaBot stealer dll
  Sets a proxy for the internet explorer

Spam, unwanted Advertisements and Ransom Demands:
  Enables a proxy for the internet explorer
  Sets a proxy for the internet explorer

System Summary:

Data Obfuscation:
  Detected unpacking (changes PE section rights)
  Detected unpacking (overwrites its own PE header)

Malware Analysis System