Automated Malware Analysis Report for Dopdf-Full.Exe
ID: 60711
Sample Name: dopdf-full.exe
Cookbook: default.jbs
Time: 17:32:26
Date: 22/05/2018
Version: 22.0.0

Table of Contents

Table of Contents ... 2
Analysis Report ... 4
Overview ... 4
General Information ... 4
Detection ... 4
Confidence ... 5
Classification ... 5
Analysis Advice ... 6
Signature Overview ... 6
Cryptography ... 6
Key, Mouse, Clipboard, Microphone and Screen Capturing ... 6
Networking ... 6
Persistence and Installation Behavior ... 6
Data Obfuscation ... 6
Spreading ... 6
System Summary ... 7
HIPS / PFW / Operating System Protection Evasion ... 7
Anti Debugging ... 7
Malware Analysis System Evasion ... 7
Hooking and other Techniques for Hiding and Protection ... 7
Lowering of HIPS / PFW / Operating System Security Settings ... 8
Language, Device and Operating System Detection ... 8
Behavior Graph ... 8
Simulations ... 8
Behavior and APIs ... 9
Antivirus Detection ... 9
Initial Sample ... 9
Dropped Files ... 9
Unpacked PE Files ... 9
Domains ... 9
URLs ... 9
Yara Overview ... 9
Initial Sample ... 9
PCAP (Network Traffic) ... 9
Dropped Files ... 9
Memory Dumps ... 9
Unpacked PEs ... 9
Joe Sandbox View / Context ... 10
IPs ... 10
Domains ... 10
ASN ... 10
Dropped Files ... 10
Screenshots ... 11
Startup ... 11
Created / dropped Files ... 11
Contacted Domains/Contacted IPs ... 24
Contacted Domains ... 24
Contacted IPs ... 25
Public ... 25
Static File Info ... 25
General ... 25
File Icon ... 25
Static PE Info ... 26
General ... 26
Authenticode Signature ... 26
Entrypoint Preview ... 26
Data Directories ... 27
Sections ... 28
Resources ... 28
Imports ... 28
Version Infos ... 29
Possible Origin ... 29
Network Behavior ... 30
Network Port Distribution ... 30
TCP Packets ... 30
UDP Packets ... 31
DNS Queries ... 31
DNS Answers ... 31
HTTPS Packets ... 31
Code Manipulations ... 36
Statistics ... 36
Behavior ... 36
System Behavior ... 37
Analysis Process: dopdf-full.exe PID: 3480 Parent PID: 3048 ... 37
General ... 37
File Activities ... 37
File Written ... 37
File Read ... 37
Analysis Process: dopdf-full.exe PID: 3516 Parent PID: 3480 ... 38
General ... 38
File Activities ... 38
File Created ... 38
File Written ... 43
File Read ... 83
Registry Activities ... 83
Disassembly ... 84
Code Analysis ... 84

Copyright Joe Security LLC 2018 Page 2 of 84

Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 60711
Start time: 17:32:26
Joe Sandbox Product: CloudBasic
Start date: 22.05.2018
Overall analysis duration: 0h 5m 38s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: dopdf-full.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean13.evad.winEXE@3/66@4/1
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 100% (good quality ratio 91.5%)
Quality average: 71.3%
Quality standard deviation: 31.8%
Cookbook Comments: Adjust boot time; Correcting counters for adjusted boot time; Found application associated with file extension: .exe
Warnings:
Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: dopdf-full.exe

Detection

Strategy: Threshold
Score: 13
Range: 0 - 100
Reporting: Report FP / FN

Confidence

Strategy: Threshold
Score: 1
Range: 0 - 5
Further Analysis Required?: true

Classification

[Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean]

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

• Cryptography
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• Networking
• Persistence and Installation Behavior
• Data Obfuscation
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Lowering of HIPS / PFW / Operating System Security Settings
• Language, Device and Operating System Detection

Cryptography:
Uses Microsoft's Enhanced Cryptographic Provider

Key, Mouse, Clipboard, Microphone and Screen Capturing:
Creates a window with clipboard capturing capabilities

Networking:
Contains functionality to download additional files from the internet
Found strings which match to known social media urls
Performs DNS lookups
Urls found in memory or binary data
Uses HTTPS

Persistence and Installation Behavior:
Drops PE files

Data Obfuscation:
PE file contains an invalid checksum
PE file contains sections with non-standard names
Uses code obfuscation techniques (call, push, ret)

Spreading:
Contains functionality to enumerate / list files inside a directory

System Summary:
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains strange resources
Reads the hosts file
Sample file is different than original file name gathered from version info
Sample reads its own file content
.NET source code contains methods with suspicious names
Classification label
Contains functionality for error logging
Contains functionality to adjust token privileges (e.g. debug / backup)
Contains functionality to instantiate COM classes
Contains functionality to modify services (start/stop/modify)
Creates temporary files
PE file has an executable .text section and no other executable section
Parts of this application are using the .NET runtime (Probably coded in C#)
Reads software policies
Spawns processes
Uses an in-process (OLE) Automation server
Found graphical window changes (likely an installer)
Uses Microsoft Silverlight
Submission file is bigger than most known malware samples
PE file contains a mix of data directories often seen in goodware
Contains modern PE file flags such as dynamic base (ASLR) or NX
PE file contains a debug data directory
Binary contains paths to debug symbols
PE file contains a valid data directory to section mapping

HIPS / PFW / Operating System Protection Evasion:
Contains functionality to add an ACL to a security descriptor
Contains functionality to create a new security descriptor
May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Contains functionality to register its own exception handler
Creates guard pages, often used to prevent reverse engineering and debugging

Malware Analysis System Evasion:
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Uses the system / local time for branch decision (may execute only at specific dates)
Contains functionality to enumerate / list files inside a directory
Program exit points

Hooking and other Techniques for Hiding and Protection:
Extensive use of GetProcAddress (often used to hide API calls)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Disables application error messages (SetErrorMode)

Lowering of HIPS / PFW / Operating System Security Settings:
Adds / modifies Windows certificates
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Language, Device and Operating System Detection:
Contains functionality to query CPU information (cpuid)
Queries the volume information (name, serial number etc) of a device
Contains functionality to create pipes for IPC
Contains functionality to query local / system time
Contains functionality to query the account / user name
Contains functionality to query time zone information
Contains functionality to query windows version
Queries the cryptographic machine GUID

Behavior Graph

[Behavior graph legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious]
ID: 60711
Sample: dopdf-full.exe
Startdate: 22/05/2018
Architecture: WINDOWS
Score: 13
dopdf-full.exe started dopdf-full.exe (13 91)
dopdf-full.exe dropped (4 files)
dopdf-full.exe contacted secure.novapdf.com 209.222.17.77, 443, 49168 AS-CHOOPA-ChoopaLLCUS United