Automated Malware Analysis Report for Dopdf-Full.Exe

Total Page:16

File Type:pdf, Size:1020Kb

ID: 60711
Sample Name: dopdf-full.exe
Cookbook: default.jbs
Time: 17:32:26
Date: 22/05/2018
Version: 22.0.0

Table of Contents

Table of Contents 2
Analysis Report 4
  Overview 4
    General Information 4
    Detection 4
    Confidence 5
    Classification 5
    Analysis Advice 6
  Signature Overview 6
    Cryptography 6
    Key, Mouse, Clipboard, Microphone and Screen Capturing 6
    Networking 6
    Persistence and Installation Behavior 6
    Data Obfuscation 6
    Spreading 6
    System Summary 7
    HIPS / PFW / Operating System Protection Evasion 7
    Anti Debugging 7
    Malware Analysis System Evasion 7
    Hooking and other Techniques for Hiding and Protection 7
    Lowering of HIPS / PFW / Operating System Security Settings 8
    Language, Device and Operating System Detection 8
  Behavior Graph 8
  Simulations 8
    Behavior and APIs 9
  Antivirus Detection 9
    Initial Sample 9
    Dropped Files 9
    Unpacked PE Files 9
    Domains 9
    URLs 9
  Yara Overview 9
    Initial Sample 9
    PCAP (Network Traffic) 9
    Dropped Files 9
    Memory Dumps 9
    Unpacked PEs 9
  Joe Sandbox View / Context 10
    IPs 10
    Domains 10
    ASN 10
    Dropped Files 10
  Screenshots 11
  Startup 11
  Created / dropped Files 11
  Contacted Domains/Contacted IPs 24
    Contacted Domains 24
    Contacted IPs 25
    Public 25
  Static File Info 25
    General 25
    File Icon 25
    Static PE Info 26
    General 26
    Authenticode Signature 26
    Entrypoint Preview 26
    Data Directories 27
    Sections 28
    Resources 28
    Imports 28
    Version Infos 29
    Possible Origin 29
  Network Behavior 30
    Network Port Distribution 30
    TCP Packets 30
    UDP Packets 31
    DNS Queries 31
    DNS Answers 31
    HTTPS Packets 31
  Code Manipulations 36
  Statistics 36
    Behavior 36
  System Behavior 37
    Analysis Process: dopdf-full.exe PID: 3480 Parent PID: 3048 37
      General 37
      File Activities 37
      File Written 37
      File Read 37
    Analysis Process: dopdf-full.exe PID: 3516 Parent PID: 3480 38
      General 38
      File Activities 38
      File Created 38
      File Written 43
      File Read 83
      Registry Activities 83
  Disassembly 84
    Code Analysis 84

Copyright Joe Security LLC 2018 Page 2 of 84

Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 60711
Start time: 17:32:26
Joe Sandbox Product: CloudBasic
Start date: 22.05.2018
Overall analysis duration: 0h 5m 38s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: dopdf-full.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean13.evad.winEXE@3/66@4/1
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 100% (good quality ratio 91.5%)
Quality average: 71.3%
Quality standard deviation: 31.8%
Cookbook Comments:
• Adjust boot time
• Correcting counters for adjusted boot time
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: dopdf-full.exe

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 13 | 0 - 100 | Report FP / FN | CLEAN

Confidence

Strategy | Score | Range | Further Analysis Required?
Confidence Threshold | 1 | 0 - 5 | true

Classification

(Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean.)

Analysis Advice

• Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
• Sample may be VM or Sandbox-aware, try analysis on a native machine
• Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
• Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

• Cryptography
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• Networking
• Persistence and Installation Behavior
• Data Obfuscation
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Lowering of HIPS / PFW / Operating System Security Settings
• Language, Device and Operating System Detection

Cryptography:
• Uses Microsoft's Enhanced Cryptographic Provider

Key, Mouse, Clipboard, Microphone and Screen Capturing:
• Creates a window with clipboard capturing capabilities

Networking:
• Contains functionality to download additional files from the internet
• Found strings which match to known social media urls
• Performs DNS lookups
• Urls found in memory or binary data
• Uses HTTPS

Persistence and Installation Behavior:
• Drops PE files

Data Obfuscation:
• PE file contains an invalid checksum
• PE file contains sections with non-standard names
• Uses code obfuscation techniques (call, push, ret)

Spreading:
• Contains functionality to enumerate / list files inside a directory

System Summary:
• Detected potential crypto function
• Found potential string decryption / allocating functions
• PE file contains strange resources
• Reads the hosts file
• Sample file is different than original file name gathered from version info
• Sample reads its own file content
• .NET source code contains methods with suspicious names
• Classification label
• Contains functionality for error logging
• Contains functionality to adjust token privileges (e.g. debug / backup)
• Contains functionality to instantiate COM classes
• Contains functionality to modify services (start/stop/modify)
• Creates temporary files
• PE file has an executable .text section and no other executable section
• Parts of this application are using the .NET runtime (Probably coded in C#)
• Reads software policies
• Spawns processes
• Uses an in-process (OLE) Automation server
• Found graphical window changes (likely an installer)
• Uses Microsoft Silverlight
• Submission file is bigger than most known malware samples
• PE file contains a mix of data directories often seen in goodware
• Contains modern PE file flags such as dynamic base (ASLR) or NX
• PE file contains a debug data directory
• Binary contains paths to debug symbols
• PE file contains a valid data directory to section mapping

HIPS / PFW / Operating System Protection Evasion:
• Contains functionality to add an ACL to a security descriptor
• Contains functionality to create a new security descriptor
• May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:
• Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
• Contains functionality to check if a debugger is running (IsDebuggerPresent)
• Contains functionality which may be used to detect a debugger (GetProcessHeap)
• Enables debug privileges
• Contains functionality to register its own exception handler
• Creates guard pages, often used to prevent reverse engineering and debugging

Malware Analysis System Evasion:
• Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
• Found dropped PE file which has not been started or loaded
• Found evasive API chain checking for process token information
• Uses the system / local time for branch decision (may execute only at specific dates)
• Contains functionality to enumerate / list files inside a directory
• Program exit points

Hooking and other Techniques for Hiding and Protection:
• Extensive use of GetProcAddress (often used to hide API calls)
• Monitors certain registry keys / values for changes (often done to protect autostart functionality)
• Disables application error messages (SetErrorMode)

Lowering of HIPS / PFW / Operating System Security Settings:
• Adds / modifies Windows certificates
• Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Language, Device and Operating System Detection:
• Contains functionality to query CPU information (cpuid)
• Queries the volume information (name, serial number etc) of a device
• Contains functionality to create pipes for IPC
• Contains functionality to query local / system time
• Contains functionality to query the account / user name
• Contains functionality to query time zone information
• Contains functionality to query windows version
• Queries the cryptographic machine GUID

Behavior Graph

(Behavior graph figure, ID: 60711. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious. Sample: dopdf-full.exe; Startdate: 22/05/2018; Architecture: WINDOWS; Score: 13. Nodes: dopdf-full.exe started dopdf-full.exe (13, 91); secure.novapdf.com 209.222.17.77, 443, 49168; four dropped files; AS-CHOOPA-ChoopaLLCUS United