Automated Malware Analysis Report For
ID: 71345
Cookbook: browseurl.jbs
Time: 11:22:46
Date: 07/08/2018
Version: 23.0.0

Table of Contents

Table of Contents ........ 2
Analysis Report ........ 4
  Overview ........ 4
    General Information ........ 4
    Detection ........ 4
    Confidence ........ 4
    Classification ........ 5
  Signature Overview ........ 5
    AV Detection ........ 6
    Bitcoin Miner ........ 6
    Software Vulnerabilities ........ 6
    Networking ........ 6
    System Summary ........ 6
    Hooking and other Techniques for Hiding and Protection ........ 6
    Malware Analysis System Evasion ........ 6
    Anti Debugging ........ 7
    Language, Device and Operating System Detection ........ 7
  Behavior Graph ........ 7
  Simulations ........ 7
    Behavior and APIs ........ 7
  Antivirus Detection ........ 7
    Initial Sample ........ 7
    Dropped Files ........ 8
    Unpacked PE Files ........ 8
    Domains ........ 8
    URLs ........ 8
  Yara Overview ........ 8
    Initial Sample ........ 8
    PCAP (Network Traffic) ........ 8
    Dropped Files ........ 8
    Memory Dumps ........ 8
    Unpacked PEs ........ 8
  Joe Sandbox View / Context ........ 8
    IPs ........ 8
    Domains ........ 8
    ASN ........ 8
    Dropped Files ........ 9
  Screenshots ........ 9
  Startup ........ 9
  Created / dropped Files ........ 9
  Contacted Domains/Contacted IPs ........ 11
    Contacted Domains ........ 11
    Contacted URLs ........ 12
    Contacted IPs ........ 12
      Public ........ 12
  Static File Info ........ 12
    No static file info ........ 12
  Network Behavior ........ 12
    Network Port Distribution ........ 12
    TCP Packets ........ 13
    UDP Packets ........ 13
    DNS Queries ........ 13
    DNS Answers ........ 13
    HTTP Request Dependency Graph ........ 13
    HTTP Packets ........ 13
  Code Manipulations ........ 14
  Statistics ........ 14
    Behavior ........ 14
  System Behavior ........ 14
    Analysis Process: iexplore.exe PID: 2056 Parent PID: 548 ........ 14
      General ........ 15
      File Activities ........ 15
      Registry Activities ........ 15
    Analysis Process: iexplore.exe PID: 1900 Parent PID: 2056 ........ 15
      General ........ 15
      File Activities ........ 15
      Registry Activities ........ 16
    Analysis Process: wscript.exe PID: 3104 Parent PID: 2056 ........ 16
      General ........ 16
      File Activities ........ 16
      Registry Activities ........ 16
        Key Created ........ 16
  Disassembly ........ 16

Copyright Joe Security LLC 2018 Page 2 of 16

Analysis Report

Overview

General Information
Joe Sandbox Version: 23.0.0
Analysis ID: 71345
Start date: 07.08.2018
Start time: 11:22:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 56s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: http://aqc223.adfrend.com/friendly.js
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.expl.mine.win@5/9@1/1
Cookbook Comments:
  Adjust boot time
  Correcting counters for adjusted boot time
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
  Report size getting too big, too many NtDeviceIoControlFile calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection
Strategy: Threshold
Score: 56
Range: 0 - 100
Reporting: Report FP / FN

Confidence
Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification
(Classification gauge rendered as an image in the original. Scale: malicious / suspicious / clean. Categories shown: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware.)

Signature Overview
• AV Detection
• Bitcoin Miner
• Software Vulnerabilities
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

AV Detection:
  Antivirus detection for dropped file

Bitcoin Miner:
  Found strings related to Crypto-Mining

Software Vulnerabilities:
  Potential browser exploit detected (process start blacklist hit)

Networking:
  Downloads compressed data via HTTP
  Downloads files
  Downloads files from webservers via HTTP
  Performs DNS lookups
  Urls found in memory or binary data

System Summary:
  Classification label
  Creates files inside the user directory
  Creates temporary files
  Reads ini files
  Reads software policies
  Spawns processes
  Uses an in-process (OLE) Automation server
  Found graphical window changes (likely an installer)
  Uses new MSVCR Dlls

Hooking and other Techniques for Hiding and Protection:
  Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:
  Found WSH timer for Javascript or VBS script (likely evasive script)

Anti Debugging:
  Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Language, Device and Operating System Detection:
  Queries the cryptographic machine GUID

Behavior Graph
(Graph rendered as an image in the original; the details recoverable from its labels follow.)
ID: 71345
URL: http://aqc223.adfrend.com/friendly.js
Start date: 07/08/2018
Architecture: WINDOWS
Score: 56
Process tree shown: iexplore.exe started iexplore.exe and wscript.exe
Network node: aqc223.adfrend.com, 173.208.193.181, ports 49171, 49172, 80 (WII-KC-WholeSaleInternetIncUS, United States)
Dropped files shown: C:\Users\user\AppData\...\friendly[1].js (HTML); C:\Users\user\...\friendly.js.b9ht2vr.partial (HTML); friendly.js.b9ht2v...ial:Zone.Identifier (ASCII)
Signatures attached in the graph: Antivirus detection for dropped file; Found strings related to Crypto-Mining; Potential browser exploit detected (process start blacklist hit)

Simulations

Behavior and APIs
Time      Type             Description
11:23:26  API Interceptor  421x Sleep call for process: iexplore.exe modified
11:23:50  API Interceptor  2x Sleep call for process: wscript.exe modified

Antivirus Detection

Initial Sample
Source: http://aqc223.adfrend.com/friendly.js
  Detection: 0%  Scanner: virustotal

Dropped Files
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\friendly[1].js
  Detection: 100%  Scanner: Avira  Label: PUA/CryptoMiner.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js.b9ht2vr.partial
  Detection: 100%  Scanner: Avira  Label: PUA/CryptoMiner.Gen

Unpacked PE Files
No Antivirus matches

Domains
Source: aqc223.adfrend.com
  Detection: 0%  Scanner: virustotal

URLs
Source: http://aqc223.adfrend.com/friendly.js
  Detection: 0%  Scanner: virustotal
Source: http://aqc223.adfrend.com/friendly.js
  Detection: 0%  Scanner: Avira URL Cloud  Label: safe

Yara Overview

Initial Sample
No yara matches

PCAP (Network Traffic)
No yara matches

Dropped Files
No yara matches

Memory Dumps
No yara matches

Unpacked PEs
No yara matches

Joe Sandbox View / Context

IPs
No context

Domains
No context

ASN
No context

Dropped Files
No context

Screenshots
(Screenshot image not reproduced in this extraction.)

Startup
System is w7
iexplore.exe (PID: 2056, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, MD5: CA1F703CD665867E8132D2946FB55750)
  iexplore.exe (PID: 1900, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2056 CREDAT:275457 /prefetch:2, MD5: CA1F703CD665867E8132D2946FB55750)
  wscript.exe (PID: 3104, cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js', MD5: 979D74799EA6C8B8167869A68DF5204A)
cleanup

Created / dropped Files

C:\Users\SAMTAR~1\AppData\Local\Temp\~DF01346E7BD5F72CD3.TMP
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: FoxPro FPT, blocks size 258, next free block index 16711424
Size (bytes): 29989
Entropy (8bit): 1.5449829905758383
Encrypted: false
MD5: 8130C3A6952FC493FA5F6EC39295E090
SHA1: 35926EF1820B8C44FF6C450FE8C2E1F2AED56862
SHA-256: 37E99ECED0122D5F230F07BA7C7FE5E5A5B381853A4A435C8D00D7E4700BCBDE
SHA-512: F192A2EF2A5BE9DBBE4E252EDAF57748F48C4CD9F73860B7E3DC495A6FBDFC55E95DE4068FE09EBC0D6E9AB59E645034184C2AAE7C1953A787AC6094B95C6679
Malicious: false
Reputation: low

C:\Users\SAMTAR~1\AppData\Local\Temp\~DF442007127DB870C9.TMP
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: data
Size (bytes): 12981
Entropy (8bit): 2.8326739835194443
Encrypted: false
MD5: BCC796EAEFCEEC052188CAACC8D4CAFC
SHA1: 625B8D8CEA3F6FE31BE37B849D89904522961296
SHA-256: E9336A2665B887E5507782A9831C3B9162A5D4AEDAA0E3645AB3C92092C62CA0
SHA-512: E094E014D68E236160A77E96ACEAD30264D013FE7200EBD57D9928BAAAB3DB7B41B718EC4320DEEEAB60E6E68F25A04731AC716F641F08629C013E9BD3FDD8C8
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{899453F1-9A23-11E8-B3E3-CCDA62336E41}.dat
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 32344
Entropy (8bit): 1.7952268015278676
Encrypted: false
MD5: EB3FA6865F05937651AD47B606D65620
SHA1: 867E3DDF6BFFDE2E44C4AFD721E2B0B2E6C94D37
SHA-256: 73958600453C6A50E140A4959F00CFC01C4C2243D289DFF1FF30546C579E86CD
SHA-512: F806CEF5CCCEC46458B86C7BA7B0FA415F262A79C7392258C828FED4D72FCC3B886136755202060800A5B7DFE59F0F85D77E547AD1D23BDEB7DA0BF82DA8CF1D
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{899453F3-9A23-11E8-B3E3-CCDA62336E41}.dat
Process: C:\Program Files\Internet Explorer\iexplore.exe
File Type: Microsoft Word Document
Size (bytes): 19032
Entropy (8bit): 1.6010720089232622
Encrypted: