Automated Malware Analysis Report For
ID: 182796   Cookbook: browseurl.jbs   Time: 11:09:30   Date: 15/10/2019   Version: 28.0.0 Lapis Lazuli

Table of Contents
Table of Contents 2
Analysis Report https://ziad-w-hammad-dot-yamm-track.appspot.com 4
  Overview 4
    General Information 4
    Detection 5
    Confidence 5
    Classification 5
    Analysis Advice 6
  Mitre Att&ck Matrix 6
  Signature Overview 7
    Phishing 7
    Networking 7
    System Summary 7
    Malware Analysis System Evasion 7
    HIPS / PFW / Operating System Protection Evasion 7
  Behavior Graph 8
  Simulations 8
    Behavior and APIs 8
  Antivirus, Machine Learning and Genetic Malware Detection 8
    Initial Sample 8
    Dropped Files 8
    Unpacked PE Files 8
    Domains 8
    URLs 9
  Yara Overview 9
    Initial Sample 9
    PCAP (Network Traffic) 9
    Dropped Files 9
    Memory Dumps 9
    Unpacked PEs 10
  Joe Sandbox View / Context 10
    IPs 10
    Domains 10
    ASN 10
    JA3 Fingerprints 10
    Dropped Files 10
  Screenshots 10
    Thumbnails 10
  Startup 11
  Created / dropped Files 11
  Domains and IPs 39
    Contacted Domains 39
    URLs from Memory and Binaries 39
    Contacted IPs 41
      Public 41
  Static File Info 42
    No static file info 42
  Network Behavior 42
    Network Port Distribution 42
    TCP Packets 42
    UDP Packets 43
    DNS Queries 44
    DNS Answers 44
    HTTPS Packets 44
  Code Manipulations 44
  Statistics 44
    Behavior 44
  System Behavior 45
    Analysis Process: iexplore.exe PID: 2676 Parent PID: 700 45
      General 45
      File Activities 45
      Registry Activities 45
    Analysis Process: iexplore.exe PID: 1860 Parent PID: 2676 45
      General 45
      File Activities 46
      Registry Activities 46
  Disassembly 46

Copyright Joe Security LLC 2019 Page 2 of 46

Analysis Report https://ziad-w-hammad-dot-yamm-track.appspot.com

Overview

General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 182796
Start date: 15.10.2019
Start time: 11:09:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 21s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://ziad-w-hammad-dot-yamm-track.appspot.com
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.phis.win@3/189@2/28
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Browsing link: https://sites.google.com/site/scriptsexamples/
  Browsing link: https://sites.google.com/site/scriptsexamples/home/news
  Browsing link: https://sites.google.com/site/scriptsexamples/available-web-apps/awesome-tables
  Browsing link: https://support.awesome-table.com/hc/en-us
  Browsing link: https://sites.google.com/site/scriptsexamples/available-web-apps/awesome-tables/demos
  Browsing link: https://sites.google.com/site/scriptsexamples/available-web-apps/awesome-tables/add-ons
  Browsing link: https://plus.google.com/communities/117434057513505498243
  Browsing link: https://sites.google.com/site/scriptsexamples/customers
  Browsing link: https://support.awesome-table.com/hc/en-us/community/topics/115000043385
  Browsing link: https://support.awesome-table.com/hc/en-us/articles/360000251129
  Browsing link: https://sites.google.com/site/scriptsexamples/available-web-apps/awesome-tables/terms-of-service
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, conhost.exe, CompatTelRunner.exe
  Created / dropped Files have been reduced to 100
  Excluded IPs from analysis (whitelisted): 104.108.44.35, 67.26.73.254, 67.27.234.126, 67.27.157.126, 8.248.115.254, 8.248.113.254, 216.58.201.78, 172.217.23.227
  Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, ssl.gstatic.com, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, sites.google.com, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net
  Report size exceeded maximum capacity and may have missing behavior information.
  Report size getting too big, too many NtCreateFile calls found.
  Report size getting too big, too many NtDeviceIoControlFile calls found.
  Report size getting too big, too many NtQueryAttributesFile calls found.

Detection
Strategy | Score | Range | Reporting | Whitelisted | Threat
Threshold | 48 | 0 - 100 | | false | Audio Phisher

Confidence
Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |

Classification
[Classification gauge: scale malicious / suspicious / clean across the categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware]

Analysis Advice
• Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
• Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix
Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Web Service 1; Process Injection 1; Rootkit; Obfuscated Files or Information
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Process Discovery 1; Security Software Discovery 1; File and Directory Discovery 1; System Network Configuration Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Web Service 1; Standard Cryptographic Protocol 2; Standard Non-Application Layer Protocol 2; Standard Application Layer Protocol 2

Signature Overview
• Phishing
• Networking
• System Summary
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion

Phishing:
  Yara detected Audio Phisher
Networking:
  Social media urls found in memory data
  Found strings which match to known social media urls
  Performs DNS lookups
  Urls found in memory or binary data
  Uses HTTPS
System Summary:
  Classification label
  Creates files inside the user directory
  Creates temporary files
  Reads ini files
  Sample might require command line arguments
  Spawns processes
  Found GUI installer (many successful clicks)
  Found graphical window changes (likely an installer)
  Uses new MSVCR Dlls
Malware Analysis System Evasion:
  May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
HIPS / PFW / Operating System Protection Evasion:
  May try to detect the Windows Explorer process (often used for injection)

Behavior Graph
[Behavior graph: ID 182796, Startdate 15/10/2019, Architecture WINDOWS, Score 48. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet. Graph: iexplore.exe (26 registry values, 87 files) started iexplore.exe (10 registry values, 318 files), which contacted 104.16.53.111 (unknown, United States), 104.16.86.20 (unknown, United States) and 27 other IPs or domains, and dropped C:\Users\user\AppData\Local\...\Y827I32K.htm (HTML); signature: Yara detected Audio Phisher]

Simulations
Behavior and APIs
No simulations

Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
No Antivirus matches
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source | Detection | Scanner | Label
www.mercadolivre.com.br/ | 0% | Avira URL Cloud | safe
www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
www.dailymail.co.uk/ | 0% | URL Reputation | safe
https://sites.gooRoot | 0% | Avira URL Cloud | safe
https://sites.goom/communities/117434057513505498243b-apps/awesome-tables/add- | 0% | Avira URL Cloud | safe
onib/query/?v=309 getbootstrap.com) | 0% | URL Reputation | safe
busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
https://sites.gooom/site/scriptsexamples/ailable-web-apps/mail-merge/Root | 0% | Avira URL Cloud | safe
www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
googleappsdeveloper.blogspot.fr/2011/10/4-ways-to-do-mail-merge-using-google.html | 0% | Avira URL Cloud | safe
cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
ocsp.pki.goog/gts1o10 | 0% | URL Reputation | safe
search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
buscar.ozu.es/ | 0% | Avira URL Cloud | safe
ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe
https://pki.goog/repository/0