Automated Malware Analysis Report For
ID: 39901
Sample Name: GUf5eGGUpw.000
Cookbook: default.jbs
Time: 00:06:11
Date: 13/12/2017
Version: 20.0.0

Table of Contents
  Table of Contents 2
  Analysis Report 4
    Overview 4
      General Information 4
      Detection 4
      Confidence 4
      Classification 5
      Analysis Advice 5
    Signature Overview 6
      Key, Mouse, Clipboard, Microphone and Screen Capturing 6
      Software Vulnerabilities 6
      Networking 6
      Boot Survival 6
      Persistence and Installation Behavior 6
      Data Obfuscation 6
      Spreading 7
      System Summary 7
      HIPS / PFW / Operating System Protection Evasion 7
      Anti Debugging 7
      Malware Analysis System Evasion 7
      Hooking and other Techniques for Hiding and Protection 8
      Language, Device and Operating System Detection 8
    Behavior Graph 8
    Simulations 8
      Behavior and APIs 8
    Antivirus Detection 9
      Initial Sample 9
      Dropped Files 9
      Domains 9
    Yara Overview 9
      Initial Sample 9
      PCAP (Network Traffic) 9
      Dropped Files 9
      Memory Dumps 9
      Unpacked PEs 9
    Joe Sandbox View / Context 9
      IPs 9
      Domains 9
      ASN 10
      Dropped Files 10
    Screenshot 11
    Startup 11
    Created / dropped Files 11
    Contacted Domains/Contacted IPs 14
      Contacted Domains 14
      Contacted IPs 15
    Static File Info 15
      General 15
      File Icon 15
      Static PE Info 16
        General 16
        Entrypoint Preview 16
        Data Directories 17
        Sections 17
        Resources 18
        Imports 18
        Possible Origin 19
    Network Behavior 19
      Network Port Distribution 19
      TCP Packets 19
      UDP Packets 19
      DNS Queries 20
      DNS Answers 20
      HTTP Request Dependency Graph 20
      HTTP Packets 20
    Code Manipulations 20
    Statistics 20
      Behavior 20
    System Behavior 20
      Analysis Process: GUf5eGGUpw.exe PID: 3256 Parent PID: 2972 21
        General 21
        File Activities 21
          File Created 21
          File Deleted 23
          File Written 23
      Analysis Process: DiskGenius.exe PID: 3272 Parent PID: 3256 33
        General 33
        File Activities 33
        Registry Activities 33
    Disassembly 33
      Code Analysis 34

Copyright Joe Security LLC 2017 Page 2 of 34

Analysis Report

Overview

General Information
Joe Sandbox Version: 20.0.0
Analysis ID: 39901
Start time: 00:06:11
Joe Sandbox Product: CloudBasic
Start date: 13.12.2017
Overall analysis duration: 0h 6m 9s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: GUf5eGGUpw.000 (renamed file extension from 000 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: MAL
Classification: mal60.evad.spyw.winEXE@3/20@1/1
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 2.9% (good quality ratio 2.9%)
Quality average: 86.1%
Quality standard deviation: 22.3%
Warnings:
  • Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection
Strategy    Score   Range     Reporting        Detection
Threshold   60      0 - 100   Report FP / FN

Confidence
Strategy    Score   Range   Further Analysis Required?
Threshold   5       0 - 5   false

Classification
[Classification chart: scale malicious / suspicious / clean; categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware]

Analysis Advice
  • Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
  • Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
  • Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
  • Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Signature Overview

Key, Mouse, Clipboard, Microphone and Screen Capturing:
  • Contains functionality to read data from the clipboard
  • Contains functionality to record screenshots
  • Creates a window with clipboard capturing capabilities
  • Contains functionality to register a low level keyboard hook
  • Installs a global keyboard hook

Software Vulnerabilities:
  • Found inlined nop instructions (likely shell or obfuscated code)

Networking:
  • Contains functionality to download additional files from the internet
  • Downloads files
  • Downloads files from webservers via HTTP
  • Performs DNS lookups
  • Urls found in memory or binary data

Boot Survival:
  • Contains functionality to infect the boot sector

Persistence and Installation Behavior:
  • Creates license or readme file
  • Contains functionality to read ini properties file for application configuration
  • Drops PE files
  • May use bcdedit to modify the Windows boot settings
  • Contains functionality to infect the boot sector
  • Drops PE files with a suspicious file extension

Data Obfuscation:
  • Contains functionality to dynamically determine API calls
  • File is packed with WinRar
  • Uses code obfuscation techniques (call, push, ret)

Spreading:
  • Contains functionality to enumerate / list files inside a directory
  • Contains functionality to get notified if a device is plugged in / out

System Summary:
  • Executable creates window controls seldom found in malware
  • Uses Rich Edit Controls
  • Found graphical window changes (likely an installer)
  • Submission file is bigger than most known malware samples
  • PE file contains a debug data directory
  • Binary contains paths to debug symbols
  • Classification label
  • Contains functionality for error logging
  • Contains functionality to adjust token privileges (e.g. debug / backup)
  • Contains functionality to instantiate COM classes
  • Contains functionality to load and extract PE file embedded resources
  • Creates temporary files
  • PE file has an executable .text section and no other executable section
  • Reads ini files
  • Reads software policies
  • Sample is known by Antivirus (Virustotal or Metascan)
  • Spawns processes
  • Uses an in-process (OLE) Automation server
  • Contains functionality to communicate with device drivers
  • Creates driver files
  • Found potential string decryption / allocating functions
  • PE file contains executable resources (Code or Archives)
  • PE file contains strange resources
  • PE file does not import any functions
  • Reads the hosts file
  • Tries to load missing DLLs

HIPS / PFW / Operating System Protection Evasion:
  • May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:
  • Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  • Contains functionality to dynamically determine API calls
  • Contains functionality which may be used to detect a debugger (GetProcessHeap)

Malware Analysis System Evasion:
  • Contains functionality to enumerate / list files inside a directory
  • May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  • Program exit points
  • Found dropped PE file which has not been started or loaded
  • Found large amount of non-executed APIs
  • May sleep (evasive loops) to hinder dynamic analysis
  • Queries disk information (often used to detect virtual machines)
  • Tries to detect virtual machines

Hooking and other Techniques for Hiding and Protection:
  • Disables application error messages (SetErrorMode)
  • Extensive use of GetProcAddress (often used to hide API calls)

Language, Device and Operating System Detection:
  • Contains functionality to query local / system time
  • Contains functionality to query windows version
  • Queries the cryptographic machine GUID
  • Contains functionality to query locales information (e.g. system language)

Behavior Graph
[Behavior graph figure; recoverable node and legend text follows]
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious
ID: 39901
Sample: GUf5eGGUpw.000
Startdate: 13/12/2017
Architecture: WINDOWS
Score: 60
Process GUf5eGGUpw.exe (node badge: 32), started
  Signatures: Contains functionality to infect the boot sector; Contains functionality to register a low level keyboard hook; Installs a global keyboard hook
  Dropped: Hdrw.dll (PE32), HdrwImg.dll (PE32), Hdrwnt.dll (PE32); dropped files exceeded maximum capacity for this level, 12 dropped files have been hidden
  Started: DiskGenius.exe (node badge: 11), Is malicious; Signature: Drops PE files with a suspicious file extension
  DNS/IP Info: www.diskman.cc; 120.27.53.36, port 80; CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd, China

Simulations

Behavior and APIs
No simulations

Antivirus Detection

Initial Sample
Source          Detection   Cloud Link
GUf5eGGUp.exe   3%          virustotal

Dropped Files