Automated Malware Analysis Report for https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/
Total Page:16
File Type:pdf, Size:1020Kb
ID: 378032   Cookbook: urldownload.jbs   Time: 11:41:34   Date: 30/03/2021   Version: 31.0.0 Emerald

Table of Contents
  Analysis Report https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/ .... 3
    Overview .... 3
      General Information 3, Detection 3, Signatures 3, Classification 3, Startup 3, Malware Configuration 3, Yara Overview 3, Sigma Overview 3, Signature Overview 3, Mitre Att&ck Matrix 4, Behavior Graph 4, Screenshots 5 (Thumbnails 5)
    Antivirus, Machine Learning and Genetic Malware Detection .... 6
      Initial Sample 6, Dropped Files 6, Unpacked PE Files 6, Domains 6, URLs 6
    Domains and IPs .... 7
      Contacted Domains 7, URLs from Memory and Binaries 7, Contacted IPs 7 (Public 8, Private 8)
    General Information .... 8
    Simulations .... 9
      Behavior and APIs 9
    Joe Sandbox View / Context .... 9
      IPs 9, Domains 9, ASN 9, JA3 Fingerprints 10, Dropped Files 10
    Created / dropped Files .... 10
    Static File Info .... 15
      No static file info 15
    Network Behavior .... 15
      UDP Packets 15, DNS Queries 16, DNS Answers 16
    Code Manipulations .... 16
    Statistics .... 16
      Behavior 16
    System Behavior .... 17
      Analysis Process: cmd.exe PID: 6692 Parent PID: 4812 .... 17 (General 17, File Activities 17, File Created 17)
      Analysis Process: conhost.exe PID: 6704 Parent PID: 6692 .... 17 (General 17)
      Analysis Process: wget.exe PID: 6736 Parent PID: 6692 .... 18 (General 18, File Activities 18, File Created 18)
      Analysis Process: iexplore.exe PID: 6836 Parent PID: 6032 .... 18 (General 18, File Activities 19, Registry Activities 19)
      Analysis Process: iexplore.exe PID: 6884 Parent PID: 6836 .... 19 (General 19, File Activities 19)
    Disassembly .... 19
      Code Analysis 19

Copyright Joe Security LLC 2021

Analysis Report https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/

Overview

General Information
  Sample URL: https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/
  Analysis ID: 378032
  Infos: (none)
  Most interesting Screenshot: (none)

Detection
  Score: 0   Range: 0 - 100   Whitelisted: false   Confidence: 100%
  Verdict: clean (report scale: malicious / suspicious / clean)

Signatures
  Queries the volume information (nam…

Classification
  Categories shown in the classification chart: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware.

Startup
  System is w10x64
  cmd.exe (PID: 6692, cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/' > cmdline.out 2>&1, MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 6704, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    wget.exe (PID: 6736, cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/', MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  iexplore.exe (PID: 6836, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\index.html, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    iexplore.exe (PID: 6884, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6836 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  cleanup

  The wget invocation passes --no-check-certificate, so the TLS certificate presented by bazaar.abuse.ch was not validated for this fetch, and it spoofs an Internet Explorer 11 User-Agent. The file it saved, and that the cookbook then opened in Internet Explorer, is index.html (wget's default name for a URL ending in a slash when the server supplies no other filename), not a file named after the SHA-256 in the URL. The clean verdict therefore describes that HTML page, not the sample the hash identifies.

Malware Configuration
  No configs have been found

Yara Overview
  No yara matches

Sigma Overview
  No Sigma rule has matched

Signature Overview
  Signature groups: Compliance; Networking; System Summary; Language, Device and Operating System Detection
  There are no malicious signatures.

Mitre Att&ck Matrix
  Entries carrying a count are the techniques this analysis matched; the others are the matrix's unmatched template entries.
  Initial Access:         Valid Accounts; Default Accounts; Domain Accounts
  Execution:              Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
  Persistence:            Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  Privilege Escalation:   Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
  Defense Evasion:        Masquerading (1); Process Injection (1); Obfuscated Files or Information
  Credential Access:      OS Credential Dumping; LSASS Memory; Security Account Manager
  Discovery:              File and Directory Discovery (1); System Information Discovery (1, 2); Remote System Discovery (1)
  Lateral Movement:       Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  Collection:             Data from Local System; Data from Removable Media; Data from Network Shared Drive
  Exfiltration:           Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  Command and Control:    Non-Application Layer Protocol (1); Application Layer Protocol (1); Steganography
  Network Effects:        Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Behavior Graph (figure)
  ID: 378032   Start date: 30/03/2021   Architecture: WINDOWS   Score: 0
  Nodes: cmd.exe, conhost.exe, wget.exe, iexplore.exe (two instances), bazaar.abuse.ch (resolved IP unknown), 192.168.2.1.
  cmd.exe started wget.exe and conhost.exe; iexplore.exe (PID 6836) started iexplore.exe (PID 6884).

Screenshots / Thumbnails (figure)
  This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
  Source | Detection | Scanner | Label
  https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/ | 0% | Avira URL Cloud | safe

Dropped Files
  No Antivirus matches

Unpacked PE Files
  No Antivirus matches

Domains
  No Antivirus matches

URLs
  Source | Detection | Scanner | Label
  www.wikipedia.com/ | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains
  Name | IP | Active | Malicious | Antivirus Detection | Reputation
  bazaar.abuse.ch | unknown | unknown | false | (none) | high

URLs from Memory and Binaries
  Name | Source | Malicious | Antivirus Detection | Reputation
  www.wikipedia.com/ | msapplication.xml6.3.dr | false | URL Reputation: safe | unknown
  www.amazon.com/ | msapplication.xml.3.dr | false | (none) | high
  www.nytimes.com/ | msapplication.xml3.3.dr | false | (none) | high
  https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/re | wget.exe, 00000002.00000002.640781683.0000000002B1A000.00000004.00000001.sdmp | false | (none) | high
  www.live.com/ | msapplication.xml2.3.dr | false | (none) | high
  https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/V | wget.exe, 00000002.00000002.640257464.0000000000FE0000.00000004.00000040.sdmp; wget.exe, 00000002.00000002.640262128.0000000000FE6000.00000004.00000040.sdmp | false | (none) | high
  www.reddit.com/ | msapplication.xml4.3.dr | false | (none) | high
  www.twitter.com/ | msapplication.xml5.3.dr | false | (none) | high
  https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/ | wget.exe, 00000002.00000002.640262128.0000000000FE6000.00000004.00000040.sdmp; cmdline.out.2.dr | false | (none) | high
  www.youtube.com/ | msapplication.xml7.3.dr | false | (none) | high
  https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/P | wget.exe, 00000002.00000002.640257464.0000000000FE0000.00000004.00000040.sdmp | false | (none) | high

Contacted IPs
  Public
    IP | Domain | Country | Flag | ASN | ASN Name | Malicious
    (none)
  Private
    192.168.2.1

General Information
  Joe Sandbox Version: 31.0.0 Emerald
  Analysis ID: 378032
  Start date: 30.03.2021
  Start time: 11:41:34
  Joe Sandbox Product: CloudBasic
  Overall analysis duration: 0h 4m 6s
  Hypervisor based Inspection enabled: false
  Report type: light
  Cookbook file name: urldownload.jbs
  Sample URL: https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/
  Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
  Number of new started processes analysed: 13
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
  Analysis Mode: default
  Analysis stop reason: Timeout
  Detection: CLEAN
  Classification: clean0.win@7/16@1/1
  EGA Information: Failed
  HDC Information: Failed
  HCA Information: Successful, ratio: 100%
  Number of executed functions: 0
  Number of non-executed functions: 0
  Cookbook Comments: Adjust boot time; Enable AMSI
  Warnings: Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe

  EGA and HDC both failed and no functions were executed, so the verdict rests on the behavioral and network observations alone, not on any code-level analysis.
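The Startup section of this report lists the process chain as flat text, and the points a reviewer has to pull out of it by hand are the parent/child relations, the wget options that weaken the fetch, and which file the cookbook actually handed to the browser. The script below is an added example, not part of Joe Security's report or tooling. Its input is the five Startup entries copied verbatim (constructed inline) plus the parent PIDs taken from the System Behavior headings; the regular expression assumes this report's "name (PID: n cmdline: ... MD5: hex)" layout, the list of weakening wget options is the example's own, and the final check only looks for the requested SHA-256 in the name of the opened file.

```python
"""Triage the Startup section of a Joe Sandbox urldownload report (added example, not Joe Security code)."""
from __future__ import annotations
import re
import shlex
from dataclasses import dataclass, field

# Constructed input: the five Startup entries of the report above, copied verbatim, and the parent PIDs from its System Behavior headings.
STARTUP_TEXT = r"""
cmd.exe (PID: 6692 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 6704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
wget.exe (PID: 6736 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
iexplore.exe (PID: 6836 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\index.html MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
iexplore.exe (PID: 6884 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6836 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
"""
PARENT_PIDS = {6692: 4812, 6704: 6692, 6736: 6692, 6836: 6032, 6884: 6836}  # PID -> parent PID

# One Startup entry in this report reads: name (PID: n cmdline: ... MD5: hex)
ENTRY_RE = re.compile(r"^(?P<name>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$", re.M)
SHA256_RE = re.compile(r"[0-9a-f]{64}")
# wget options that weaken a fetch (the example's own list, not taken from the report)
WEAK_WGET_FLAGS = {"--no-check-certificate": "TLS server certificate is not verified, so the fetch can be intercepted"}

@dataclass
class Process:
    name: str
    pid: int
    ppid: int | None
    cmdline: str
    md5: str
    children: list[Process] = field(default_factory=list)

def split_cmdline(cmdline: str) -> list[str]:
    # Like shlex.split, but backslashes stay literal so Windows paths survive intact.
    lex = shlex.shlex(cmdline, posix=True)
    lex.whitespace_split, lex.commenters, lex.escape = True, "", ""
    return list(lex)

def parse_startup(text: str, parents: dict[int, int]) -> dict[int, Process]:
    # PID -> Process for every entry, with children linked through the parent-PID map.
    procs = {int(m["pid"]): Process(m["name"], int(m["pid"]), parents.get(int(m["pid"])), m["cmd"], m["md5"].upper())
             for m in ENTRY_RE.finditer(text)}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs

def render_tree(procs: dict[int, Process]) -> list[str]:
    # Indented one-line-per-process view, depth-first from each process whose parent was not captured.
    lines: list[str] = []
    def walk(p: Process, depth: int) -> None:
        lines.append(f"{'  ' * depth}{p.name} (PID {p.pid}, parent {p.ppid}, MD5 {p.md5})")
        for child in p.children:
            walk(child, depth + 1)
    for root in [p for p in procs.values() if p.ppid not in procs]:
        walk(root, 0)
    return lines

def analyse_wget(cmdline: str) -> dict:
    # Target URL, any SHA-256 embedded in it, the -P directory, the User-Agent and weakening flags.
    argv = split_cmdline(cmdline)
    info = {"url": None, "sha256": None, "download_dir": None, "user_agent": None, "weak_flags": []}
    for i, arg in enumerate(argv[1:], 1):
        if argv[i - 1] == "-P":                     # value of -P <dir>: where wget writes the file
            info["download_dir"] = arg
        elif arg.startswith("--user-agent="):
            info["user_agent"] = arg.split("=", 1)[1]
        elif arg in WEAK_WGET_FLAGS:
            info["weak_flags"].append(arg)
        elif arg.startswith(("http://", "https://")):
            info["url"] = arg
            m = SHA256_RE.search(arg)
            info["sha256"] = m.group(0) if m else None
    return info

def triage(text: str = STARTUP_TEXT, parents: dict[int, int] = PARENT_PIDS) -> dict:
    # Process tree plus the download-related findings a reviewer of this report wants.
    procs = parse_startup(text, parents)
    result = {"tree": render_tree(procs), "wget": None, "opened_file": None, "notes": []}
    wget = next((p for p in procs.values() if p.name.lower() == "wget.exe"), None)
    if wget is None:
        return result
    info = result["wget"] = analyse_wget(wget.cmdline)
    result["notes"] += [f"{flag}: {WEAK_WGET_FLAGS[flag]}" for flag in info["weak_flags"]]
    if info["user_agent"] and not info["user_agent"].startswith("Wget/"):
        result["notes"].append("User-Agent spoofed: " + info["user_agent"])
    if info["download_dir"]:
        # Which file did the cookbook hand on? Any argument that points inside the -P directory.
        prefix = info["download_dir"].lower() + "\\"
        for p in procs.values():
            hit = next((t for t in split_cmdline(p.cmdline) if t.lower().startswith(prefix)), None)
            if hit:
                result["opened_file"] = hit
                break
    opened = result["opened_file"]
    if opened and info["sha256"] and info["sha256"] not in opened.lower():
        result["notes"].append(f"verdict covers {opened}, which is not named after the requested SHA-256 {info['sha256']}")
    return result
```

Calling `triage()` on the embedded entries returns the two-root tree (cmd.exe with conhost.exe and wget.exe beneath it, iexplore.exe with its child iexplore.exe), the wget target URL with its SHA-256, `--no-check-certificate` as the only weakening flag, the spoofed IE 11 User-Agent, and `C:\Users\user\Desktop\download\index.html` as the file the browser was given, with a note that this is not a file named after the requested hash. The tokenizer disables shlex's backslash escaping on purpose: with the default POSIX rules the unquoted Windows path in the iexplore.exe command line would lose every backslash.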