Automated Malware Analysis Report for https://grenddottreliefss.cabanova.com/
ID: 441415
Cookbook: browseurl.jbs
Time: 22:03:40
Date: 28/06/2021
Version: 32.0.0 Black Diamond

Table of Contents (page numbers refer to the 22-page report)
Windows Analysis Report https://grenddottreliefss.cabanova.com/ ... 3
  Overview ... 3
    General Information ... 3
    Detection ... 3
    Signatures ... 3
    Classification ... 3
    Process Tree ... 3
    Malware Configuration ... 3
    Yara Overview ... 3
    Sigma Overview ... 3
    Signature Overview ... 3
      AV Detection ... 3
    Mitre Att&ck Matrix ... 4
    Behavior Graph ... 4
    Screenshots ... 4
      Thumbnails ... 4
  Antivirus, Machine Learning and Genetic Malware Detection ... 5
    Initial Sample ... 5
    Dropped Files ... 5
    Unpacked PE Files ... 5
    Domains ... 5
    URLs ... 6
  Domains and IPs ... 6
    Contacted Domains ... 6
    Contacted URLs ... 6
    URLs from Memory and Binaries ... 6
    Contacted IPs ... 6
      Public ... 6
  General Information ... 6
  Simulations ... 7
    Behavior and APIs ... 7
  Joe Sandbox View / Context ... 7
    IPs ... 7
    Domains ... 7
    ASN ... 7
    JA3 Fingerprints ... 7
    Dropped Files ... 7
  Created / dropped Files ... 7
  Static File Info ... 18
    No static file info ... 18
  Network Behavior ... 18
    Network Port Distribution ... 19
    TCP Packets ... 19
    UDP Packets ... 19
    DNS Queries ... 19
    DNS Answers ... 19
    HTTPS Packets ... 19
  Code Manipulations ... 21
  Statistics ... 21
    Behavior ... 21
  System Behavior ... 21
    Analysis Process: iexplore.exe PID: 4548 Parent PID: 792 ... 21
      General ... 21
      File Activities ... 22
      Registry Activities ... 22
    Analysis Process: iexplore.exe PID: 5516 Parent PID: 4548 ... 22
      General ... 22
      File Activities ... 22
      Registry Activities ... 22
  Disassembly ... 22

Copyright Joe Security LLC 2021 Page 2 of 22

Windows Analysis Report https://grenddottreliefss.cabanova.com/

Overview

General Information
Sample URL: https://grenddottreliefss.cabanova.com/
Analysis ID: 441415
Infos:
Most interesting Screenshot:

Detection / Signatures
Antivirus / Scanner detection for submitted sample
HTML body contains low number of …
HTML title does not match URL

Classification
Legend: malicious / suspicious / clean
Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Process Tree
System is w10x64
iexplore.exe (PID: 4548, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 5516, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4548 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Malware Configuration
No configs have been found

Yara Overview
No yara matches

Sigma Overview
No Sigma rule has matched

Signature Overview
AV Detection:
Antivirus / Scanner detection for submitted sample

Mitre Att&ck Matrix
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph
ID: 441415
URL: https://grenddottreliefss.c...
Startdate: 28/06/2021
Architecture: WINDOWS
Score: 48
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
Graph nodes:
  iexplore.exe (counters: 2, 61) started iexplore.exe (counters: 2, 64)
  Signature: Antivirus / Scanner detection for submitted sample
  grenddottreliefss.cabanova.com: 94.130.246.164, 443, 49721, 49722 (HETZNER-ASDE, Germany)
  sitebuilder.cabanova.com: 35.186.205.126, 443, 49734, 49735 (GOOGLEUS, United States)
  code.jquery.com

Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
https://grenddottreliefss.cabanova.com/ | 2% | Virustotal | | Browse
https://grenddottreliefss.cabanova.com/ | 100% | Avira URL Cloud | phishing |

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
www.asual.com/swfaddress/ | 1% | Virustotal | | Browse
www.asual.com/swfaddress/ | 0% | Avira URL Cloud | safe |
delicious.com/save?v=5&noui&jump=close&url=__URL__ | 0% | Avira URL Cloud | safe |
https://delicious.com/save?v=5&noui&jump=close&url=__URL__ | 0% | Avira URL Cloud | safe |
www.formspring.me/share?url=__URL__ | 0% | Avira URL Cloud | safe |
https://www.google.%/ads/ga-audiences? | 0% | URL Reputation | safe | (this row is listed four times in the report)
https://www.formspring.me/share?url=__URL__ | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
grenddottreliefss.cabanova.com | 94.130.246.164 | true | false | | high
sitebuilder.cabanova.com | 35.186.205.126 | true | false | | high
code.jquery.com | unknown | unknown | false | | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://grenddottreliefss.cabanova.com/ | false | | high

URLs from Memory and Binaries

Contacted IPs
Public
IP | Domain | Country | ASN | ASN Name | Malicious
35.186.205.126 | sitebuilder.cabanova.com | United States | 15169 | GOOGLEUS | false
94.130.246.164 | grenddottreliefss.cabanova.com | Germany | 24940 | HETZNER-ASDE | false

General Information
Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 441415
Start date: 28.06.2021
Start time: 22:03:40
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 39s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://grenddottreliefss.cabanova.com/
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.win@3/35@4/2
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:

Simulations
Behavior and APIs
No simulations

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
JA3 Fingerprints: No context
Dropped Files: No context

Created / dropped Files
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7A1E0376-D897-11EB-90E4-ECF4BB862DED}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 30296
Entropy (8bit): 1.8502238635052335
Encrypted: false
SSDEEP: 192:rHZMTZU2/WFtZkfcBBRMjJ3OLlLafUBKhX:r5M1DOPZKeB6jJ3OLlL4WKp
MD5: 76DDCB8E8EF46CB7037ACFCA5976FAC8
SHA1: A61DF97DB2DC14F17CE0AA04952FF8A156A27DCF
SHA-256: 8491F2FA2EF9EC55081B7CA2E6A41901193DA5DE8EA13BED745AF3F331348DCB
SHA-512: 1E5360D5FB91197A01F50FD2A562AB5ACA0C1A3B45E73F9F0AFE3C415ED4939A0F6B07C165766A245A20A4C59CB3CE053103BC846F2D6B1BAF3839A01F5CD4D6
Malicious: false
Reputation: low