Automated Malware Analysis Report for Gridcoin-4.0.4-Win64-Setup
ID: 137413
Sample Name: gridcoin-4.0.4-win64-setup (1).exe
Cookbook: default.jbs
Time: 20:59:04
Date: 31/05/2019
Version: 26.0.0 Aquamarine

Table of Contents

Table of Contents ... 2
Analysis Report gridcoin-4.0.4-win64-setup (1).exe ... 4
Overview ... 4
General Information ... 4
Detection ... 4
Confidence ... 5
Classification ... 5
Analysis Advice ... 6
Mitre Att&ck Matrix ... 6
Signature Overview ... 7
AV Detection ... 7
Cryptography ... 7
Spreading ... 7
Networking ... 7
Key, Mouse, Clipboard, Microphone and Screen Capturing ... 8
E-Banking Fraud ... 8
System Summary ... 8
Data Obfuscation ... 8
Persistence and Installation Behavior ... 8
Boot Survival ... 8
Hooking and other Techniques for Hiding and Protection ... 9
Malware Analysis System Evasion ... 9
Anti Debugging ... 9
HIPS / PFW / Operating System Protection Evasion ... 9
Language, Device and Operating System Detection ... 9
Behavior Graph ... 9
Simulations ... 10
Behavior and APIs ... 10
Antivirus and Machine Learning Detection ... 10
Initial Sample ... 10
Dropped Files ... 10
Unpacked PE Files ... 11
Domains ... 11
URLs ... 11
Yara Overview ... 11
Initial Sample ... 11
PCAP (Network Traffic) ... 11
Dropped Files ... 11
Memory Dumps ... 11
Unpacked PEs ... 11
Joe Sandbox View / Context ... 11
IPs ... 11
Domains ... 12
ASN ... 12
JA3 Fingerprints ... 13
Dropped Files ... 13
Screenshots ... 13
Thumbnails ... 13
Startup ... 14
Created / dropped Files ... 14
Domains and IPs ... 33
Contacted Domains ... 33
Contacted URLs ... 33
URLs from Memory and Binaries ... 33
Contacted IPs ... 38
Public ... 38
Static File Info ... 38
General ... 38
File Icon ... 39

Copyright Joe Security LLC 2019 Page 2 of 109

Static PE Info ... 39
General ... 39
Entrypoint Preview ... 39
Data Directories ... 40
Sections ... 40
Resources ... 42
Imports ... 42
Version Infos ... 42
Possible Origin ... 42
Static AutoIT Info ... 43
General ... 43
Network Behavior ... 43
Network Port Distribution ... 43
TCP Packets ... 43
UDP Packets ... 45
DNS Queries ... 45
DNS Answers ... 46
HTTP Request Dependency Graph ... 46
HTTP Packets ... 46
Code Manipulations ... 47
Statistics ... 47
Behavior ... 47
System Behavior ... 47
Analysis Process: gridcoin-4.0.4-win64-setup (1).exe PID: 2292 Parent PID: 3592 ... 47
General ... 47
File Activities ... 47
File Created ... 48
File Deleted ... 52
File Written ... 52
File Read ... 84
Registry Activities ... 84
Key Created ... 84
Key Value Created ... 85
Key Value Modified ... 85
Analysis Process: gridcoinresearch.exe PID: 944 Parent PID: 2292 ... 85
General ... 85
File Activities ... 86
File Created ... 86
File Deleted ... 87
File Moved ... 87
File Written ... 87
File Read ... 108
Registry Activities ... 108
Key Created ... 108
Disassembly ... 109
Code Analysis ... 109

Analysis Report gridcoin-4.0.4-win64-setup (1).exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 137413
Start date: 31.05.2019
Start time: 20:59:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: gridcoin-4.0.4-win64-setup (1).exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus28.troj.winEXE@3/69@13/7
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 39.1% (good quality ratio 24.6%)
Quality average: 41.4%
Quality standard deviation: 41%
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
• TCP Packets have been reduced to 100
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 28
Range: 0 - 100
Whitelisted: false

Confidence

Strategy: Threshold
Score: 2
Range: 0 - 5
Further Analysis Required?: true

Classification

[Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious / suspicious / clean]

Analysis Advice

• Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
• Sample searches for specific files; try pointing organization-specific fake files to the analysis machine
• Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Execution through API 1; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Startup Items 1; Registry Run Keys / Startup Folder 1; Modify Existing Service 1; New Service 1; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Startup Items 1; Process Injection 1; New Service 1; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Masquerading 1; Process Injection 1; DLL Side-Loading 1; DLL Search Order Hijacking; Software Packing
Credential Access: Input Capture 1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: System Time Discovery 1; Security Software Discovery 1 1; File and Directory Discovery 1 2; System Information Discovery 2 3; Query Registry 1; Process Discovery 2; Remote System Discovery 1
Lateral Movement: Remote File Copy 1; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Input Capture 1; Clipboard Data 1; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted 1 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Uncommonly Used Port 1; Commonly Used Port 1; Remote File Copy 1; Standard Cryptographic Protocol 1; Standard Non-Application Layer Protocol 2; Standard Application Layer Protocol 2; Uncommonly Used Port

Signature Overview

• AV Detection
• Cryptography
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

AV Detection:
• Multi AV Scanner detection for submitted file

Cryptography:
• Public key (encryption) found

Spreading:
• Enumerates the file system
• Contains functionality to enumerate / list files inside a directory

Networking:
• Connects to many ports of the same IP (likely port scanning)
• Detected TCP or UDP traffic on non-standard ports
• Connects to IPs without corresponding DNS lookups
• IP address seen in connection with other malware
• Internet Provider seen in connection with other malware
• Downloads files from webservers via HTTP
• Found strings which match to known social media urls
• Performs DNS lookups
• Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:
• Contains functionality to read data from the clipboard
• Creates a DirectInput object (often for capturing keystrokes)

E-Banking Fraud:
• Found strings which match to known bank urls

System Summary:
• Contains functionality to shutdown / reboot the system
• Creates mutexes
• Detected potential crypto function
• Enables security privileges
• Found potential string decryption / allocating functions
• Reads the hosts file
• Sample file is different than original file name gathered from version info
• Sample reads its own file content
• Tries to load missing DLLs
• Binary contains paths to development resources
• Classification label
• Contains functionality to check free disk space
• Contains functionality to instantiate COM classes
• Creates files inside the program directory
• Creates files inside the user directory
• Creates temporary files
• PE file has an executable .text section and no