ID: 231093
Sample Name: charles-proxy-4.5.6-win64.msi
Cookbook: default.jbs
Time: 16:53:59
Date: 18/05/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report charles-proxy-4.5.6-win64.msi 4
Overview 4
General Information 4
Detection 4
Confidence 5
Classification Spiderchart 5
Analysis Advice 6
Mitre Att&ck Matrix 6
Signature Overview 6
Spreading: 6
Networking: 6
System Summary: 6
Persistence and Installation Behavior: 7
Hooking and other Techniques for Hiding and Protection: 7
Malware Analysis System Evasion: 7
Language, Device and Detection: 7
Lowering of HIPS / PFW / Operating System Security Settings: 7
Malware Configuration 7
Behavior Graph 7
Simulations 8
Behavior and APIs 8
Antivirus, Machine Learning and Genetic Malware Detection 8
Initial Sample 8
Dropped Files 8
Unpacked PE Files 8
Domains 8
URLs 9
Yara Overview 9
Initial Sample 9
PCAP (Network Traffic) 9
Dropped Files 9
Memory Dumps 9
Unpacked PEs 9
Sigma Overview 9
Joe Sandbox View / Context 9
IPs 9
Domains 9
ASN 9
JA3 Fingerprints 9
Dropped Files 10
Screenshots 10
Thumbnails 10
Startup 10
Created / dropped Files 11
Domains and IPs 11
Contacted Domains 11
URLs from Memory and Binaries 11
Contacted IPs 11
Static File Info 12
General 12
File Icon 12
Network Behavior 12
Code Manipulations 12
Statistics 12
Behavior 12

Copyright Joe Security LLC 2020 Page 2 of 14

System Behavior 13
Analysis Process: msiexec.exe PID: 5052 Parent PID: 4316 13
General 13
File Activities 13
Registry Activities 13
Analysis Process: msiexec.exe PID: 4412 Parent PID: 3988 13
General 13
Disassembly 14
Code Analysis 14

Analysis Report charles-proxy-4.5.6-win64.msi

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 231093
Start date: 18.05.2020
Start time: 16:53:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: charles-proxy-4.5.6-win64.msi
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winMSI@2/1@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .msi

Warnings:
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy    Score   Range     Reporting   Whitelisted   Detection
Threshold   2       0 - 100               false

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   3       0 - 5   true

Classification Spiderchart

[Spiderchart: axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; rings labelled malicious, suspicious, clean]

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access: Replication Through Removable Media 1; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Graphical User Interface 2; Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Disabling Security Tools 1; Modify Registry 1; Process Injection 1; DLL Side-Loading 1
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Peripheral Device Discovery 1 1; File and Directory Discovery 1; System Information Discovery 1 3; System Network Configuration Discovery
Lateral Movement: Replication Through Removable Media 1; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Signature Overview

• Spreading
• Networking
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings


Spreading:

Checks for available system drives (often done to infect USB drives)

Networking:

Urls found in memory or binary data

System Summary:

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Classification label

Creates temporary files

Reads ini files

Reads policies

Sample is a Windows installer

Spawns processes

Uses an in-process (OLE) Automation server

Found GUI installer (many successful clicks)

Found graphical window changes (likely an installer)

Submission file is bigger than most known malware samples

Binary contains paths to debug symbols

Persistence and Installation Behavior:

Drops PE files

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Checks the free space of harddrives

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Queries the cryptographic machine GUID

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates

Malware Configuration

No configs have been found

Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

ID: 231093
Sample: charles-proxy-4.5.6-win64.msi
Startdate: 18/05/2020
Architecture: WINDOWS
Score: 2

msiexec.exe --started--> msiexec.exe
msiexec.exe --dropped--> C:\Users\user\AppData\Local\Temp\MSIA9A.tmp, PE32

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source                           Detection   Scanner        Label   Link
charles-proxy-4.5.6-win64.msi    0%          Virustotal             Browse
charles-proxy-4.5.6-win64.msi    0%          Metadefender           Browse

Dropped Files

Source                                         Detection   Scanner        Label   Link
C:\Users\user\AppData\Local\Temp\MSIA9A.tmp    0%          Virustotal             Browse
C:\Users\user\AppData\Local\Temp\MSIA9A.tmp    0%          Metadefender           Browse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source                                          Detection   Scanner          Label   Link
crl.sectigo.com/COMODOTimeStampingCA_2.crl0r    1%          Virustotal               Browse
crl.sectigo.com/COMODOTimeStampingCA_2.crl0r    0%          URL Reputation   safe
ocsp.sectigo.com0                               0%          URL Reputation   safe
https://sectigo.com/CPS0B                       0%          Virustotal               Browse
https://sectigo.com/CPS0B                       0%          URL Reputation   safe
crt.sectigo.com/COMODOTimeStampingCA_2.crt0#    0%          Virustotal               Browse
crt.sectigo.com/COMODOTimeStampingCA_2.crt0#    0%          URL Reputation   safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match                                          Associated Sample Name / URL        SHA 256    Detection   Link     Context
C:\Users\user\AppData\Local\Temp\MSIA9A.tmp    WordConnectSetup-User(1.7.0).msi    Get hash   malicious   Browse

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
msiexec.exe (PID: 5052 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\charles-proxy-4.5.6-win64.msi' MD5: 4767B71A318E201188A0D0A420C8B608)
msiexec.exe (PID: 4412 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 8BE91C52776A6FD3B2990A275FF239DF C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MSIA9A.tmp

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 107008
Entropy (8bit): 6.5209930454984955
Encrypted: false
MD5: F54BFFE4D54C0B794C5389BD2C7BAAC2
SHA1: C472C6A4BD6510B02244D53819EF07882BC101E0
SHA-256: 3C06F5BECA24D0EDAEB63BDD5E671386FFC66807E323BA6BCB893260EB52D433
SHA-512: A722D4770D605D489C14FDE532CACD031B11467041C5FF304C4C63A95EFC21896996CC6EEEF45BC462F7C72361763885F763ED732B75436E4BD191EEED829441
Malicious: false
Antivirus: Virustotal, Detection: 0%, Browse; Metadefender, Detection: 0%, Browse
Joe Sandbox View: Filename: WordConnectSetup-User(1.7.0).msi, Detection: malicious, Browse
Reputation: moderate, very likely benign file

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name: https://www.charlesproxy.com/
Source: msiexec.exe, 00000000.00000003.778139536.00000194484B9000.00000004.00000001.sdmp; msiexec.exe, 00000000.00000002.874331687.000001944AA30000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: (none)
Reputation: high

Name: crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: msiexec.exe, 00000000.00000003.871490074.00000194484C0000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: 1%, Virustotal, Browse; URL Reputation: safe
Reputation: low

Name: ocsp.sectigo.com0
Source: msiexec.exe, 00000000.00000003.871490074.00000194484C0000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: https://sectigo.com/CPS0B
Source: msiexec.exe, 00000000.00000003.871490074.00000194484C0000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; URL Reputation: safe
Reputation: low

Name: https://www.charlesproxy.com/buy/
Source: charles-proxy-4.5.6-win64.msi
Malicious: false
Antivirus Detection: (none)
Reputation: high

Name: crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: msiexec.exe, 00000000.00000003.871490074.00000194484C0000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: 0%, Virustotal, Browse; URL Reputation: safe
Reputation: low

Contacted IPs

No contacted IP infos

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Charles 4.5.6 Installer, Author: XK72 Ltd, Keywords: Installer, Comments: Copyright 2017 XK72 Ltd, Template: x64;1033, Revision Number: {114DE1DA-8407-44F6-A55C-3094C20D329A}, Create Time/Date: Tue Jan 14 23:52:09 2020, Last Saved Time/Date: Tue Jan 14 23:52:09 2020, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1701), Security: 2
Entropy (8bit): 7.986394692464093
TrID: Installer (77509/1) 90.64%; Generic OLE2 / Multistream Compound File (8008/1) 9.36%
File name: charles-proxy-4.5.6-win64.msi
File size: 57728000
MD5: affcd0eed5e4cac671bcaa19c8d6b5c5
SHA1: b25de9ee3c4176be6cc0656e20833fc5dc444dd1
SHA256: 4c980c37792e675ea981a9263c8275c5c840a87cd62063d09833d32db2dcbd71
SHA512: a862bbfeddc047585ce673a9fa6c105cba741270919b5f35f8b4d640d21931f3af6af831e08b1ace6afac3ea82c70dfdfe3dd939fbe687a2957f7aed18536159
SSDEEP: 1572864:S/oOgu0+5OrHf340IMvuaSzA1WX21rH1l9HICXLIcqvdm:S/oOgu08OjfPIMvuaSE2ExpIcss

File Icon

Icon Hash: a2a0b496b2caca72

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• msiexec.exe
• msiexec.exe


System Behavior

Analysis Process: msiexec.exe PID: 5052 Parent PID: 4316

General

Start time: 16:54:25
Start date: 18/05/2020
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\charles-proxy-4.5.6-win64.msi'
Imagebase: 0x7ff61f7f0000
File size: 66048 bytes
MD5 hash: 4767B71A318E201188A0D0A420C8B608
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Source File Path Completion Count Address Symbol

Source File Path Offset Length Value Ascii Completion Count Address Symbol

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Analysis Process: msiexec.exe PID: 4412 Parent PID: 3988

General

Start time: 16:54:42
Start date: 18/05/2020
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding 8BE91C52776A6FD3B2990A275FF239DF C
Imagebase: 0xa00000
File size: 59904 bytes
MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
