ID: 328642 Cookbook: defaultwindowscmdlinecookbook.jbs Time: 14:20:48 Date: 09/12/2020 Version: 31.0.0 Red Diamond Table of Contents

Table of Contents 2 Analysis Report 4 Overview 4 General Information 4 Detection 4 Signatures 4 Classification 4 Startup 4 Malware Configuration 4 Yara Overview 4 Sigma Overview 4 Signature Overview 4 Boot Survival: 5 Mitre Att&ck Matrix 5 Behavior Graph 5 Screenshots 6 Thumbnails 6 Antivirus, Machine Learning and Genetic Malware Detection 7 Initial Sample 7 Dropped Files 7 Unpacked PE Files 7 Domains 7 URLs 7 Domains and IPs 7 Contacted Domains 8 Contacted IPs 8 General Information 8 Simulations 8 Behavior and APIs 8 Joe Sandbox View / Context 8 IPs 9 Domains 9 ASN 9 JA3 Fingerprints 9 Dropped Files 9 Created / dropped Files 9 Static File Info 9 No static file info 9 Network Behavior 9 Code Manipulations 9 Statistics 9 Behavior 9 System Behavior 10 Analysis Process: cmd.exe PID: 6668 Parent PID: 2124 10 General 10 File Activities 10 Analysis Process: conhost.exe PID: 6676 Parent PID: 6668 10 General 10 Analysis Process: schtasks.exe PID: 6720 Parent PID: 6668 11 General 11 File Activities 11 Analysis Process: regsvr32.exe PID: 6740 Parent PID: 528 11 General 11 Disassembly 11 Code Analysis 11

Copyright null 2020 Page 2 of 11 Copyright null 2020 Page 3 of 11 Analysis Report

Overview

General Information Detection Signatures Classification

Analysis ID: 328642 UUsseess sscchhtttaasskkss...eexxee oorrr aattt...eexxee tttoo aadddd … Most interesting Screenshot: CUCrrsreeaasttt eesscs h aat a ppsrrrokoscc.eessxsse i iinon r s sauutss.eppxeeenn ddtoee dda dmdoo …

PCPrrroeogagrrtraeams a dd opoereossc nenosotstt ssinhh ooswwu s mpeuuncchdh e aadcc ttmtiiivvoiii…

Ransomware SPSaraomgprpallleem ee dxxeoececusut ttiniiooonnt sstthtoooppwss wmwhuhiicillleeh pparrrcootcicveei… Miner Spreading

TSTrariiemessp ttloeo lelooxaaeddc mutiiisossnsii nnsggto DDpLsL LLwsshile proce TTrrriiieess tttoo lllooaadd miiissssiiinngg DDLLLLss mmaallliiiccciiioouusss malicious

Evader Phishing

sssuusssppiiiccciiioouusss Tries to load missing DLLs suspicious

cccllleeaann

clean

Exploiter Banker

Spyware Trojan / Bot

Adware

Score: 22 Range: 0 - 100 Whitelisted: false Confidence: 80%

Startup

System is w10x64 cmd.exe (PID: 6668 cmdline: cmd /C ' 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vsmztxer /tr 'regsvr32.exe -s \'C:\Users\Admin\AppData\Roa ming\Goka.zzxxcc\'' /SC ONCE /Z /ST 18:25 /ET 18:37' MD5: F3BDBE3BB6F734E357235F4D5898582D) conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) schtasks.exe (PID: 6720 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vsmztxer /tr 'regsvr32.exe -s \'C:\Users\Admin\AppData\Ro aming\Goka.zzxxcc\'' /SC ONCE /Z /ST 18:25 /ET 18:37 MD5: 15FF7D8324231381BAD48A052F85DF04) regsvr32.exe (PID: 6740 cmdline: regsvr32.exe -s 'C:\Users\Admin\AppData\Roaming\Goka.zzxxcc' MD5: D78B75FC68247E8A63ACBA846182740E) cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Copyright null 2020 Page 4 of 11 • System Summary • Boot Survival • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Mitre Att&ck Matrix

Remote Initial Privilege Defense Credential Lateral Command Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration and Control Effects Effects Impact Valid Scheduled Scheduled Process Process OS Security Remote Data from Exfiltration Data Eavesdrop on Remotely Modify Accounts Task/Job 1 Task/Job 1 Injection 1 1 Injection 1 1 Credential Software Services Local Over Other Obfuscation Insecure Track Device System Dumping Discovery 1 System Network Network Without Partition Medium Communication Authorization Default Scheduled DLL Side- Scheduled DLL Side- LSASS System Remote Data from Exfiltration Junk Data Exploit SS7 to Remotely Device Accounts Task/Job Loading 1 Task/Job 1 Loading 1 Memory Information Desktop Removable Over Redirect Phone Wipe Data Lockout Discovery 1 Protocol Media Bluetooth Calls/SMS Without Authorization Domain At (Linux) Logon Script DLL Side- Obfuscated Security Query SMB/Windows Data from Automated Steganography Exploit SS7 to Obtain Delete Accounts (Windows) Loading 1 Files or Account Registry Admin Shares Network Exfiltration Track Device Device Device Information Manager Shared Location Cloud Data Drive Backups

Behavior Graph

Copyright null 2020 Page 5 of 11 Hide Legend Legend: Process Behavior Graph Signature

ID: 328642 Created File

Cookbook: defaultwindowscmdlinecookbook.jbs DNS/IP Info Startdate: 09/12/2020 Is Dropped

Architecture: WINDOWS Is Windows Process Score: 22 Number of created Registry Values

Number of created Files

Visual Basic

Uses schtasks.exe or Delphi at.exe to add and modify started started task schedules Java

.Net C# or VB.NET

C, C++ or other language

Is malicious cmd.exe regsvr32.exe Internet

1

started started

conhost.exe schtasks.exe

1

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Copyright null 2020 Page 6 of 11 Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Copyright null 2020 Page 7 of 11 Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Red Diamond Analysis ID: 328642 Start date: 09.12.2020 Start time: 14:20:48 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 3m 47s Hypervisor based Inspection enabled: false Report type: light Cookbook file name: defaultwindowscmdlinecookbook.jbs Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 Number of analysed new started processes analysed: 24 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis Mode: default Analysis stop reason: Timeout Detection: SUS Classification: sus22.win@5/0@0/0 EGA Information: Failed HDC Information: Failed HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 Cookbook Comments: Adjust boot time Enable AMSI Warnings: Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe

Simulations

Behavior and APIs

Time Type Description 14:21:35 Task Scheduler Run new task: vsmztxer path: regsvr32.exe s>-s "C:\Users\Admin\AppData\Roaming\Goka.zzxxcc"

Joe Sandbox View / Context

Copyright null 2020 Page 8 of 11 IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• cmd.exe • conhost.exe • schtasks.exe • regsvr32.exe

Copyright null 2020 Page 9 of 11 Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 6668 Parent PID: 2124

General

Start time: 14:21:34 Start date: 09/12/2020 Path: C:\Windows\SysWOW64\cmd.exe Wow64 process (32bit): true Commandline: cmd /C ' 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vsmztxer /tr 'regsvr32.exe -s \'C:\Users\Admin\AppData\Roaming\Goka.zzxxcc\'' /SC ONCE /Z /ST 18:25 /ET 18:37' Imagebase: 0xbd0000 File size: 232960 bytes MD5 hash: F3BDBE3BB6F734E357235F4D5898582D Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: conhost.exe PID: 6676 Parent PID: 6668

General

Start time: 14:21:34 Start date: 09/12/2020 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Imagebase: 0x7ff6b2800000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high Copyright null 2020 Page 10 of 11 Analysis Process: schtasks.exe PID: 6720 Parent PID: 6668

General

Start time: 14:21:35 Start date: 09/12/2020 Path: C:\Windows\SysWOW64\schtasks.exe Wow64 process (32bit): true Commandline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vsmztxer /tr 'regsvr32.exe -s \'C:\Users\Admin\AppData\Roaming\Goka.zzxxcc\'' /SC ONCE /Z /ST 18:25 /ET 18:37 Imagebase: 0xa10000 File size: 185856 bytes MD5 hash: 15FF7D8324231381BAD48A052F85DF04 Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

Analysis Process: regsvr32.exe PID: 6740 Parent PID: 528

General

Start time: 14:21:35 Start date: 09/12/2020 Path: C:\Windows\System32\regsvr32.exe Wow64 process (32bit): false Commandline: regsvr32.exe -s 'C:\Users\Admin\AppData\Roaming\Goka.zzxxcc' Imagebase: 0x7ff6b2f80000 File size: 24064 bytes MD5 hash: D78B75FC68247E8A63ACBA846182740E Has elevated privileges: true Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate

Disassembly

Code Analysis

Copyright null 2020 Page 11 of 11