ID: 328642 Cookbook: defaultwindowscmdlinecookbook.jbs Time: 14:20:48 Date: 09/12/2020 Version: 31.0.0 Red Diamond
Copyright null 2020 Page 2 of 11
Analysis Report
Overview
General Information
Analysis ID: 328642
Most interesting Screenshot: (screenshot not reproduced in this extract)

Detection
Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures
• Uses schtasks.exe or at.exe to add and modify task schedules
• Creates a process in suspended mode …
• Program does not show much activity …
• Sample execution stops while process …
• Tries to load missing DLLs

Classification
(Radar chart not reproduced. Categories on the chart: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Legend: malicious, suspicious, clean.)
Startup
System is w10x64
• cmd.exe (PID: 6668, cmdline: cmd /C ' 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vsmztxer /tr 'regsvr32.exe -s \'C:\Users\Admin\AppData\Roaming\Goka.zzxxcc\'' /SC ONCE /Z /ST 18:25 /ET 18:37', MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • conhost.exe (PID: 6676, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • schtasks.exe (PID: 6720, cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vsmztxer /tr 'regsvr32.exe -s \'C:\Users\Admin\AppData\Roaming\Goka.zzxxcc\'' /SC ONCE /Z /ST 18:25 /ET 18:37, MD5: 15FF7D8324231381BAD48A052F85DF04)
• regsvr32.exe (PID: 6740, cmdline: regsvr32.exe -s 'C:\Users\Admin\AppData\Roaming\Goka.zzxxcc', MD5: D78B75FC68247E8A63ACBA846182740E)
• cleanup
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
No Sigma rule has matched
Signature Overview
• System Summary
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
Boot Survival:
Uses schtasks.exe or at.exe to add and modify task schedules
Mitre Att&ck Matrix
Techniques listed per tactic column; a number after a technique is the hit count shown in the matrix.
• Initial Access: Valid Accounts; Default Accounts; Domain Accounts
• Execution: Scheduled Task/Job 1; Scheduled Task/Job; At (Linux)
• Persistence: Scheduled Task/Job 1; DLL Side-Loading 1; Logon Script (Windows)
• Privilege Escalation: Process Injection 1 1; Scheduled Task/Job 1; DLL Side-Loading 1
• Defense Evasion: Process Injection 1 1; DLL Side-Loading 1; Obfuscated Files or Information
• Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
• Discovery: Security Software Discovery 1; System Information Discovery 1; Query Registry
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
• Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
• Command and Control: Data Obfuscation; Junk Data; Steganography
• Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
• Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
• Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph
(Rendered behavior graph not reproduced.)
Graph header: ID: 328642, Cookbook: defaultwindowscmdlinecookbook.jbs, Startdate: 09/12/2020, Architecture: WINDOWS, Score: 22
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
Graph nodes: cmd.exe started conhost.exe and schtasks.exe; regsvr32.exe; signature "Uses schtasks.exe or at.exe to add and modify task schedules"
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
No Antivirus matches
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos
General Information
Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 328642
Start date: 09.12.2020
Start time: 14:20:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 47s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: defaultwindowscmdlinecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus22.win@5/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings: Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Simulations
Behavior and APIs
Time | Type | Description
14:21:35 | Task Scheduler | Run new task: vsmztxer path: regsvr32.exe s>-s "C:\Users\Admin\AppData\Roaming\Goka.zzxxcc"
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
No created / dropped files found
Static File Info
No static file info
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
• cmd.exe
• conhost.exe
• schtasks.exe
• regsvr32.exe
System Behavior
Analysis Process: cmd.exe PID: 6668 Parent PID: 2124
General
Start time: 14:21:34
Start date: 09/12/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /C ' 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vsmztxer /tr 'regsvr32.exe -s \'C:\Users\Admin\AppData\Roaming\Goka.zzxxcc\'' /SC ONCE /Z /ST 18:25 /ET 18:37'
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
Analysis Process: conhost.exe PID: 6676 Parent PID: 6668
General
Start time: 14:21:34
Start date: 09/12/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Analysis Process: schtasks.exe PID: 6720 Parent PID: 6668
General
Start time: 14:21:35
Start date: 09/12/2020
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn vsmztxer /tr 'regsvr32.exe -s \'C:\Users\Admin\AppData\Roaming\Goka.zzxxcc\'' /SC ONCE /Z /ST 18:25 /ET 18:37
Imagebase: 0xa10000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
Analysis Process: regsvr32.exe PID: 6740 Parent PID: 528
General
Start time: 14:21:35
Start date: 09/12/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: regsvr32.exe -s 'C:\Users\Admin\AppData\Roaming\Goka.zzxxcc'
Imagebase: 0x7ff6b2f80000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Disassembly
Code Analysis