Automated Malware Analysis Report For
ID: 289897
Cookbook: browseurl.jbs
Time: 11:27:39
Date: 25/09/2020
Version: 30.0.0 Red Diamond

Table of Contents
  Table of Contents 2
  Analysis Report http://c3.sdkclickurl.com/click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26 3
  Overview 3
    General Information 3
    Detection 3
    Signatures 3
    Classification 3
    Startup 4
    Malware Configuration 4
    Yara Overview 4
    Sigma Overview 4
    Signature Overview 4
    Mitre Att&ck Matrix 5
    Behavior Graph 5
    Screenshots 5
    Thumbnails 5
  Antivirus, Machine Learning and Genetic Malware Detection 6
    Initial Sample 6
    Dropped Files 6
    Unpacked PE Files 6
    Domains 7
    URLs 7
  Domains and IPs 7
    Contacted Domains 7
    Contacted URLs 7
    URLs from Memory and Binaries 7
    Contacted IPs 7
    Public 8
  General Information 8
  Simulations 9
    Behavior and APIs 9
  Joe Sandbox View / Context 9
    IPs 9
    Domains 9
    ASN 9
    JA3 Fingerprints 9
    Dropped Files 9
  Created / dropped Files 10
  Static File Info 14
    No static file info 14
  Network Behavior 14
    Network Port Distribution 14
    TCP Packets 15
    UDP Packets 16
    DNS Queries 16
    DNS Answers 17
    HTTP Request Dependency Graph 17
    HTTP Packets 17
    HTTPS Packets 18
  Code Manipulations 18
  Statistics 19
    Behavior 19
  System Behavior 19
    Analysis Process: iexplore.exe PID: 5320 Parent PID: 788 19
      General 19
      File Activities 19
      Registry Activities 19
    Analysis Process: iexplore.exe PID: 4444 Parent PID: 5320 20
      General 20
      File Activities 20
      Registry Activities 20
  Disassembly 20

Copyright null 2020 Page 2 of 20

Analysis Report
http://c3.sdkclickurl.com/click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26

Overview

General Information
  Sample URL: c3.sdkclickurl.com/click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26
  Analysis ID: 289897
  Most interesting Screenshot:

Detection
  Score: 0
  Range: 0 - 100
  Whitelisted: false
  Confidence: 80%

Signatures
  No high impact signatures.

Classification
  (Classification chart; categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious / suspicious / clean)

Startup
  System is w10x64
  iexplore.exe (PID: 5320 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    iexplore.exe (PID: 4444 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5320 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  cleanup

Malware Configuration
  No configs have been found

Yara Overview
  No yara matches

Sigma Overview
  No Sigma rule has matched

Signature Overview
  • Networking
  • System Summary
  There are no malicious signatures.

Mitre Att&ck Matrix
  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
  Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information; Binary Padding
  Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
  Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry; System Network Configuration Discovery
  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
  Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 2; Application Layer Protocol 3; Ingress Tool Transfer 1
  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
  Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph
  ID: 289897
  URL: http://c3.sdkclickurl.com/c...
  Startdate: 25/09/2020
  Architecture: WINDOWS
  Score: 0
  Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
  (Graph figure; recoverable nodes and edges:)
    iexplore.exe started iexplore.exe
    c3.sdkclickurl.com 47.254.213.111, 49707, 49708, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States
    impression.appsflyer.com 52.51.186.116, 443, 49709, 49710 AMAZON-02US United States

Screenshots

Thumbnails
  This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
  Source | Detection | Scanner | Label | Link
  c3.sdkclickurl.com/click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26 | 3% | Virustotal | | Browse
  c3.sdkclickurl.com/click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26 | 0% | Avira URL Cloud | safe |

Dropped Files
  No Antivirus matches

Unpacked PE Files
  No Antivirus matches

Domains
  Source | Detection | Scanner | Label | Link
  c3.sdkclickurl.com | 1% | Virustotal | | Browse

URLs
  Source | Detection | Scanner | Label | Link
  www.wikipedia.com/ | 0% | Virustotal | | Browse
  www.wikipedia.com/ | 0% | URL Reputation | safe |
  www.wikipedia.com/ | 0% | URL Reputation | safe |
  www.wikipedia.com/ | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains
  Name | IP | Active | Malicious | Antivirus Detection | Reputation
  impression.appsflyer.com | 52.51.186.116 | true | false | | high
  c3.sdkclickurl.com | 47.254.213.111 | true | false | 1%, Virustotal, Browse | unknown

Contacted URLs
  Name | Malicious | Antivirus Detection | Reputation
  https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af_siteid=92517477&pid=roockmobile_int&clickid=20200925092837_wangmeng10_21df697a0270dd7675eabf9afce2d53444227_v3&android_id={android_id}&advertising_id=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&imei={imei}&idfa=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d | false | | high
  c3.sdkclickurl.com/click/?adgroup_id=3954232&user_id=699999&timeflag=202009250600&mid=2157&android_id={android_id}&bundle={bundle}&ip={ip}&ua={ua}&lang={lang}&tid=RSB_C8323ABF5CB47CABF251DE48B390223CD18ED4F247BEB9107AEA02D0D05C1F8B6020BB87965D54B6422A0F9E968CC1A9_MOBILEPARTNER_zya_giraffe5f6d8fd1e4b04b780100a4fe26&gaid=6d0fd5e2-dfb8-4abf-b91c-844c98a8929d&pub_id=28446&idx=26 | false | | unknown

URLs from Memory and Binaries
  Name | Source | Malicious | Antivirus Detection | Reputation
  www.wikipedia.com/ | msapplication.xml7.1.dr | false | 0%, Virustotal, Browse; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
  www.amazon.com/ | msapplication.xml.1.dr | false | | high
  www.nytimes.com/ | msapplication.xml4.1.dr | false | | high
  https://impression.appsflyer.com/de.autodoc.gmbh?c=Autodoc_Android_CPA&af_viewthrough_lookback=1d&af | {EB2B3048-FF5C-11EA-90E3-ECF4BB570DC9}.dat.1.dr, ~DFF0DB07DF8329656E.TMP.1.dr | false | | high
  www.live.com/ | msapplication.xml3.1.dr | false | | high
  www.reddit.com/ | msapplication.xml5.1.dr | false | | high
  www.twitter.com/ | msapplication.xml6.1.dr | false | | high
  www.youtube.com/ | msapplication.xml8.1.dr | false | | high

Contacted IPs
  (Map figure)

Public
  IP | Country | Flag | ASN | ASN Name | Malicious
  47.254.213.111 | United States | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | false
  52.51.186.116 | United States | | 16509 | AMAZON-02US | false

General Information
  Joe Sandbox Version: 30.0.0 Red Diamond
  Analysis ID: 289897
  Start date: 25.09.2020
  Start time: 11:27:39
  Joe Sandbox Product: CloudBasic
  Overall analysis duration: 0h 3m 43s
  Hypervisor based Inspection enabled: false
  Report