Automated Malware Analysis Report for MILKA CHOCO
Total Page:16
File Type:pdf, Size:1020Kb
ID: 452495
Sample Name: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx
Cookbook: defaultwindowsofficecookbook.jbs
Time: 14:01:33
Date: 22/07/2021
Version: 33.0.0 White Diamond

Table of Contents

Table of Contents 2
Windows Analysis Report MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
  Process Tree 4
  Malware Configuration 4
    Threatname: GuLoader 4
  Yara Overview 4
    Memory Dumps 4
  Sigma Overview 4
    Exploits: 4
    System Summary: 5
  Jbx Signature Overview 5
    AV Detection: 5
    Exploits: 5
    Networking: 5
    System Summary: 5
    Data Obfuscation: 5
    Boot Survival: 5
    Malware Analysis System Evasion: 5
  Mitre Att&ck Matrix 5
  Behavior Graph 6
  Screenshots 6
    Thumbnails 6
  Antivirus, Machine Learning and Genetic Malware Detection 7
    Initial Sample 7
    Dropped Files 7
    Unpacked PE Files 7
    Domains 8
    URLs 8
  Domains and IPs 8
    Contacted Domains 8
    Contacted URLs 8
    URLs from Memory and Binaries 8
    Contacted IPs 8
      Public 8
  General Information 8
  Simulations 9
    Behavior and APIs 9
  Joe Sandbox View / Context 9
    IPs 9
    Domains 9
    ASN 9
    JA3 Fingerprints 10
    Dropped Files 10
  Created / dropped Files 10
  Static File Info 14
    General 14
    File Icon 14
  Static OLE Info 15
    General 15
    OLE File "MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx" 15
      Indicators 15
      Streams 15
  Network Behavior 15
    Network Port Distribution 15
    TCP Packets 15
    HTTP Request Dependency Graph 15
    HTTP Packets 15
  Code Manipulations 16
  Statistics 16
    Behavior 16
  System Behavior 16
    Analysis Process: EXCEL.EXE PID: 2368 Parent PID: 584 16
      General 16
      File Activities 17
        File Written 17
      Registry Activities 17
        Key Created 17
        Key Value Created 17
        Key Value Modified 17
    Analysis Process: EQNEDT32.EXE PID: 2124 Parent PID: 584 17
      General 17
      File Activities 17
      Registry Activities 17
        Key Created 17
    Analysis Process: vbc.exe PID: 2192 Parent PID: 2124 17
      General 17
      File Activities 18
  Disassembly 18
    Code Analysis 18

Copyright Joe Security LLC 2021 Page 2 of 18

Windows Analysis Report
MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx

Overview

General Information
Sample Name: MILKA CHOCO COW BISCUITS AND CADBURY OFFERS,TWIX,SNICKERS,BOUNTY,GALAXY.xlsx
Analysis ID: 452495
MD5: b7cdda84714069…
SHA1: 874d1157c6e658…
SHA256: 1e7447cb7adb33…
Tags: VelvetSweatshop xlsx
Infos:
Most interesting Screenshot: (screenshot not reproduced in text)

Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropp…
Sigma detected: Droppers Exploiting…
Sigma detected: EQNEDT32.EXE c…
Sigma detected: File Dropped By EQ…
Yara detected GuLoader
C2 URLs / IPs found in malware con…
Contains functionality to detect hard…
Detected RDTSC dummy instruction…
Drops PE files to the user root direc…
Office equation editor drops PE file
Office equation editor starts process…
Sigma detected: Execution from Sus…
Tries to detect virtualization through…
Abnormal high CPU Usage
Allocates memory within range whic…
Contains functionality for execution…
Contains functionality to call native f…
Contains functionality to query CPU f…
Contains functionality to read the PEB
Creates a process in suspended mo…
Detected potential crypto function
Document misses a certain OLE str…
Downloads executable code via HTT…
Drops PE files
Drops PE files to the user directory
IP address seen in connection with o…
Internet Provider seen in connection…
May sleep (evasive loops) to hinder…
Office Equation Editor has been star…
PE file contains strange resources
Potential document exploit detected…
Potential document exploit detected…
Uses a known web browser user age…
Uses code obfuscation techniques (…

Classification
Chart categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Chart scale: malicious, suspicious, clean
GuLoader

Process Tree
System is w7x64
EXCEL.EXE (PID: 2368 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
EQNEDT32.EXE (PID: 2124 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  vbc.exe (PID: 2192 cmdline: 'C:\Users\Public\vbc.exe' MD5: C937FC9ED4325E6AB24D49A3175F3A5C)
cleanup

Malware Configuration

Threatname: GuLoader
{
  "Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"
}

Yara Overview

Memory Dumps
Source: 00000006.00000002.2388759813.00000000002E0000.00000040.00000001.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings:

Sigma Overview

Exploits:
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE

System Summary:
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: Execution from Suspicious Folder

Jbx Signature Overview

AV Detection:
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file

Exploits:
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Networking:
C2 URLs / IPs found in malware configuration

System Summary:
Office equation editor drops PE file

Data Obfuscation:
Yara detected GuLoader

Boot Survival:
Drops PE files to the user root directory

Malware Analysis System Evasion:
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Tries to detect virtualization through RDTSC time measurements

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Exploitation for Client Execution 1 2; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1 2; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1 1 1; Virtualization/Sandbox Evasion 1; Process Injection 1 2
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery 4 1; Virtualization/Sandbox Evasion 1; Process Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 1 2; Non-Application Layer Protocol 1
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track