Automated Malware Analysis Report for novaPDF8COM(x86).msi
Total pages: 16
File type: pdf, Size: 1020Kb
ID: 205201
Sample Name: novaPDF8COM(x86).msi
Cookbook: default.jbs
Time: 11:37:00
Date: 03/02/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents
Table of Contents 2
Analysis Report novaPDF8COM(x86).msi 4
Overview 4
General Information 4
Detection 4
Confidence 5
Classification 5
Analysis Advice 5
Mitre Att&ck Matrix 6
Signature Overview 6
Spreading: 6
Networking: 6
System Summary: 6
Hooking and other Techniques for Hiding and Protection: 7
Malware Analysis System Evasion: 7
Language, Device and Operating System Detection: 7
Malware Configuration 7
Behavior Graph 7
Simulations 7
Behavior and APIs 7
Antivirus, Machine Learning and Genetic Malware Detection 8
Initial Sample 8
Dropped Files 8
Unpacked PE Files 8
Domains 8
URLs 8
Yara Overview 9
Initial Sample 9
PCAP (Network Traffic) 9
Dropped Files 9
Memory Dumps 10
Unpacked PEs 10
Sigma Overview 10
Joe Sandbox View / Context 10
IPs 10
Domains 10
ASN 10
JA3 Fingerprints 10
Dropped Files 10
Screenshots 10
Thumbnails 10
Startup 11
Created / dropped Files 11
Domains and IPs 11
Contacted Domains 11
URLs from Memory and Binaries 11
Contacted IPs 13
Static File Info 13
General 13
File Icon 14
Static OLE Info 14
General 14
Authenticode Signature 14
OLE File "novaPDF8COM(x86).msi" 14
Indicators 14
Summary 15
Streams 15
Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 6451 15
General 15
Copyright Joe Security LLC 2020 Page 2 of 22
Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 20 15
General 15
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 580 15
General 15
Stream Path: \x16944\x17191\x14436\x16830\x16740, File Type: Microsoft Cabinet archive data, 922265 bytes, 6 files, Stream Size: 922265 16
General 16
Stream Path: \x17163\x16689\x18229\x16446\x18156\x14988, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 212992 16
General 16
Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 752 16
General 16
Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with no line terminators, Stream Size: 8784 16
General 16
Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 1092 17
General 17
Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 42 17
General 17
Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 2304 17
General 17
Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 48 17
General 17
Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 24 17
General 17
Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42 18
General 18
Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 12 18
General 18
Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 32 18
General 18
Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14 18
General 18
Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778, File Type: data, Stream Size: 10 18
General 18
Stream Path: \x18496\x16924\x17007\x16923\x18474, File Type: data, Stream Size: 8 18
General 19
Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 4 19
General 19
Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 30 19
General 19
Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 120 19
General 19
Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 156 19
General 19
Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42 19
General 19
Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 36 20
General 20
Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475, File Type: data, Stream Size: 4 20
General 20
Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: PDP-11 separate I&D executable, Stream Size: 32 20
General 20
Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 12 20
General 20
Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 36 20
General 20
Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 36 20
General 21
Network Behavior 21
Code Manipulations 21
Statistics 21
Behavior 21
System Behavior 21
Analysis Process: msiexec.exe PID: 3628 Parent PID: 3808 21
General 21
File Activities 22
Analysis Process: msiexec.exe PID: 1148 Parent PID: 4560 22
General 22
File Activities 22
Registry Activities 22
Disassembly 22
Code Analysis 22

Analysis Report novaPDF8COM(x86).msi

Overview

General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 205201
Start date: 03.02.2020
Start time: 11:37:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 33s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: novaPDF8COM(x86).msi
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winMSI@2/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Found application associated with file extension: .msi
  Stop behavior analysis, all processes terminated
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Detection
Strategy    Score   Range     Reporting   Whitelisted   Detection
Threshold   2       0 - 100               false

Confidence
Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   2       0 - 5   true

Classification
[Classification chart; only its labels survive extraction. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Rings: malicious, suspicious, clean.]

Analysis Advice
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix
Each tactic column lists its first-row cell, then its second-row cell.
Initial Access: Replication Through Removable Media 1; Replication Through Removable Media
Execution: Windows Remote Management; Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Process Injection 1; Accessibility Features
Defense Evasion: Process Injection 1; DLL Side-Loading 1
Credential Access: Credential Dumping; Network Sniffing
Discovery: Peripheral Device Discovery 1 1; System Information Discovery 1 3
Lateral Movement: Replication Through Removable Media 1; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Data Obfuscation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Signature Overview
• Spreading
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection

Spreading:
Checks for available system drives (often done to infect USB drives)

Networking:
Urls found in memory or binary data

System Summary:
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Classification label
Reads software policies
Sample is a Windows installer
Spawns processes
Uses an in-process (OLE) Automation server
PE / OLE file has a valid certificate
Submission file is bigger than most known malware samples
Binary contains paths to debug symbols

Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:
Checks the free space of harddrives

Language, Device and Operating System Detection:
Queries the volume information (name, serial number etc) of a device
Queries the cryptographic machine GUID

Malware Configuration
No configs have been found

Behavior Graph
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files