Automated Malware Analysis Report for Novapdf8com(X86).Msi

Total pages: 16

File type: pdf, size: 1020 KB

Automated Malware Analysis Report for novaPDF8COM(x86).msi

ID: 205201
Sample Name: novaPDF8COM(x86).msi
Cookbook: default.jbs
Time: 11:37:00
Date: 03/02/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

  • Table of Contents (p. 2)
  • Analysis Report novaPDF8COM(x86).msi (p. 4)
  • Overview (p. 4)
  • General Information (p. 4)
  • Detection (p. 4)
  • Confidence (p. 5)
  • Classification (p. 5)
  • Analysis Advice (p. 5)
  • Mitre Att&ck Matrix (p. 6)
  • Signature Overview (p. 6)
  • Spreading: (p. 6)
  • Networking: (p. 6)
  • System Summary: (p. 6)
  • Hooking and other Techniques for Hiding and Protection: (p. 7)
  • Malware Analysis System Evasion: (p. 7)
  • Language, Device and Operating System Detection: (p. 7)
  • Malware Configuration (p. 7)
  • Behavior Graph (p. 7)
  • Simulations (p. 7)
  • Behavior and APIs (p. 7)
  • Antivirus, Machine Learning and Genetic Malware Detection (p. 8)
  • Initial Sample (p. 8)
  • Dropped Files (p. 8)
  • Unpacked PE Files (p. 8)
  • Domains (p. 8)
  • URLs (p. 8)
  • Yara Overview (p. 9)
  • Initial Sample (p. 9)
  • PCAP (Network Traffic) (p. 9)
  • Dropped Files (p. 9)
  • Memory Dumps (p. 10)
  • Unpacked PEs (p. 10)
  • Sigma Overview (p. 10)
  • Joe Sandbox View / Context (p. 10)
  • IPs (p. 10)
  • Domains (p. 10)
  • ASN (p. 10)
  • JA3 Fingerprints (p. 10)
  • Dropped Files (p. 10)
  • Screenshots (p. 10)
  • Thumbnails (p. 10)
  • Startup (p. 11)
  • Created / dropped Files (p. 11)
  • Domains and IPs (p. 11)
  • Contacted Domains (p. 11)
  • URLs from Memory and Binaries (p. 11)
  • Contacted IPs (p. 13)
  • Static File Info (p. 13)
  • General (p. 13)
  • File Icon (p. 14)
  • Static OLE Info (p. 14)
  • General (p. 14)
  • Authenticode Signature (p. 14)
  • OLE File "novaPDF8COM(x86).msi" (p. 14)
  • Indicators (p. 14)
  • Summary (p. 15)
  • Streams (p. 15)
    Each stream entry below has its own General subsection on the same page (General for the 8-byte stream is on p. 19 and for the final 36-byte stream on p. 21).
    • Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 6451 (p. 15)

Copyright Joe Security LLC 2020 Page 2 of 22

    • Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 20 (p. 15)
    • Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 580 (p. 15)
    • Stream Path: \x16944\x17191\x14436\x16830\x16740, File Type: Microsoft Cabinet archive data, 922265 bytes, 6 files, Stream Size: 922265 (p. 16)
    • Stream Path: \x17163\x16689\x18229\x16446\x18156\x14988, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 212992 (p. 16)
    • Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 752 (p. 16)
    • Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with no line terminators, Stream Size: 8784 (p. 16)
    • Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 1092 (p. 17)
    • Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 42 (p. 17)
    • Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 2304 (p. 17)
    • Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 48 (p. 17)
    • Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 24 (p. 17)
    • Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42 (p. 18)
    • Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 12 (p. 18)
    • Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 32 (p. 18)
    • Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14 (p. 18)
    • Stream Path: \x18496\x16923\x15722\x16818\x17892\x17778, File Type: data, Stream Size: 10 (p. 18)
    • Stream Path: \x18496\x16924\x17007\x16923\x18474, File Type: data, Stream Size: 8 (p. 18)
    • Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 4 (p. 19)
    • Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 30 (p. 19)
    • Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 120 (p. 19)
    • Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 156 (p. 19)
    • Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 42 (p. 19)
    • Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 36 (p. 20)
    • Stream Path: \x18496\x17610\x16179\x16680\x16821\x18475, File Type: data, Stream Size: 4 (p. 20)
    • Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: PDP-11 separate I&D executable, Stream Size: 32 (p. 20)
    • Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 12 (p. 20)
    • Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 36 (p. 20)
    • Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 36 (p. 20)
  • Network Behavior (p. 21)
  • Code Manipulations (p. 21)
  • Statistics (p. 21)
  • Behavior (p. 21)
  • System Behavior (p. 21)
  • Analysis Process: msiexec.exe PID: 3628 Parent PID: 3808 (p. 21)
    • General (p. 21)
    • File Activities (p. 22)
  • Analysis Process: msiexec.exe PID: 1148 Parent PID: 4560 (p. 22)
    • General (p. 22)
    • File Activities (p. 22)
    • Registry Activities (p. 22)
  • Disassembly (p. 22)
  • Code Analysis (p. 22)

Analysis Report novaPDF8COM(x86).msi

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 205201
Start date: 03.02.2020
Start time: 11:37:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 33s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: novaPDF8COM(x86).msi
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.winMSI@2/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .msi
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Detection
Threshold | 2     | 0 - 100 | false     |             |

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 2     | 0 - 5 | true                       |

Classification

[Classification radar chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean]

Analysis Advice

  • Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
  • Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
  • Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Tactic (row 1 / row 2):
  • Initial Access: Replication Through Removable Media 1 / Replication Through Removable Media
  • Execution: Windows Remote Management / Service Execution
  • Persistence: Winlogon Helper DLL / Port Monitors
  • Privilege Escalation: Process Injection 1 / Accessibility Features
  • Defense Evasion: Process Injection 1 / DLL Side-Loading 1
  • Credential Access: Credential Dumping / Network Sniffing
  • Discovery: Peripheral Device Discovery 1 1 / System Information Discovery 1 3
  • Lateral Movement: Replication Through Removable Media 1 / Remote Services
  • Collection: Data from Local System / Data from Removable Media
  • Exfiltration: Data Compressed / Exfiltration Over Other Network Medium
  • Command and Control: Data Obfuscation / Fallback Channels
  • Network Effects: Eavesdrop on Insecure Network Communication / Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization / Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition / Device Lockout

Signature Overview

  • Spreading
  • Networking
  • System Summary
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Language, Device and Operating System Detection

Spreading:
  • Checks for available system drives (often done to infect USB drives)

Networking:
  • Urls found in memory or binary data

System Summary:
  • Sample file is different than original file name gathered from version info
  • Tries to load missing DLLs
  • Classification label
  • Reads software policies
  • Sample is a Windows installer
  • Spawns processes
  • Uses an in-process (OLE) Automation server
  • PE / OLE file has a valid certificate
  • Submission file is bigger than most known malware samples
  • Binary contains paths to debug symbols

Hooking and other Techniques for Hiding and Protection:
  • Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:
  • Checks the free space of harddrives

Language, Device and Operating System Detection:
  • Queries the volume information (name, serial number etc) of a device
  • Queries the cryptographic machine GUID

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph image; legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files]