Automated Malware Analysis Report for Murmurhash-1.0
File type: PDF, size: 1020 KB, 16 pages
ID: 205862
Sample Name: murmurhash-1.0.2-cp37-cp37m-win_amd64.whl
Cookbook: default.jbs
Time: 02:34:55
Date: 05/02/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents
  Analysis Report murmurhash-1.0.2-cp37-cp37m-win_amd64.whl ... 4
    Overview (General Information, Detection, Confidence, Classification, Analysis Advice) ... 4-5
    Mitre Att&ck Matrix ... 6
    Signature Overview (Software Vulnerabilities; Networking; System Summary; Persistence and Installation Behavior; Hooking and other Techniques for Hiding and Protection; Malware Analysis System Evasion; Anti Debugging; HIPS / PFW / Operating System Protection Evasion; Language, Device and Operating System Detection) ... 6-7
    Malware Configuration ... 7
    Behavior Graph ... 7
    Simulations (Behavior and APIs) ... 8
    Antivirus, Machine Learning and Genetic Malware Detection (Initial Sample, Dropped Files, Unpacked PE Files, Domains, URLs) ... 8
    Yara Overview (Initial Sample, PCAP (Network Traffic), Dropped Files, Memory Dumps, Unpacked PEs) ... 9
    Sigma Overview ... 9
    Joe Sandbox View / Context (IPs, Domains, ASN, JA3 Fingerprints, Dropped Files) ... 9
    Startup ... 9
    Created / dropped Files ... 10
    Domains and IPs (Contacted Domains, URLs from Memory and Binaries, Contacted IPs) ... 14
    Static File Info (General, File Icon) ... 14-15
    Network Behavior ... 15
    Code Manipulations ... 15
    Statistics (Behavior) ... 15
    System Behavior ... 15
      Analysis Process: unarchiver.exe PID: 5844 Parent PID: 3292 (General; File Activities: File Created, File Written, File Read) ... 16
      Analysis Process: 7za.exe PID: 5868 Parent PID: 5844 (General; File Activities: File Created, File Written, File Read) ... 17-24
      Analysis Process: conhost.exe PID: 5892 Parent PID: 5868 (General) ... 24
    Disassembly (Code Analysis) ... 25

Copyright Joe Security LLC 2020 Page 2 of 25

Analysis Report murmurhash-1.0.2-cp37-cp37m-win_amd64.whl

Overview

General Information
  Joe Sandbox Version: 28.0.0 Lapis Lazuli
  Analysis ID: 205862
  Start date: 05.02.2020
  Start time: 02:34:55
  Joe Sandbox Product: CloudBasic
  Overall analysis duration: 0h 3m 12s
  Hypervisor based Inspection enabled: false
  Report type: light
  Sample file name: murmurhash-1.0.2-cp37-cp37m-win_amd64.whl (renamed file extension from whl to zip)
  Cookbook file name: default.jbs
  Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
  Number of new started processes analysed: 5
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
  Analysis stop reason: Timeout
  Detection: CLEAN
  Classification: clean3.winZIP@4/16@0/0
  EGA Information: Failed
  HDC Information: Failed
  HCA Information: Successful, ratio: 100%
  Number of executed functions: 0
  Number of non-executed functions: 0
  Cookbook Comments: Adjust boot time; Enable AMSI; Stop behavior analysis, all processes terminated
  Warnings:
    Exclude process from analysis (whitelisted): dllhost.exe
    Execution Graph export aborted for target unarchiver.exe, PID 5844 because it is empty

Detection
  Strategy: Threshold
  Score: 3
  Range: 0 - 100
  Reporting: (none)
  Whitelisted: false

Confidence
  Strategy: Threshold
  Score: 4
  Range: 0 - 5
  Further Analysis Required?: false

Classification
  Verdict: clean (scale: malicious / suspicious / clean)
  Categories on the classification chart: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware (none flagged)

Analysis Advice
  Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Mitre Att&ck Matrix
  Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
  Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task
  Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
  Privilege Escalation: Process Injection 1 1; Accessibility Features; Path Interception; DLL Search Order Hijacking
  Defense Evasion: Disabling Security Tools 1; Virtualization/Sandbox Evasion 2; Process Injection 1 1; Obfuscated Files or Information 1
  Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
  Discovery: Virtualization/Sandbox Evasion 2; System Information Discovery 2; Query Registry; System Network Configuration Discovery
  Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
  Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
  Command and Control: Standard Cryptographic Protocol 1; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication
  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
  (Numbers after a technique are the count of matching signatures; techniques without a number did not match.)

Signature Overview
  Sections: Software Vulnerabilities; Networking; System Summary; Persistence and Installation Behavior; Hooking and other Techniques for Hiding and Protection; Malware Analysis System Evasion; Anti Debugging; HIPS / PFW / Operating System Protection Evasion; Language, Device and Operating System Detection
  Note: the only processes observed are the extraction chain unarchiver.exe -> 7za.exe -> conhost.exe (see Startup); the dropped PE file was never started or loaded and no functions were executed, so the signatures below were triggered by the extraction step, not by code from the wheel.

  Software Vulnerabilities:
    Found inlined nop instructions (likely shell or obfuscated code)
  Networking:
    Urls found in memory or binary data
  System Summary:
    Detected potential crypto function
    Classification label
    Creates mutexes
    Creates temporary files
    Parts of this application are using the .NET runtime (probably coded in C#)
    Reads software policies
    Spawns processes
    Uses new MSVCR DLLs
  Persistence and Installation Behavior:
    Drops PE files
  Hooking and other Techniques for Hiding and Protection:
    Disables application error messages (SetErrorMode)
  Malware Analysis System Evasion:
    Contains long sleeps (>= 3 min)
    Found dropped PE file which has not been started or loaded
    May sleep (evasive loops) to hinder dynamic analysis
  Anti Debugging:
    Creates guard pages, often used to prevent reverse engineering and debugging
  HIPS / PFW / Operating System Protection Evasion:
    Creates a process in suspended mode (likely to inject code)
  Language, Device and Operating System Detection:
    Queries the cryptographic machine GUID

Malware Configuration
  No configs have been found

Behavior Graph
  ID: 205862
  Sample: murmurhash-1.0.2-cp37-cp37m...
  Startdate: 05/02/2020
  Architecture: WINDOWS
  Score: 3
  Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
  Graph:
    unarchiver.exe
      started 7za.exe (27 created files)
        dropped C:\Users\user\...\test_against_mmh3.py (Python)
        dropped C:\Users\user\...\mrmr.cp37-win_amd64.pyd (PE32+)
        dropped C:\Users\user\AppData\...\test_import.py (Python)
        dropped C:\Users\user\AppData\Local\...\__init__.py (Python)
        started conhost.exe

Simulations
  Behavior and APIs: No simulations

Antivirus, Machine Learning and Genetic Malware Detection
  Initial Sample: No Antivirus matches
  Dropped Files:
    Source: C:\Users\user\AppData\Local\Temp\wltdyeg5.cqs\murmurhash\mrmr.cp37-win_amd64.pyd
    Detection: 0%
    Scanner: Virustotal
    Label: (none)
    Link: Browse
  Unpacked PE Files: No Antivirus matches
  Domains: No Antivirus matches
  URLs: No Antivirus matches

Yara Overview
  Initial Sample: No yara matches
  PCAP (Network Traffic): No yara matches
  Dropped Files: No yara matches
  Memory Dumps: No yara matches
  Unpacked PEs: No yara matches

Sigma Overview
  No Sigma rule has matched

Joe Sandbox View / Context
  IPs: No context
  Domains: No context
  ASN: No context
  JA3 Fingerprints: No context
  Dropped Files: No context

Startup
  System is w10x64
  unarchiver.exe (PID: 5844, cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\murmurhash-1.0.2-cp37-cp37m-win_amd64.zip', MD5: CC652A2104B9470999DA6603F972D7B4)
    7za.exe (PID: 5868, cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\wltdyeg5.cqs' 'C:\Users\user\Desktop\murmurhash-1.0.2-cp37-cp37m-win_amd64.zip', MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      conhost.exe (PID: 5892, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  cleanup

Created / dropped Files
  C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log
    Process: C:\Windows\SysWOW64\unarchiver.exe
    File Type: ASCII text, with CRLF line terminators
    Size (bytes): 128
    Entropy (8bit): 5.166201977254936
    Encrypted: false
    MD5: 55887639A13C458914BF5B0242958FD8
    SHA1: 1B7576C23201581E49DA512B0E61743324CB8251
    SHA-256: BA44A8F5211411E615ED523042D2B1870ACDBC6F6D3FE99C30429BB4CC151247
    SHA-512: FC3E785FDA47A67AAD3230C138A560A07A240EAB74742CCAB68D4611D9E818B177D7B102CEA0A79F265A7751C2A8E5E138446E9BEB214A3532B566649175D313
    Malicious: false
    Reputation: moderate, very likely benign file
    Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\d72bdddce94cd6438f15999de0b0afb6\System.ni.dll",0..
  C:\Users\user\AppData\Local\Temp\rwduyhgu.iiz\unarchiver.log
    Process: C:\Windows\SysWOW64\unarchiver.exe
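The report's Analysis Advice is to submit the dropped PE file (mrmr.cp37-win_amd64.pyd) for a secondary analysis. The same triage can be started offline before anything runs: a wheel is a zip archive (which is why the sandbox renamed .whl to .zip and extracted it with 7za.exe), and its RECORD file carries a SHA-256 for every member, so embedded PE files can be enumerated by their MZ header, hashed (the MD5/SHA-256 values the report lists per dropped file) and checked against RECORD. The following is an added example, not code from the report or from the murmurhash project. The wheel it builds is a constructed stand-in with a fake 68-byte .pyd, not the real murmurhash-1.0.2 archive; the member names mirror the report's dropped-file names for illustration only, and test_import.py is deliberately omitted from RECORD to show how an unlisted member is reported.

```python
"""Offline triage of a Python wheel: list members, flag embedded PE files by
their MZ header, hash them, and verify every member against the wheel's RECORD
(PEP 427 digest form: "sha256=<urlsafe base64 of the digest, no '=' padding>").
Added example with a constructed sample wheel; not code from the report or
from the murmurhash project."""
import base64
import csv
import hashlib
import io
import zipfile


def record_digest(data: bytes) -> str:
    """Digest in exactly the form a RECORD line uses for a member."""
    digest = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def parse_record(text: str) -> dict:
    """RECORD is CSV: path,digest,size.  RECORD's own line has an empty digest."""
    return {row[0]: row[1] for row in csv.reader(io.StringIO(text)) if row}


def triage_wheel(wheel_bytes: bytes) -> dict:
    """Return {member: {size, is_pe, md5, sha256, record}} for every file member.
    record is one of: ok, mismatch, unlisted (absent from RECORD), record (RECORD itself)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        record_name = next(
            (n for n in zf.namelist() if n.endswith(".dist-info/RECORD")), None)
        listed = parse_record(zf.read(record_name).decode("utf-8")) if record_name else {}
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if info.filename == record_name:
                status = "record"
            elif info.filename not in listed:
                status = "unlisted"
            elif listed[info.filename] == record_digest(data):
                status = "ok"
            else:
                status = "mismatch"
            results[info.filename] = {
                "size": info.file_size,
                "is_pe": data[:2] == b"MZ",  # DOS-stub magic shared by PE32 and PE32+
                "md5": hashlib.md5(data).hexdigest().upper(),
                "sha256": hashlib.sha256(data).hexdigest().upper(),
                "record": status,
            }
    return results


def pe_members(results: dict) -> list:
    """Members to hand to a sandbox for secondary analysis, as the report advises."""
    return sorted(name for name, r in results.items() if r["is_pe"])


def build_sample_wheel(tamper: bool = False) -> bytes:
    """Constructed stand-in for murmurhash-1.0.2-cp37-cp37m-win_amd64.whl (assumption:
    not the real archive).  The .pyd is a fake blob with an MZ header, not a real
    extension module; tests/test_import.py is deliberately left out of RECORD.
    tamper=True alters the .pyd after RECORD was written, simulating a modified wheel."""
    members = {
        "murmurhash/__init__.py": b"from .mrmr import hash\n",
        "murmurhash/mrmr.cp37-win_amd64.pyd": b"MZ" + b"\x00" * 62 + b"PE\x00\x00",
        "murmurhash/tests/test_import.py": b"import murmurhash\n",
    }
    rows = [[n, record_digest(d), str(len(d))]
            for n, d in members.items() if "tests/" not in n]
    rows.append(["murmurhash-1.0.2.dist-info/RECORD", "", ""])
    record_text = io.StringIO()
    csv.writer(record_text, lineterminator="\n").writerows(rows)
    if tamper:
        members["murmurhash/mrmr.cp37-win_amd64.pyd"] += b"\x90"  # one appended byte
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
        zf.writestr("murmurhash-1.0.2.dist-info/RECORD", record_text.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for label, wheel in (("intact", build_sample_wheel()),
                         ("tampered", build_sample_wheel(tamper=True))):
        report = triage_wheel(wheel)
        print(f"== {label}: PE members to submit: {pe_members(report)}")
        for name, r in report.items():
            print(f"{r['record']:<9} pe={str(r['is_pe']):<5} {r['sha256'][:16]}... {name}")
```

To run it against a real wheel, pass `open(path, "rb").read()` to `triage_wheel` instead of the constructed archive. A RECORD mismatch or an unlisted member is a reason to stop and compare against the copy on the index before installing, since `pip` itself only checks RECORD hashes during install when the wheel is otherwise trusted; a matching RECORD proves only that the archive is internally consistent, not that the .pyd is benign, which is why the report still asks for the dropped PE to be analysed on its own.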