Automated Malware Analysis Report for Clapzok


ID: 78954
Sample Name: Clapzok
Cookbook: default.jbs
Time: 09:56:23
Date: 21/09/2018
Version: 23.0.0

Table of Contents

Analysis Report Clapzok 3
Overview 3
  General Information 3
  Detection 3
  Confidence 3
  Classification 4
  Analysis Advice 4
Signature Overview 5
  AV Detection 5
  Networking 5
  System Summary 5
  Malware Analysis System Evasion 5
  Anti Debugging 5
Behavior Graph 5
Simulations 6
  Behavior and APIs 6
Antivirus Detection 6
  Initial Sample 6
  Dropped Files 6
  Unpacked PE Files 6
  Domains 6
  URLs 6
Yara Overview 7
  Initial Sample 7
  PCAP (Network Traffic) 7
  Dropped Files 7
  Memory Dumps 7
  Unpacked PEs 7
Joe Sandbox View / Context 7
  IPs 7
  Domains 7
  ASN 7
  Dropped Files 7
Created / dropped Files 7
Domains and IPs 7
  Contacted Domains 7
  Contacted IPs 7
Static File Info 8
  General 8
  File Icon 8
Network Behavior 8
Code Manipulations 8
Statistics 8
System Behavior 8
Disassembly 8

Copyright Joe Security LLC 2018

Analysis Report Clapzok

Overview

General Information
Joe Sandbox Version: 23.0.0
Analysis ID: 78954
Start date: 21.09.2018
Start time: 09:56:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 0m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Clapzok
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.win@0/0@0/0
Cookbook Comments: Adjust boot time; Unable to launch sample, stop analysis
Warnings: Exclude process from analysis (whitelisted): dllhost.exe
Errors: Nothing to analyse, Joe Sandbox has not found any analysis process or sample; Unable to start the sample

Detection
Strategy: Threshold
Score: 56
Range: 0 - 100
Reporting: Report FP / FN

Confidence
Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification
[Classification diagram: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean]

Analysis Advice
Sample could not be started, try setting a correct file extension or analyse on different analysis machine

Signature Overview
• AV Detection
• Networking
• System Summary
• Malware Analysis System Evasion
• Anti Debugging

AV Detection:
Antivirus detection for submitted file
Multi AV Scanner detection for submitted file

Networking:
Urls found in memory or binary data

System Summary:
Classification label
Sample is known by Antivirus

Malware Analysis System Evasion:
Program does not show much activity (idle)

Anti Debugging:
Program does not show much activity (idle)

Behavior Graph
[Behavior graph: ID 78954, Sample Clapzok, Startdate 21/09/2018, Architecture WINDOWS, Score 56, Is malicious; signatures: Antivirus detection for submitted file, Multi AV Scanner detection for submitted file. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files; language markers: Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language]

Simulations
Behavior and APIs
No simulations

Antivirus Detection

Initial Sample
Source   Detection   Scanner      Label           Link
Clapzok  54%         virustotal                   Browse
Clapzok  100%        Avira        W32/Elmacz.A

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
No Antivirus matches

Yara Overview
Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
Dropped Files: No context

Created / dropped Files
No created / dropped files found

Domains and IPs
Contacted Domains: No contacted domains info
Contacted IPs: No contacted IP infos

Static File Info

General
File type: Mach-O universal binary with 2 architectures: [x86_64: Mach-O 64-bit x86_64 executable] [i386: Mach-O i386 executable]
Entropy (8bit): 5.084211406944398
TrID: Mac OS X Universal Binary executable (4004/1) 75.96%; HSC music composer song (1267/141) 24.04%
File name: Clapzok
File size: 84794
MD5: 99fe5ad5ff514f5aaea8e501ddbaf95b
SHA1: 48bc391b35a5323b70c6908c428917d08054744b
SHA256: 03f2591771c4c04d7f69dd0f7e29f012a4836410e9fb2430d880e38feafe2729
SHA512: c3bdfb40a8c0a6c86135eb4c27e68ad77f2b0b6c0701bff0f7b277fe7977780a35254837f5a8f7bee746f0f4eb7b30bdef99d923d621a07734a9bd31d59ca2d8
File Content Preview: [non-printable bytes]

File Icon

Network Behavior
No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly

Page 8 of 8.