Automated Malware Analysis Report For
ID: 445881
Cookbook: browseurl.jbs
Time: 14:23:44
Date: 08/07/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents ... 2
Windows Analysis Report http://104.244.93.16/seed7.sh ... 3
Overview ... 3
General Information ... 3
Detection ... 3
Signatures ... 3
Classification ... 3
Process Tree ... 3
Malware Configuration ... 3
Yara Overview ... 3
Sigma Overview ... 3
Jbx Signature Overview ... 3
Mitre Att&ck Matrix ... 4
Behavior Graph ... 4
Screenshots ... 4
Thumbnails ... 4
Antivirus, Machine Learning and Genetic Malware Detection ... 5
Initial Sample ... 5
Dropped Files ... 5
Unpacked PE Files ... 5
Domains ... 5
URLs ... 5
Domains and IPs ... 6
Contacted Domains ... 6
URLs from Memory and Binaries ... 6
Contacted IPs ... 6
Public ... 6
General Information ... 6
Simulations ... 6
Behavior and APIs ... 6
Joe Sandbox View / Context ... 7
IPs ... 7
Domains ... 7
ASN ... 7
JA3 Fingerprints ... 7
Dropped Files ... 7
Created / dropped Files ... 7
Static File Info ... 10
No static file info ... 10
Network Behavior ... 10
Network Port Distribution ... 11
TCP Packets ... 11
UDP Packets ... 11
Code Manipulations ... 11
Statistics ... 11
Behavior ... 11
System Behavior ... 11
Analysis Process: iexplore.exe PID: 668 Parent PID: 792 ... 11
General ... 11
File Activities ... 11
Registry Activities ... 11
Analysis Process: iexplore.exe PID: 2968 Parent PID: 668 ... 11
General ... 11
File Activities ... 12
Disassembly ... 12

Copyright Joe Security LLC 2021 Page 2 of 12

Windows Analysis Report http://104.244.93.16/seed7.sh

Overview

General Information
Sample URL: 104.244.93.16/seed7.sh
Analysis ID: 445881

Detection
Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%
Errors: URL not reachable

Signatures
No high impact signatures.

Classification
[Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean]

Process Tree
System is w10x64
iexplore.exe (PID: 668 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 2968 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:668 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Malware Configuration
No configs have been found

Yara Overview
No yara matches

Sigma Overview
No Sigma rule has matched

Jbx Signature Overview
There are no malicious signatures.

Mitre Att&ck Matrix
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts
Defense Evasion: Masquerading 1; Process Injection 1
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: File and Directory Discovery 1; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph
[Behavior graph: ID 445881, URL http://104.244.93.16/seed7.sh, start date 08/07/2021, architecture WINDOWS, score 0. Nodes: iexplore.exe started iexplore.exe; iexplore.exe contacted 104.244.93.16 (ports 49718, 49719, 80; IT7NETCA, Canada). Legend items: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]

Screenshots

Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
104.244.93.16/seed7.sh | 0% | Virustotal | | Browse
104.244.93.16/seed7.sh | 0% | Avira URL Cloud | safe |

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
104.244.93.16/seed7.shRoot | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains
No contacted domains info

URLs from Memory and Binaries

Contacted IPs

Public
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.244.93.16 | unknown | Canada | | 25820 | IT7NETCA | false

General Information
Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 445881
Start date: 08.07.2021
Start time: 14:23:44
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 38s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: 104.244.93.16/seed7.sh
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: UNKNOWN
Classification: unknown0.win@3/11@0/1
Cookbook Comments: Adjust boot time; Enable AMSI; URL browsing timeout or error
Errors: URL not reachable

Simulations

Behavior and APIs
No simulations

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
JA3 Fingerprints: No context
Dropped Files: No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1462496-E032-11EB-90E5-ECF4BB570DC9}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 30296
Entropy (8bit): 1.8497185349682697
Encrypted: false
SSDEEP: 96:r0ZZ9Zk2AWUtUbfIjEKMdsqwyQOxfgjB6X:r0ZHZk2AWUtEfINM9mQfgsX
MD5: 8DD2136E19D57B9995FD1808E1297EAD
SHA1: 3531B492FDA547FE9DE6CC41A3D4F48D0E31AD71
SHA-256: 5E9A9B8B099CF6D410E84AE9A7123D5F8B6EA3CA08ACE23B26AA93F4D667BCB5
SHA-512: 95F823A6DDA1F10EEBC1196D1644790BCF53588E10D71542A5599816DBE87C5D8E397CD0D80C9F0E67BCBB7A3077C1D21BF245B7178844B32FA6B7B06351BFB8
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E1462498-E032-11EB-90E5-ECF4BB570DC9}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 24168
Entropy (8bit): 1.6285403932748126
Encrypted: false
SSDEEP: 48:IwfGcprqjGwpaeG4pQCGrapbSEGQpBdcxGHHpcd+GTGUp8dnGzYpmdUMGopO3UyE:r1Zq9Qe6EBScjV29WXMvknLg
MD5: D4B79F65F89CCAAA4F92DD763F8065EB
SHA1: C50247CD18E8913FACAA8F0EBEFA7EC79A972D26
SHA-256: D6F0FFF9EF5AC9A0241365F5E7026D10B744DB1AA021ADEE359FCE237C36BE6D
SHA-512: 381E8A1DD52EF0D8A8DF22306B03393F940ACFC8B119BA3B6D97D8D2D2A664CED067B604C2FF31A364EED7666CCAB73923040D1E9BE996905C4DEBB84AEE8948
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E1462499-E032-11EB-90E5-ECF4BB570DC9}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes):