Automated Malware Analysis Report For
ID: 142877
Cookbook: browseurl.jbs
Time: 14:46:27
Date: 18/06/2019
Version: 26.0.0 Aquamarine

Table of Contents (page numbers refer to the 43-page original)
  Table of Contents 2
  Analysis Report http://ftp.webolton.com/ 4
    Overview 4: General Information 4; Detection 5; Confidence 5; Classification 5; Analysis Advice 6; Mitre Att&ck Matrix 6
    Signature Overview 7: Phishing 7; Networking 7; System Summary 7
    Behavior Graph 7
    Simulations 8: Behavior and APIs 8
    Antivirus and Machine Learning Detection 8: Initial Sample 8; Dropped Files 8; Unpacked PE Files 8; Domains 8; URLs 8
    Yara Overview 9: Initial Sample 9; PCAP (Network Traffic) 9; Dropped Files 9; Memory Dumps 9; Unpacked PEs 9
    Joe Sandbox View / Context 9: IPs 9; Domains 9; ASN 9; JA3 Fingerprints 9; Dropped Files 10
    Screenshots 10: Thumbnails 10
    Startup 10
    Created / dropped Files 11
    Domains and IPs 29: Contacted Domains 29; Contacted URLs 29; URLs from Memory and Binaries 29; Contacted IPs 31; Public 31
    Static File Info 31: No static file info 31
    Network Behavior 31: Network Port Distribution 31; TCP Packets 32; UDP Packets 33; DNS Queries 35; DNS Answers 35; HTTP Request Dependency Graph 35; HTTP Packets 36; HTTPS Packets 38
    Code Manipulations 41
    Statistics 41
    Behavior 41: System Behavior 41
      Analysis Process: iexplore.exe PID: 4196 Parent PID: 692 41: General 41; File Activities 42; Registry Activities 42
      Analysis Process: iexplore.exe PID: 2372 Parent PID: 4196 42: General 42; File Activities 42; Registry Activities 42
    Disassembly 42

Copyright Joe Security LLC 2019 Page 2 of 43

Analysis Report http://ftp.webolton.com/

Overview

General Information
  Joe Sandbox Version: 26.0.0 Aquamarine
  Analysis ID: 142877
  Start date: 18.06.2019
  Start time: 14:46:27
  Joe Sandbox Product: CloudBasic
  Overall analysis duration: 0h 4m 45s
  Hypervisor based Inspection enabled: false
  Report type: light
  Cookbook file name: browseurl.jbs
  Sample URL: ftp.webolton.com/
  Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
  Number of analysed new started processes analysed: 8
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: EGA enabled; AMSI enabled
  Analysis stop reason: Timeout
  Detection: SUS
  Classification: sus21.phis.win@3/66@7/8
  Cookbook Comments: Adjust boot time; Enable AMSI; Browsing link: http://chrome.google.com/; Browsing link: http://www.getfirefox.com/
  Warnings:
    Exclude process from analysis (whitelisted): MpCmdRun.exe, ielowutil.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
    TCP Packets have been reduced to 100
    Excluded IPs from analysis (whitelisted): (list of whitelisted CDN and Google IP addresses omitted)
    Excluded domains from analysis (whitelisted): (list of whitelisted update, CDN, Google and Mozilla domains omitted)
    Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection
  Strategy   Score  Range    Reporting  Whitelisted
  Threshold  21     0 - 100             false

Confidence
  Strategy   Score  Range  Further Analysis Required?
  Threshold  4      0 - 5  false

Classification
  (Radar chart in the original. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious / suspicious / clean.)

Analysis Advice
  Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix
  Initial Access: Valid Accounts 1; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
  Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task
  Persistence: Valid Accounts 1; Port Monitors; Accessibility Features; System Firmware
  Privilege Escalation: Valid Accounts 1; Accessibility Features; Path Interception; DLL Search Order Hijacking
  Defense Evasion: Valid Accounts 1; Binary Padding; Rootkit; Obfuscated Files or Information
  Credential Access: Input Prompt 1; Network Sniffing; Input Capture; Credentials in Files
  Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry; System Network Configuration Discovery
  Lateral Movement: Remote File Copy 1; Remote Services; Windows Remote Management; Logon Scripts
  Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
  Command and Control: Standard Cryptographic Protocol 2; Standard Non-Application Layer Protocol 3; Standard Application Layer Protocol 3; Remote File Copy 1

Signature Overview
• Phishing
• Networking
• System Summary

Phishing:
• Ask for current and new password
• Found iframes
• HTML body contains low number of good links
• None HTTPS page querying sensitive user data (password, username or email)
• META author tag missing
• META copyright tag missing

Networking:
• Downloads files from webservers via HTTP
• Found strings which match to known social media urls
• Performs DNS lookups
• Urls found in memory or binary data
• Uses HTTPS

System Summary:
• Classification label
• Creates files inside the user directory
• Creates temporary files
• Reads ini files
• Spawns processes
• Found graphical window changes (likely an installer)
• Uses new MSVCR Dlls

Behavior Graph
  (Graph rendered as an image in the original; recoverable content follows.)
  ID: 142877; URL: http://ftp.webolton.com/; Startdate: 18/06/2019; Architecture: WINDOWS; Score: 21
  Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
  Nodes: started iexplore.exe 10 84; started iexplore.exe 5 119; signature: Ask for current and new password
  DNS/IP: pagead46.l.doubleclick.net 172.217.17.98, 443, 49746, 49747 unknown United States; www.google.ch 172.217.20.67, 443, 49744, 49745 unknown United States; 10 other IPs or domains

Simulations
  Behavior and APIs: No simulations

Antivirus and Machine Learning Detection

Initial Sample
  Source | Detection | Scanner | Label | Link
  ftp.webolton.com/ | 0% | virustotal | | Browse

Dropped Files: No Antivirus matches

Unpacked PE Files: No Antivirus matches

Domains
  Source | Detection | Scanner | Label | Link
  ftp.webolton.com | 0% | virustotal | | Browse

URLs
  Source | Detection | Scanner | Label | Link
  ftp.webolton.com/WebInterface/login.html | 0% | virustotal | | Browse
  ftp.webolton.com/WebInterface/login.html | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/WebInterface/jQuery/js/jquery.blockUI.js | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/WebInterface/login.html/chrome/face/login.htmlRoot | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/favicon.ico | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/WebInterface/jQuery/images/button-bg.png | 0% | Avira URL Cloud | safe |
  ftp.weboltRoot | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/WebInterface/login.htmlRoot | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/WebInterface/login.htmlg/en-US/firefox/new/?redirect_soon.com/WebInterface/l | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/WebInterface/jQuery/js/jquery-ui-1.8.2.custom.min.js | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/WebInterface/images/wheel.gif | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/favicon.ico~ | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/WebInterface/jQuery/js/jquery-1.4.2.min.js | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/WebInterface/images/bolton-logo.JPG | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/WebInterface/login.html.Bolton | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/WebInterface/jQuery/css/login.css | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/ | 0% | virustotal | | Browse
  ftp.webolton.com/ | 0% | Avira URL Cloud | safe |
  ftp.webolton.com/WebInterface/login.htmlon.com/WebInterface/login.html | 0% | Avira URL Cloud | safe |

Yara Overview
  Initial Sample: No yara matches
  PCAP (Network Traffic): No yara matches
  Dropped Files: No yara matches
  Memory Dumps: No yara matches
  Unpacked PEs: No yara matches

Joe Sandbox View / Context
  IPs: No context
  Domains: No context
  ASN: No context
  JA3 Fingerprints: No context
  Dropped Files: No context

Screenshots

Thumbnails
  This section contains all screenshots as thumbnails, including those