Automated Malware Analysis Report For
ID: 429540
Cookbook: browseurl.jbs
Time: 09:22:24
Date: 04/06/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents (page 2)
Analysis Report http://indiainfra.wireconnect.co.in/misc/pages/ (page 4)
    Overview (page 4)
        General Information (page 4)
        Detection (page 4)
        Signatures (page 4)
        Classification (page 4)
        Process Tree (page 4)
        Malware Configuration (page 4)
        Yara Overview (page 4)
        Sigma Overview (page 4)
        Signature Overview (page 4)
        Mitre Att&ck Matrix (page 5)
        Behavior Graph (page 5)
        Screenshots (page 6)
            Thumbnails (page 6)
    Antivirus, Machine Learning and Genetic Malware Detection (page 7)
        Initial Sample (page 7)
        Dropped Files (page 7)
        Unpacked PE Files (page 7)
        Domains (page 7)
        URLs (page 7)
    Domains and IPs (page 8)
        Contacted Domains (page 8)
        Contacted URLs (page 8)
        URLs from Memory and Binaries (page 8)
        Contacted IPs (page 9)
            Public (page 9)
    General Information (page 9)
    Simulations (page 10)
        Behavior and APIs (page 10)
    Joe Sandbox View / Context (page 10)
        IPs (page 10)
        Domains (page 10)
        ASN (page 10)
        JA3 Fingerprints (page 10)
        Dropped Files (page 11)
    Created / dropped Files (page 11)
    Static File Info (page 19)
        No static file info (page 19)
    Network Behavior (page 19)
        Network Port Distribution (page 19)
        TCP Packets (page 19)
        UDP Packets (page 21)
        DNS Queries (page 22)
        DNS Answers (page 22)
        HTTP Request Dependency Graph (page 22)
        HTTP Packets (page 22)
    Code Manipulations (page 38)
    Statistics (page 38)
        Behavior (page 38)
    System Behavior (page 39)
        Analysis Process: iexplore.exe PID: 6012 Parent PID: 792 (page 39)
            General (page 39)
            File Activities (page 39)
            Registry Activities (page 39)
        Analysis Process: iexplore.exe PID: 6064 Parent PID: 6012 (page 39)
            General (page 39)
            File Activities (page 39)
            Registry Activities (page 40)
    Disassembly (page 40)

Copyright Joe Security LLC 2021 Page 2 of 40

Analysis Report http://indiainfra.wireconnect.co.in/misc…/pages/

Overview

General Information
Sample URL: indiainfra.wireconnect.co.in/misc/pages/
Analysis ID: 429540
Infos:
Most interesting Screenshot:

Detection
Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures
No high impact signatures.

Classification
Rating scale (inner to outer ring): malicious, suspicious, clean
Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Process Tree
System is w10x64
iexplore.exe (PID: 6012, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    iexplore.exe (PID: 6064, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6012 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Malware Configuration
No configs have been found

Yara Overview
No yara matches

Sigma Overview
No Sigma rule has matched

Signature Overview
• Compliance
• Networking
• System Summary
There are no malicious signatures.

Mitre Att&ck Matrix
The matrix lists, per tactic, the techniques the sandbox checked for; a trailing number is the count of matched signatures for that technique.
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Non-Application Layer Protocol 3; Application Layer Protocol 3; Ingress Tool Transfer 2
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
ID: 429540
URL: http://indiainfra.wireconne...
Startdate: 04/06/2021
Architecture: WINDOWS
Score: 0
Graph: iexplore.exe (badges: 2, 61) started iexplore.exe (badges: 2, 49), which contacted maildirect.co.in (66.7.148.195, ports 49694, 49695, 49696; WEBWERKSAS1US, United States) and indiainfra.wireconnect.co.in

Screenshots

Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
indiainfra.wireconnect.co.in/misc/pages/ | 0% | Virustotal |
indiainfra.wireconnect.co.in/misc/pages/ | 0% | Avira URL Cloud | safe

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
Every source below was scanned by Avira URL Cloud with Detection 0% and Label safe:
indiainfra.wireconnect.co.in/images/md_white_logo.png
fontforge.sf.net)IoniconsIoniconsMediumMediumFontForge
indiainfra.wireconnect.co.in/css/adminlte/css/AdminLTE.min.css
fontforge.sf.net)
indiainfra.wireconnect.co.in/css/adminlte/skins/_all-skins.min.css
indiainfra.wireconnect.co.in/js/alt_common.js
indiainfra.wireconnect.co.in/images/favicon-md.ico
indiainfra.wireconnect.co.in/js/adminlte/jquery-ui.min.js
indiainfra.wireconnect.co.in/images/loading.gif
indiainfra.wireconnect.co.in/js/adminlte/jquery.min.js
indiainfra.wireconnect.co.in/js/adminlte/jquery-migrate.js
indiainfra.wireconnect.co.in/misc/pages/Root
indiainfra.wireconnect.co.in/css/adminlte/css/style.css
indiainfra.wireconnect.co.in/css/adminlte/fonts/ionicons.eot?v=2.0.0
indiainfra.wireconnect.co.in/css/adminlte/css/bootstrap.min.css
indiainfra.wireconnect.co.in/js/adminlte/bootstrap.min.js
indiainfra.wireconnect.co.in/css/adminlte/css/font-awesome.min.css
getbootstrap.com)
indiainfra.wireconnect.co.in/js/common.js
fontforge.sf.net)Created
indiainfra.wireconnect.co.in/css/adminlte/css/ionicons.min.css
indiainfra.wireconnect.co.in/images/favicon-md.ico~
indiainfra.wireconnect.co.in/js/adminlte/waitingfor.js

Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
maildirect.co.in | 66.7.148.195 | true | false | | unknown
indiainfra.wireconnect.co.in | unknown | unknown | false | | unknown

Contacted URLs
Each URL below is Malicious: false with Reputation: unknown; Antivirus Detection is "Avira URL Cloud: safe" unless noted.
indiainfra.wireconnect.co.in/images/md_white_logo.png
indiainfra.wireconnect.co.in/css/adminlte/css/AdminLTE.min.css
indiainfra.wireconnect.co.in/css/adminlte/skins/_all-skins.min.css
indiainfra.wireconnect.co.in/js/alt_common.js
indiainfra.wireconnect.co.in/images/favicon-md.ico
indiainfra.wireconnect.co.in/js/adminlte/jquery-ui.min.js
indiainfra.wireconnect.co.in/images/loading.gif
indiainfra.wireconnect.co.in/js/adminlte/jquery.min.js
indiainfra.wireconnect.co.in/js/adminlte/jquery-migrate.js
indiainfra.wireconnect.co.in/misc/pages/ (no Antivirus Detection entry)
indiainfra.wireconnect.co.in/css/adminlte/css/style.css
indiainfra.wireconnect.co.in/css/adminlte/fonts/ionicons.eot?v=2.0.0
indiainfra.wireconnect.co.in/css/adminlte/css/bootstrap.min.css
indiainfra.wireconnect.co.in/js/adminlte/bootstrap.min.js
indiainfra.wireconnect.co.in/css/adminlte/css/font-awesome.min.css
indiainfra.wireconnect.co.in/misc/pages/ (no Antivirus Detection entry)
indiainfra.wireconnect.co.in/js/common.js
indiainfra.wireconnect.co.in/css/adminlte/css/ionicons.min.css
indiainfra.wireconnect.co.in/js/adminlte/waitingfor.js

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
fontforge.sf.net)IoniconsIoniconsMediumMediumFontForge | ionicons[1].eot.2.dr | false | Avira URL Cloud: safe | low
fontawesome.io | font-awesome.min[1].css.2.dr | false | | high
fontforge.sf.net) | ionicons[1].eot.2.dr | false | Avira URL Cloud: safe | low
https://github.com/google/material-design-icons | ionicons.min[1].css.2.dr | false | | high
https://twitter.com/benjsperry | ionicons.min[1].css.2.dr | false | | high
https://adminlte.io | AdminLTE.min[1].css.2.dr | false | | high
jqueryui.com | jquery-ui.min[1].js.2.dr | false | | high
opensource.org/licenses/MIT | AdminLTE.min[1].css.2.dr | false | | high
ionicons.com/ | ionicons.min[1].css.2.dr