
ID: 180101
Sample Name: FL2000-2.1.33676.0.exe
Cookbook: default.jbs
Time: 23:53:31
Date: 01/10/2019
Version: 27.0.0 Red Agate

Table of Contents
  Table of Contents, p. 2
  Analysis Report FL2000-2.1.33676.0.exe, p. 5
    Overview, p. 5
      General Information, p. 5
      Detection, p. 6
      Confidence, p. 6
      Classification, p. 6
      Analysis Advice, p. 7
      Mitre Att&ck Matrix, p. 7
      Signature Overview, p. 8
        Spreading, p. 8
        Networking, p. 8
        E-Banking Fraud, p. 9
        System Summary, p. 9
        Data Obfuscation, p. 9
        Persistence and Installation Behavior, p. 10
        Boot Survival, p. 10
        Hooking and other Techniques for Hiding and Protection, p. 10
        Malware Analysis System Evasion, p. 10
        Anti Debugging, p. 10
        HIPS / PFW / Operating System Protection Evasion, p. 10
        Language, Device and Operating System Detection, p. 11
      Behavior Graph, p. 11
      Simulations, p. 11
        Behavior and APIs, p. 11
      Antivirus, Machine Learning and Genetic Malware Detection, p. 12
        Initial Sample, p. 12
        Dropped Files, p. 12
        Unpacked PE Files, p. 12
        Domains, p. 12
        URLs, p. 12
      Yara Overview, p. 12
        Initial Sample, p. 12
        PCAP (Network Traffic), p. 12
        Dropped Files, p. 13
        Memory Dumps, p. 13
        Unpacked PEs, p. 13
      Joe Sandbox View / Context, p. 13
        IPs, p. 13
        Domains, p. 13
        ASN, p. 13
        JA3 Fingerprints, p. 14
        Dropped Files, p. 14
      Screenshots, p. 14
        Thumbnails, p. 14
    Startup, p. 15
    Created / dropped Files, p. 16
    Domains and IPs, p. 24
      Contacted Domains, p. 24
      Contacted URLs, p. 24
      URLs from Memory and Binaries, p. 24
      Contacted IPs, p. 26
        Public, p. 26
    Static File Info, p. 26
      General, p. 26
      File Icon, p. 27
      Static PE Info, p. 27
        General, p. 27
        Authenticode Signature, p. 27
Copyright Joe Security LLC 2019 Page 2 of 51
        Entrypoint Preview, p. 28
        Rich Headers, p. 29
        Data Directories, p. 29
        Sections, p. 29
        Resources, p. 29
        Imports, p. 30
        Version Infos, p. 30
        Possible Origin, p. 30
    Network Behavior, p. 31
      Network Port Distribution, p. 31
      TCP Packets, p. 31
      UDP Packets, p. 33
      DNS Queries, p. 33
      DNS Answers, p. 33
      HTTP Request Dependency Graph, p. 33
      HTTP Packets, p. 33
    Code Manipulations, p. 34
    Statistics, p. 34
      Behavior, p. 34
    System Behavior, p. 34
      Analysis Process: FL2000-2.1.33676.0.exe PID: 4196 Parent PID: 4092, p. 35
        General, p. 35
        File Activities, p. 35
          File Created, p. 35
          File Deleted, p. 36
          File Moved, p. 36
          File Written, p. 36
          File Read, p. 38
      Analysis Process: FL2000-2.1.33676.0.exe PID: 948 Parent PID: 4092, p. 38
        General, p. 38
        File Activities, p. 38
          File Read, p. 38
      Analysis Process: FL2000-2.1.33676.0.exe PID: 4292 Parent PID: 4092, p. 39
        General, p. 39
        File Activities, p. 39
          File Read, p. 39
      Analysis Process: FL2000-2.1.34054.0.exe PID: 5036 Parent PID: 4196, p. 39
        General, p. 39
        File Activities, p. 39
          File Created, p. 39
          File Deleted, p. 41
          File Written, p. 41
          File Read, p. 44
        Registry Activities, p. 44
          Key Created, p. 44
          Key Value Created, p. 45
      Analysis Process: msiexec.exe PID: 4272 Parent PID: 5036, p. 45
        General, p. 45
        File Activities, p. 45
        Registry Activities, p. 45
      Analysis Process: msiexec.exe PID: 1492 Parent PID: 4536, p. 45
        General, p. 45
      Analysis Process: msiexec.exe PID: 3616 Parent PID: 4536, p. 46
        General, p. 46
      Analysis Process: msiexec.exe PID: 4148 Parent PID: 4536, p. 46
        General, p. 46
      Analysis Process: msiexec.exe PID: 5108 Parent PID: 4536, p. 46
        General, p. 46
      Analysis Process: drvinst.exe PID: 3532 Parent PID: 700, p. 46
        General, p. 46
      Analysis Process: drvinst.exe PID: 716 Parent PID: 700, p. 47
        General, p. 47
      Analysis Process: drvinst.exe PID: 4888 Parent PID: 700, p. 47
        General, p. 47
      Analysis Process: cmd.exe PID: 2564 Parent PID: 4536, p. 47
        General, p. 47
      Analysis Process: conhost.exe PID: 4420 Parent PID: 2564, p. 48
        General, p. 48
      Analysis Process: xcopy.exe PID: 2736 Parent PID: 2564, p. 48
        General, p. 48
      Analysis Process: cmd.exe PID: 5056 Parent PID: 2564, p. 48
        General, p. 48
      Analysis Process: powershell.exe PID: 4800 Parent PID: 5056, p. 48
        General, p. 48
      Analysis Process: cmd.exe PID: 2444 Parent PID: 2564, p. 49
        General, p. 49
      Analysis Process: powershell.exe PID: 4056 Parent PID: 2444, p. 49
        General, p. 49
      Analysis Process: flvga_tray.exe PID: 4028 Parent PID: 3040, p. 49
        General, p. 49
      Analysis Process: sc.exe PID: 4824 Parent PID: 2564, p. 49
        General, p. 49
      Analysis Process: sc.exe PID: 4844 Parent PID: 2564, p. 50
        General, p. 50
      Analysis Process: flvga_tray.exe PID: 4796 Parent PID: 2564, p. 50
        General, p. 50
      Analysis Process: flvga_tray.exe PID: 2472 Parent PID: 3040, p. 50
        General, p. 50
    Disassembly, p. 51
      Code Analysis, p. 51

Analysis Report FL2000-2.1.33676.0.exe

Overview

General Information
Joe Sandbox Version: 27.0.0 Red Agate
Analysis ID: 180101
Start date: 01.10.2019
Start time: 23:53:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: FL2000-2.1.33676.0.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Cmdline fuzzy
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus36.evad.winEXE@34/35@1/1
EGA Information: Successful, ratio: 71.4%
HDC Information: Successful, ratio: 93.3% (good quality ratio 87.2%)
Quality average: 74.8%
Quality standard deviation: 29.9%
HCA Information: Failed
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Found application associated with file extension: .exe
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  TCP Packets have been reduced to 100
  Excluded IPs from analysis (whitelisted): 52.156.204.185, 172.217.23.196, 8.241.9.254, 8.248.127.254, 67.26.137.254, 8.253.204.120, 8.248.141.254, 67.26.111.254, 67.27.233.126, 8.253.95.249, 8.253.207.120, 8.253.204.249, 8.253.207.121, 8.248.113.254, 93.184.221.240, 205.185.216.42, 205.185.216.10, 67.26.83.254, 67.27.158.126
  Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, settings-win.data.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu.azureedge.net, settingsfd-geo.trafficmanager.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, www.google.com, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net
  Execution Graph export aborted for target FL2000-2.1.33676.0.exe, PID 948 because there are no executed function
  Report size exceeded maximum capacity and may have missing behavior information.
  Report size exceeded maximum capacity and may have missing disassembly code.
  Report size getting too big, too many NtDeviceIoControlFile calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.
  Report size getting too big, too many NtSetInformationFile calls found.

Detection
Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 36 | 0 - 100 | (bar not captured) | false | SUS

Confidence
Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 0 | 0 - 5 | true | (bar not captured)

Classification
[Classification chart; only the labels survived extraction. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious, suspicious, clean.]

Analysis Advice
  Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
  Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
  Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
  Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix
(Reconstructed from the flattened grid; numbers after a technique are the report's own observation counts, cells without a number are the matrix's unobserved placeholders. The last row is cut off in the source, marked with "…".)
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Replication Through Removable Media 1 | Execution through API 1 | Modify Existing Service 1 | Exploitation for Privilege Escalation 1 | Deobfuscate/Decode Files or Information 1 | Credential Dumping | System Time Discovery 1 | Remote File Copy 2 | Data from Local System | Data Encrypted 1 | Remote File Copy 2
Replication Through Removable Media | Command-Line Interface 1 | Port Monitors | Access Token Manipulation 1 | File Deletion 1 | Network Sniffing | Peripheral Device Discovery 2 1 | Replication Through Removable Media | Data from Removable Media 1 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 1
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Process Injection 1 1 | Obfuscated Files or Information 2 | Input Capture | Security Software Discovery 4 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol 2
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Masquerading 4 | Credentials in Files | File and Directory Discovery 3 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 2
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions … | Access Token Manipulation 1 | Account Manipulation | System Information … | Shared … | Data Staged | Scheduled … | Standard …