Automated Malware Analysis Report for Authorizationform.Vbs

Automated Malware Analysis Report for Authorizationform.Vbs

ID: 42946 Sample Name: AuthorizationForm.vbs Cookbook: default.jbs Time: 20:25:46 Date: 17/01/2018 Version: 20.0.0 Table of Contents Table of Contents 2 Analysis Report 4 Overview 4 General Information 4 Detection 4 Confidence 4 Classification 5 Analysis Advice 5 Signature Overview 6 AV Detection: 6 Networking: 6 Boot Survival: 6 Stealing of Sensitive Information: 6 Persistence and Installation Behavior: 6 Spreading: 6 System Summary: 6 HIPS / PFW / Operating System Protection Evasion: 7 Anti Debugging: 7 Malware Analysis System Evasion: 7 Hooking and other Techniques for Hiding and Protection: 7 Lowering of HIPS / PFW / Operating System Security Settings: 7 Language, Device and Operating System Detection: 7 Behavior Graph 7 Simulations 8 Behavior and APIs 8 Antivirus Detection 8 Initial Sample 8 Dropped Files 8 Domains 9 Yara Overview 9 Initial Sample 9 PCAP (Network Traffic) 9 Dropped Files 9 Memory Dumps 9 Unpacked PEs 9 Joe Sandbox View / Context 9 IPs 9 Domains 9 ASN 9 Dropped Files 9 Screenshot 9 Startup 10 Created / dropped Files 10 Contacted Domains/Contacted IPs 12 Contacted Domains 12 Contacted IPs 12 Static File Info 12 General 12 File Icon 13 Network Behavior 13 Snort IDS Alerts 13 Network Port Distribution 13 TCP Packets 14 Copyright Joe Security LLC 2018 Page 2 of 30 UDP Packets 15 DNS Queries 16 DNS Answers 16 HTTP Request Dependency Graph 16 HTTP Packets 16 Code Manipulations 19 Statistics 19 Behavior 19 System Behavior 20 Analysis Process: wscript.exe PID: 3100 Parent PID: 2852 20 General 20 File Activities 20 File Created 20 File Deleted 21 File Written 25 Registry Activities 26 Analysis Process: explorer.exe PID: 3188 Parent PID: 2812 27 General 27 File Activities 27 File Created 27 Analysis Process: explorer.exe PID: 3200 Parent PID: 2812 27 General 27 File Activities 27 File Created 27 Analysis Process: explorer.exe PID: 3224 Parent PID: 548 28 General 28 File Activities 28 Registry Activities 28 Analysis Process: explorer.exe PID: 3236 Parent PID: 2812 28 General 28 File Activities 28 File Created 28 Analysis Process: explorer.exe PID: 3300 Parent PID: 548 29 General 29 File Activities 29 Analysis Process: explorer.exe PID: 3344 Parent PID: 548 29 General 29 Registry Activities 29 Analysis Process: wscript.exe PID: 3472 Parent PID: 3344 29 General 29 File Activities 30 Disassembly 30 Code Analysis 30 Copyright Joe Security LLC 2018 Page 3 of 30 Analysis Report Overview General Information Joe Sandbox Version: 20.0.0 Analysis ID: 42946 Start time: 20:25:46 Joe Sandbox Product: CloudBasic Start date: 17.01.2018 Overall analysis duration: 0h 10m 49s Hypervisor based Inspection enabled: false Report type: light Sample file name: AuthorizationForm.vbs Cookbook file name: default.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1) Number of analysed new started processes analysed: 16 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies HCA enabled EGA enabled HDC enabled Detection: MAL Classification: mal84.evad.spyw.troj.winVBS@9/6@1/1 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: Failed HDC Information: Failed Cookbook Comments: Found application associated with file extension: .vbs Warnings: Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Detection Strategy Score Range Reporting Detection Threshold 84 0 - 100 Report FP / FN Confidence Copyright Joe Security LLC 2018 Page 4 of 30 Strategy Score Range Further Analysis Required? Confidence Threshold 5 0 - 5 false Classification Ransomware Miner Spreading mmaallliiiccciiioouusss malicious Evader Phishing sssuusssppiiiccciiioouusss suspicious cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook Copyright Joe Security LLC 2018 Page 5 of 30 Signature Overview • AV Detection • Networking • Boot Survival • Stealing of Sensitive Information • Persistence and Installation Behavior • Spreading • System Summary • HIPS / PFW / Operating System Protection Evasion • Anti Debugging • Malware Analysis System Evasion • Hooking and other Techniques for Hiding and Protection • Lowering of HIPS / PFW / Operating System Security Settings • Language, Device and Operating System Detection Click to jump to signature section AV Detection: Antivirus detection for submitted file Networking: Downloads files Performs DNS lookups Posts data to webserver Urls found in memory or binary data Detected TCP or UDP traffic on non-standard ports Uses known network protocols on non-standard ports Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) Boot Survival: Creates an autostart registry key Creates a start menu entry (Start Menu\Programs\Startup) Stores files to the Windows start menu directory Drops VBS files to the startup folder Stealing of Sensitive Information: Searches for user specific document files Uploads sensitive system information to the internet (privacy leak) Persistence and Installation Behavior: Windows Shell Script Host drops VBS files Spreading: Enumerates the file system System Summary: Uses Rich Edit Controls Found graphical window changes (likely an installer) Binary contains paths to debug symbols Copyright Joe Security LLC 2018 Page 6 of 30 Classification label Creates files inside the user directory Creates temporary files Executes visual basic scripts Launches a second explorer.exe instance Queries process information (via WMI, Win32_Process) Reads ini files Reads software policies Sample is known by Antivirus (Virustotal or Metascan) Spawns processes Uses an in-process (OLE) Automation server Deletes Windows files Java / VBScript file with very long strings (likely obfuscated code) Reads the hosts file Suspicious javascript / visual basic script found (invalid extension) HIPS / PFW / Operating System Protection Evasion: May try to detect the Windows Explorer process (often used for injection) Anti Debugging: Checks for debuggers (devices) Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) Malware Analysis System Evasion: May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) Enumerates the file system Found WSH timer for Javascript or VBS script (likely evasive script) Found a high number of Window / User specific system calls (may be a loop to detect user behavior) May sleep (evasive loops) to hinder dynamic analysis Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) System process connects to network (likely due to code injection or exploit) Uses known network protocols on non-standard ports Lowering of HIPS / PFW / Operating System Security Settings: Checks if Antivirus/Antispyware/Firewall program is installed (via WMI) Language, Device and Operating System Detection: Queries the cryptographic machine GUID Behavior Graph Copyright Joe Security LLC 2018 Page 7 of 30 Hide Legend Legend: Process Signature Created File DNS/IP Info Is Dropped Behavior Graph ID: 42946 Is Windows Process Sample: AuthorizationForm.vbs Number of created Registry Values Startdate: 17/01/2018 Architecture: WINDOWS Score: 84 Number of created Files Visual Basic Snort IDS alert for Detected TCP or UDP network traffic (e.g. Antivirus detection traffic on non-standard 3 other signatures started started started based on Emerging Threat for submitted file ports rules) Delphi Java wscript.exe explorer.exe explorer.exe .Net C# or VB.NET 4 other processes 2 16 2 4 C, C++ or other language shkis.publicvm.com 141.255.146.245, 49164, 49165, 49166 dropped dropped dropped dropped Is malicious dropped IELOIELOMainNetworkFR Netherlands C:\...\AuthorizationForm.vbs:Zone.Identifier, ASCII C:\Users\user\...\AuthorizationForm.vbs, ASCII C:\...\AuthorizationForm.vbs:Zone.Identifier, ASCII C:\Users\user\...\AuthorizationForm.vbs, ASCII started unknown, Hitachi System process connects Detected TCP or UDP Suspicious javascript Windows Shell Script Drops VBS files to the to network (likely due traffic on non-standard / visual basic script Host drops VBS files startup folder to code injection or ports found (invalid extension) exploit) wscript.exe 1 Simulations Behavior and APIs Time Type Description 20:26:16 API Interceptor 4062x Sleep call for process: wscript.exe modified from: 60000ms to: 100ms 20:26:18 API Interceptor 43x Sleep call for process: explorer.exe modified from: 60000ms to: 100ms 20:26:18 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AuthorizationForm wscript.exe //B "C:\Users\user\AppData\Roaming\AuthorizationForm.vbs" 20:26:18 Autostart Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run AuthorizationForm wscript.exe //B "C:\Users\user\AppData\Roaming\AuthorizationForm.vbs"

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    30 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us