Automated Malware Analysis Report for M954tovb7j

ID: 227143
Sample Name: m954tovB7J
Cookbook: default.jbs
Time: 23:36:20
Date: 03/05/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

  Table of Contents 2
  Analysis Report m954tovB7J 5
    Overview 5
      General Information 5
      Detection 5
      Confidence 5
      Classification Spiderchart 6
      Analysis Advice 6
      Mitre Att&ck Matrix 7
      Signature Overview 7
        AV Detection: 7
        Spreading: 7
        Networking: 8
        Key, Mouse, Clipboard, Microphone and Screen Capturing: 8
        System Summary: 8
        Data Obfuscation: 8
        Boot Survival: 8
        Hooking and other Techniques for Hiding and Protection: 8
        Malware Analysis System Evasion: 9
        Anti Debugging: 9
        HIPS / PFW / Operating System Protection Evasion: 9
        Language, Device and Operating System Detection: 9
        Remote Access Functionality: 9
      Malware Configuration 9
      Behavior Graph 9
      Simulations 10
        Behavior and APIs 10
      Antivirus, Machine Learning and Genetic Malware Detection 10
        Initial Sample 10
        Dropped Files 10
        Unpacked PE Files 10
        Domains 11
        URLs 11
      Yara Overview 11
        Initial Sample 11
        PCAP (Network Traffic) 11
        Dropped Files 11
        Memory Dumps 11
        Unpacked PEs 13
      Sigma Overview 14
      Joe Sandbox View / Context 14
        IPs 14
        Domains 14
        ASN 14
        JA3 Fingerprints 15
        Dropped Files 15
      Screenshots 15
        Thumbnails 15
      Startup 16
      Created / dropped Files 16
      Domains and IPs 16
        Contacted Domains 16
        URLs from Memory and Binaries 16
        Contacted IPs 16
          Public 17
      Static File Info 17
        General 17
        File Icon 17
        Static PE Info 18
          General 18
          Entrypoint Preview 18
          Data Directories 19
          Sections 19
          Resources 20
          Imports 22
        Possible Origin 23
      Network Behavior 23
        TCP Packets 23
      Code Manipulations 24
      Statistics 24
        Behavior 24
      System Behavior 24
        Analysis Process: m954tovB7J.exe PID: 5424 Parent PID: 5372 24
          General 24
          File Activities 25
            File Created 25
            File Read 25
          Registry Activities 25
            Key Value Created 25
        Analysis Process: cmd.exe PID: 5460 Parent PID: 5424 25
          General 25
          File Activities 26
        Analysis Process: conhost.exe PID: 5488 Parent PID: 5460 26
          General 26
        Analysis Process: systeminfo.exe PID: 4312 Parent PID: 5460 26
          General 26
          File Activities 26
          Registry Activities 26
        Analysis Process: tasklist.exe PID: 2336 Parent PID: 5460 26
          General 26
          File Activities 27
        Analysis Process: cmd.exe PID: 6104 Parent PID: 5424 27
          General 27
          File Activities 27
        Analysis Process: conhost.exe PID: 3704 Parent PID: 6104 27
          General 27
        Analysis Process: systeminfo.exe PID: 5824 Parent PID: 6104 27
          General 27
          File Activities 28
        Analysis Process: tasklist.exe PID: 5252 Parent PID: 6104 28
          General 28
          File Activities 28
        Analysis Process: cmd.exe PID: 4736 Parent PID: 5424 28
          General 28
          File Activities 28
        Analysis Process: conhost.exe PID: 3008 Parent PID: 4736 28
          General 28
        Analysis Process: systeminfo.exe PID: 920 Parent PID: 4736 29
          General 29
          File Activities 29
        Analysis Process: tasklist.exe PID: 3020 Parent PID: 4736 29
          General 29
          File Activities 29
        Analysis Process: cmd.exe PID: 2976 Parent PID: 5424 29
          General 29
          File Activities 30
        Analysis Process: conhost.exe PID: 184 Parent PID: 2976 30
          General 30
        Analysis Process: systeminfo.exe PID: 5292 Parent PID: 2976 30
          General 30
          File Activities 30
        Analysis Process: tasklist.exe PID: 3976 Parent PID: 2976 30
          General 30
          File Activities 31
        Analysis Process: cmd.exe PID: 4120 Parent PID: 5424 31
          General 31
          File Activities 31
        Analysis Process: conhost.exe PID: 5388 Parent PID: 4120 31
          General 31
        Analysis Process: systeminfo.exe PID: 5880 Parent PID: 4120 31
          General 31
          File Activities 32
        Analysis Process: tasklist.exe PID: 5548 Parent PID: 4120 32
          General 32
          File Activities 32
      Disassembly 32
        Code Analysis 32

Copyright Joe Security LLC 2020 Page 2 of 32

Analysis Report m954tovB7J

Overview

General Information

  Joe Sandbox Version: 28.0.0 Lapis Lazuli
  Analysis ID: 227143
  Start date: 03.05.2020
  Start time: 23:36:20
  Joe Sandbox Product: CloudBasic
  Overall analysis duration: 0h 5m 54s
  Hypervisor based Inspection enabled: false
  Report type: light
  Sample file name: m954tovB7J (renamed file extension from none to exe)
  Cookbook file name: default.jbs
  Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
  Number of new started processes analysed: 23
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
  Analysis Mode: default
  Analysis stop reason: Timeout
  Detection: MAL
  Classification: mal76.evad.winEXE@36/0@0/1
  EGA Information: Successful, ratio: 100%
  HDC Information: Successful, ratio: 3.9% (good quality ratio 3.9%)
  Quality average: 80.4%
  Quality standard deviation: 17.8%
  HCA Information: Failed
  Cookbook Comments: Adjust boot time; Enable AMSI
  Warnings: Exclude process from analysis (whitelisted): WMIADAP.exe, WmiPrvSE.exe; Report size exceeded maximum capacity and may have missing behavior information.

Detection

  Strategy: Threshold
  Score: 76
  Range: 0 - 100
  Whitelisted: false

Confidence

  Strategy: Threshold
  Score: 5
  Range: 0 - 5
  Further Analysis Required?: false

Classification Spiderchart

  [Spiderchart image; axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean]

Analysis Advice

  • All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which no longer works.
  • Sample has functionality to log and monitor keystrokes; analyze it with the 'Simulates keyboard and window changes' cookbook.
  • Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--").
  • Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.

Mitre Att&ck Matrix

  The matrix lists seven entries per tactic column, top to bottom; the digits after a technique name are the count badges shown in the original matrix.

  Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
  Execution: Windows Management Instrumentation 3 2 1; Command-Line Interface 2; Execution through API 1; Graphical User Interface 1; Command-Line Interface; Graphical User Interface; Scripting
  Persistence: Application Shimming 1; Registry Run Keys / Startup Folder 1; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
  Privilege Escalation: Process Injection 1 2; Application Shimming 1; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
  Defense Evasion: Masquerading 1; Virtualization/Sandbox Evasion 1 3; Process Injection 1 2; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; DLL Search Order Hijacking; Software Packing
  Credential Access: Input Capture 1 1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
  Discovery: System Time Discovery 2; Virtualization/Sandbox Evasion 1 3; Process Discovery 2; Application Window Discovery 1 1; Security Software Discovery 1 3 1; File and Directory Discovery 1; System Information Discovery 1 3 6
  Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
  Collection: Screen Capture 1; Input Capture 1 1; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
  Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
  Command and Control: Standard Cryptographic Protocol 1; Commonly Used Port; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port

Signature Overview

  • AV Detection
  • Spreading
  • Networking
  • Key, Mouse, Clipboard, Microphone and Screen Capturing
  • System Summary
  • Data Obfuscation
  • Boot Survival
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Anti Debugging
  • HIPS / PFW / Operating System Protection Evasion
  • Language, Device and Operating System Detection
  • Remote Access Functionality

AV Detection:

  • Antivirus detection for sample
  • Multi AV Scanner detection for submitted file

Spreading:

  • Contains functionality to enumerate / list files inside a directory

Networking:

  • Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
  • Connects to IPs without corresponding DNS lookups
  • Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

  • Contains functionality to record screenshots
  • Contains functionality to retrieve information about pressed keystrokes

System Summary:

  • Submitted sample is a known malware sample
  • Writes or reads registry keys via WMI
  • Detected potential crypto function
  • Found potential string decryption / allocating functions
  • PE file contains strange resources
  • Sample file is different than original file name gathered from version info
  • Yara signature match
  • Classification label
  • Contains functionality for error logging
  • Contains functionality to check free disk space
  • Contains functionality to instantiate COM classes
