ID: 68736
Sample Name: Mousotronsetup.exe
Cookbook: default.jbs
Time: 02:00:32
Date: 19/07/2018
Version: 23.0.0

Table of Contents
  Table of Contents  2
  Analysis Report  4
    Overview  4
      General Information  4
      Detection  4
      Confidence  4
      Classification  5
      Analysis Advice  5
    Signature Overview  6
      AV Detection  6
      Spreading  6
      Networking  6
      Key, Mouse, Clipboard, Microphone and Screen Capturing  6
      System Summary  6
      Data Obfuscation  7
      Persistence and Installation Behavior  7
      Boot Survival  7
      Hooking and other Techniques for Hiding and Protection  7
      Malware Analysis System Evasion  7
      Anti Debugging  8
      HIPS / PFW / Operating System Protection Evasion  8
      Language, Device and Operating System Detection  8
    Behavior Graph  8
    Simulations  9
      Behavior and APIs  9
    Antivirus Detection  9
      Initial Sample  9
      Dropped Files  9
      Unpacked PE Files  9
      Domains  9
      URLs  9
    Yara Overview  9
      Initial Sample  9
      PCAP (Network Traffic)  9
      Dropped Files  9
      Memory Dumps  9
      Unpacked PEs  9
    Joe Sandbox View / Context  10
      IPs  10
      Domains  10
      ASN  10
      Dropped Files  10
    Screenshots  11
    Startup  11
    Created / dropped Files  11
    Contacted Domains/Contacted IPs  14
      Contacted Domains  14
      Contacted IPs  14
    Static File Info  14
      General  14
      File Icon  15
      Static PE Info  15
        General  15
        Entrypoint Preview  15
        Data Directories  16
        Sections  16
        Resources  17
        Imports  17
        Version Infos  17
        Possible Origin  17
    Network Behavior  18
    Code Manipulations  18
    Statistics  18
      Behavior  18
    System Behavior  18
      Analysis Process: Mousotronsetup.exe PID: 3448 Parent PID: 3040  18
        General  18
        File Activities  19
          File Created  19
          File Deleted  19
          File Written  19
          File Read  19
      Analysis Process: Mousotronsetup.tmp PID: 3472 Parent PID: 3448  20
        General  20
        File Activities  20
          File Created  20
          File Moved  21
          File Written  21
          File Read  23
        Registry Activities  23
          Key Created  23
          Key Value Created  24
      Analysis Process: Mousotron.exe PID: 3552 Parent PID: 3472  25
        General  25
        File Activities  25
        Registry Activities  25
          Key Value Created  25
          Key Value Modified  25
    Disassembly  31
      Code Analysis  31

Copyright Joe Security LLC 2018 Page 2 of 31

Analysis Report

Overview

General Information
  Joe Sandbox Version: 23.0.0
  Analysis ID: 68736
  Start time: 02:00:32
  Joe Sandbox Product: CloudBasic
  Start date: 19.07.2018
  Overall analysis duration: 0h 7m 11s
  Hypervisor based Inspection enabled: false
  Report type: light
  Sample file name: Mousotronsetup.exe
  Cookbook file name: default.jbs
  Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
  Number of new started processes analysed: 5
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: HCA enabled, EGA enabled, HDC enabled
  Analysis stop reason: Timeout
  Detection: SUS
  Classification: sus26.spyw.winEXE@5/11@0/0
  EGA Information: Successful, ratio: 100%
  HDC Information: Successful, ratio: 52.7% (good quality ratio 44.5%)
  Quality average: 73.3%
  Quality standard deviation: 35.9%
  HCA Information: Successful, ratio: 57%
  Number of executed functions: 0
  Number of non-executed functions: 0
  Cookbook Comments: Adjust boot time; Correcting counters for adjusted boot time; Found application associated with file extension: .exe
  Warnings: Exclude process from analysis (whitelisted): dllhost.exe; Report size getting too big, too many NtQueryValueKey calls found.

Detection
  Strategy   Score  Range    Reporting
  Threshold  26     0 - 100  Report FP / FN

Confidence
  Strategy   Score  Range  Further Analysis Required?
  Threshold  2      0 - 5  true

Classification
  [Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean]

Analysis Advice
  Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
  Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
  Sample searches for specific files, try pointing organization-specific fake files to the analysis machine

Signature Overview
  • AV Detection
  • Spreading
  • Networking
  • Key, Mouse, Clipboard, Microphone and Screen Capturing
  • System Summary
  • Data Obfuscation
  • Persistence and Installation Behavior
  • Boot Survival
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Anti Debugging
  • HIPS / PFW / Operating System Protection Evasion
  • Language, Device and Operating System Detection

AV Detection:
  Antivirus detection for unpacked file

Spreading:
  Enumerates the file system
  Contains functionality to enumerate / list files inside a directory

Networking:
  Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:
  Installs a global keyboard hook
  Contains functionality to read data from the clipboard
  Contains functionality to read the clipboard data
  Contains functionality to retrieve information about pressed keystrokes
  Installs a global mouse hook

System Summary:
  Dropped file seen in connection with other malware
  Contains functionality to communicate with device drivers
  Contains functionality to shutdown / reboot the system
  Creates mutexes
  Detected potential crypto function
  Found potential string decryption / allocating functions
  PE file contains executable resources (Code or Archives)
  PE file contains strange resources
  Sample file is different than original file name gathered from version info
  Sample reads its own file content
  Classification label
  Contains functionality to adjust token privileges (e.g. debug / backup)
  Contains functionality to check free disk space
  Contains functionality to instantiate COM classes
  Contains functionality to load and extract PE file embedded resources
  Creates files inside the program directory
  Creates files inside the user directory
  Creates temporary files
  Parts of this application are using Borland Delphi (Probably coded in Delphi)
  Reads ini files
  Reads software policies
  Reads the Windows registered organization settings
  Spawns processes
  Uses an in-process (OLE) Automation server
  Reads the Windows registered owner settings
  Executable creates window controls seldom found in malware
  Found GUI installer (many successful clicks)
  Found graphical window changes (likely an installer)
  Found installer window with terms and condition text
  Creates a directory in C:\Program Files
  Creates a software uninstall entry
  Submission file is bigger than most known malware samples
  Contains modern PE file flags such as dynamic base (ASLR) or NX

Data Obfuscation:
  Contains functionality to dynamically determine API calls
  PE file contains sections with non-standard names
  Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:
  Drops PE files

Boot Survival:
  Stores files to the Windows start menu directory

Hooking and other Techniques for Hiding and Protection:
  Contains functionality to check if a window is minimized (may be used to check if an application is visible)
  Extensive use of GetProcAddress (often used to hide API calls)
  Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:
  Enumerates the file system
  Found dropped PE file which has not been started or loaded
  Found evasive API chain (date check)
  Found large amount of non-executed APIs
  Queries keyboard layouts
  Contains functionality to enumerate / list files inside a directory
  Contains functionality to query system information
  Program exit points
  Queries a list of all running processes

Anti Debugging:
  Checks for debuggers (devices)
  Contains functionality to check if a debugger is running (IsDebuggerPresent)
  Contains functionality to dynamically determine API calls

HIPS / PFW / Operating System Protection Evasion:
  Contains functionality to launch a program with higher privileges
  Contains functionality to add an ACL to a security descriptor
  Contains functionality to create a new security descriptor
  May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:
  Contains functionality to query locale information (e.g. system language)
  Queries the volume information (name, serial number etc) of a device
  Contains functionality to create pipes for IPC
  Contains functionality to query local / system time
  Contains functionality to query the account / user name
  Contains functionality to query time zone information
  Contains functionality to query windows version

Behavior Graph
  [Behavior graph: ID 68736, Sample Mousotronsetup.exe, Startdate 19/07/2018, Architecture WINDOWS, Score 26.
   Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious.
   Graph: Mousotronsetup.exe (2 created files) drops C:\Users\HERBBL~1\...\Mousotronsetup.tmp (PE32), which is started as Mousotronsetup.tmp (29 created files, 24 created registry values); Mousotronsetup.tmp drops C:\Program Files\Mousotron\is-MT9NN.tmp (PE32) and C:\Program Files\Mousotron\is-VKG7F.tmp (PE32) and starts Mousotron.exe (12). Signatures attached: Dropped file seen in connection with other malware; Antivirus detection for unpacked file; Installs a global keyboard hook.]

Simulations

Behavior and APIs
  Time      Type             Description
  02:01:03  API Interceptor