Automated Malware Analysis Report for 18-02-22-(K-Irie).Xls

ID: 47598
Sample Name: 18-02-22-(k-irie).xls
Cookbook: defaultwindowsofficecookbook.jbs
Time: 01:30:58
Date: 23/02/2018
Version: 21.0.0

Table of Contents

Table of Contents 2
Analysis Report 4
  Overview 4
    General Information 4; Detection 4; Confidence 5; Classification 5; Analysis Advice 5
  Signature Overview 6
    AV Detection 6; Software Vulnerabilities 6; Networking 6; Data Obfuscation 6; Spreading 6; System Summary 6; HIPS / PFW / Operating System Protection Evasion 7; Anti Debugging 7; Malware Analysis System Evasion 7; Hooking and other Techniques for Hiding and Protection 7; Language, Device and Operating System Detection 7
  Behavior Graph 7
  Simulations 8
    Behavior and APIs 8
  Antivirus Detection 8
    Initial Sample 8; Dropped Files 8; Unpacked PE Files 8; Domains 9
  Yara Overview 9
    Initial Sample 9; PCAP (Network Traffic) 9; Dropped Files 9; Memory Dumps 9; Unpacked PEs 9
  Joe Sandbox View / Context 9
    IPs 9; Domains 9; ASN 9; Dropped Files 10
  Screenshot 10
  Startup 11
  Created / dropped Files 11
  Contacted Domains/Contacted IPs 12
    Contacted Domains 12; Contacted IPs 12
  Static File Info 13
    General 13; File Icon 13
    Static OLE Info 13
      General 13
      OLE File "18-02-22-(k-irie).xls" 14
        Indicators 14; Summary 14; Document Summary 14
        Streams with VBA 14
          VBA File Name: Sheet1.cls, Stream Size: 977 14 (General 14; VBA Code Keywords 14; VBA Code 14)
          VBA File Name: ThisWorkbook.cls, Stream Size: 5760 14 (General 14; VBA Code Keywords 15; VBA Code 16)
        Streams 16
          Stream Path: \x1CompObj, File Type: data, Stream Size: 107 16
          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 240 16
          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 168 17
          Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 55082 17
          Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 425 17
          Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 62 17
          Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 3005 18
          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 1414 18
          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 106 18
          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 548 18
          Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 481 19
          Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 524 19
  Network Behavior 19
    Network Port Distribution 19; TCP Packets 19; UDP Packets 20; ICMP Packets 20; DNS Queries 20; DNS Answers 20; HTTP Request Dependency Graph 20; HTTP Packets 20
  Code Manipulations 21
  Statistics 21
    Behavior 21
  System Behavior 21
    Analysis Process: EXCEL.EXE PID: 3268 Parent PID: 2948 21 (General 21; File Activities 21; Registry Activities 22; Key Created 22)
    Analysis Process: cmd.exe PID: 3348 Parent PID: 3268 22 (General 22)
    Analysis Process: powershell.exe PID: 3376 Parent PID: 3348 22 (General 22; File Activities 23; File Created 23; File Deleted 23; Registry Activities 23)
  Disassembly 23
    Code Analysis 23

Copyright Joe Security LLC 2018

Analysis Report

Overview

General Information
Joe Sandbox Version: 21.0.0
Analysis ID: 47598
Start time: 01:30:58
Joe Sandbox Product: CloudBasic
Start date: 23.02.2018
Overall analysis duration: 0h 4m 16s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 18-02-22-(k-irie).xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, GSI enabled (VBA)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.evad.expl.winXLS@5/3@3/2
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments: Adjust boot time; Found application associated with file extension: .xls; Found Word or Excel or PowerPoint document; Simulate clicks; Number of clicks 142; Close Viewer
Warnings: Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, dllhost.exe; Report size getting too big, too many NtOpenKeyEx calls found; Report size getting too big, too many NtQueryValueKey calls found; Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: EXCEL.EXE, powershell.exe

Detection
Strategy: Threshold
Score: 84
Range: 0 - 100

Confidence
Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false

Classification
[Classification chart: verdict scale malicious / suspicious / clean; categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware]

Analysis Advice
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Signature Overview

AV Detection:
  • Multi AV Scanner detection for domain / URL
  • Multi AV Scanner detection for submitted file

Software Vulnerabilities:
  • Potential document exploit detected (performs DNS queries)
  • Potential document exploit detected (performs HTTP gets)
  • Potential document exploit detected (unknown TCP traffic)
  • Document exploit detected (process start blacklist hit)

Networking:
  • Downloads files from webservers via HTTP
  • Performs DNS lookups
  • Urls found in memory or binary data
  • Domain name seen in connection with other malware
  • HTTP GET or POST without a user agent
  • Internet Provider seen in connection with other malware

Data Obfuscation:
  • Document contains an embedded VBA with many string operations indicating source code obfuscation
  • Obfuscated command line found

Spreading:
  • Enumerates the file system

System Summary:
  • Checks whether correct version of .NET is installed
  • Found graphical window changes (likely an installer)
  • Uses Microsoft Silverlight
  • Checks if Microsoft Office is installed
  • Uses new MSVCR Dlls
  • Binary contains paths to debug symbols
  • Binary contains paths to development resources
  • Classification label
  • Creates files inside the user directory
  • Creates temporary files
  • Document contains an OLE Workbook stream indicating a Microsoft Excel file
  • Found command line output
  • Parts of this application are using the .NET runtime (Probably coded in C#)
  • Reads ini files
  • Reads software policies
  • Sample is known by Antivirus (Virustotal or Metascan)
  • Spawns processes
  • Uses an in-process (OLE) Automation server
  • Creates mutexes
  • Document contains embedded VBA macros
  • Reads the hosts file
  • Document contains an embedded VBA macro which executes code when the document is opened / closed
  • Document contains an embedded VBA macro which may execute processes
  • Powershell connects to network

HIPS / PFW / Operating System Protection Evasion:
  • May try to detect the Windows Explorer process (often used for injection)
  • Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Anti Debugging:
  • Creates guard pages, often used to prevent reverse engineering and debugging
  • Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  • Enables debug privileges

Malware Analysis System Evasion:
  • Queries a list of all running processes
  • Enumerates the file system

Hooking and other Techniques for Hiding and Protection:
  • Disables application error messages (SetErrorMode)
  • System process connects to network (likely due to code injection or exploit)

Language, Device and Operating System Detection:
  • Queries the cryptographic machine GUID
  • Queries the installation date of Windows
  • Queries the volume information (name, serial number etc) of a device

Behavior Graph
[Behavior graph: ID 47598; Sample 18-02-22-(k-irie).xls; Startdate 23/02/2018; Architecture WINDOWS; Score 84. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious.]
  • EXCEL.EXE (34 / 17, created registry values / created files in legend order): Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; Obfuscated command line found; 3 other signatures
  • EXCEL.EXE started cmd.exe: Document exploit detected (process start blacklist hit); Obfuscated command line found
  • cmd.exe started powershell.exe (12 / 8; Is malicious): System process connects to network (likely due to code injection or exploit); Powershell connects to network
  • DNS/IP Info: holdoc.com; 8.8.8.8, 53, 53440, 56842 (GOOGLE-GoogleIncUS, United States); 92.53.78.250, 49163, 49164, 80 (SELECTELRU, Russian Federation)

Simulations

Behavior and APIs
Time | Type | Description
01:31:49 | API Interceptor | 1x Sleep call
