ID: 80545 Sample Name: bitrecover-msg- converter-wizard.exe Cookbook: default.jbs Time: 17:08:33 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents 2 Analysis Report bitrecover-msg-converter-wizard.exe 4 Overview 4 General Information 4 Detection 4 Confidence 5 Classification 5 Analysis Advice 6 Signature Overview 6 AV Detection: 7 Spreading: 7 Networking: 7 Key, Mouse, Clipboard, Microphone and Screen Capturing: 7 System Summary: 7 Data Obfuscation: 8 Persistence and Installation Behavior: 8 Boot Survival: 8 Hooking and other Techniques for Hiding and Protection: 8 Malware Analysis System Evasion: 8 Anti Debugging: 8 HIPS / PFW / Operating System Protection Evasion: 8 Language, Device and Operating System Detection: 9 Behavior Graph 9 Simulations 9 Behavior and APIs 9 Antivirus Detection 10 Initial Sample 10 Dropped Files 10 Unpacked PE Files 10 Domains 10 URLs 10 Yara Overview 10 Initial Sample 10 PCAP (Network Traffic) 10 Dropped Files 11 Memory Dumps 11 Unpacked PEs 11 Joe Sandbox View / Context 11 IPs 11 Domains 11 ASN 11 Dropped Files 11 Screenshots 12 Thumbnails 12 Startup 13 Created / dropped Files 13 Domains and IPs 18 Contacted Domains 18 URLs from Memory and Binaries 19 Contacted IPs 20 Static File Info 21 General 21 File Icon 21 Copyright Joe Security LLC 2018 Page 2 of 37 Static PE Info 21 General 21 Authenticode Signature 21 Entrypoint Preview 22 Data Directories 22 Sections 23 Resources 23 Imports 23 Version Infos 24 Possible Origin 24 Network Behavior 24 Code Manipulations 24 Statistics 24 Behavior 24 System Behavior 25 Analysis Process: bitrecover-msg-converter-wizard.exe PID: 3972 Parent PID: 3700 25 General 25 File Activities 25 File Created 25 File Deleted 25 File Written 25 File Read 26 Analysis Process: bitrecover-msg-converter-wizard.tmp PID: 3984 Parent PID: 3972 26 General 26 File Activities 26 File Created 26 File Deleted 28 File Moved 28 File Written 28 File Read 35 Registry Activities 36 Key Created 36 Key Value Created 36 Analysis Process: MSGConverterWizard.exe PID: 1680 Parent PID: 3984 37 General 37 File Activities 37 Registry Activities 37 Disassembly 37 Code Analysis 37 Copyright Joe Security LLC 2018 Page 3 of 37 Analysis Report bitrecover-msg-converter-wizard.exe Overview General Information Joe Sandbox Version: 23.0.0 Analysis ID: 80545 Start date: 27.09.2018 Start time: 17:08:33 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 8m 24s Hypervisor based Inspection enabled: false Report type: light Sample file name: bitrecover-msg-converter-wizard.exe Cookbook file name: default.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies HCA enabled EGA enabled HDC enabled Analysis stop reason: Timeout Detection: CLEAN Classification: clean16.winEXE@5/21@0/0 EGA Information: Successful, ratio: 100% HDC Information: Successful, ratio: 11.7% (good quality ratio 11.5%) Quality average: 86% Quality standard deviation: 22.1% HCA Information: Successful, ratio: 94% Number of executed functions: 0 Number of non-executed functions: 0 Cookbook Comments: Adjust boot time Found application associated with file extension: .exe Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: MSGConverterWizard.exe Detection Strategy Score Range Reporting Detection Copyright Joe Security LLC 2018 Page 4 of 37 Strategy Score Range Reporting Detection Threshold 16 0 - 100 Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold 3 0 - 5 true Classification Copyright Joe Security LLC 2018 Page 5 of 37 Ransomware Miner Spreading mmaallliiiccciiioouusss malicious Evader Phishing sssuusssppiiiccciiioouusss suspicious cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox Sample searches for specific file, try point organization specific fake files to the analysis machine Signature Overview • AV Detection • Spreading • Networking • Key, Mouse, Clipboard, Microphone and Screen Capturing • System Summary • Data Obfuscation • Persistence and Installation Behavior • Boot Survival • Hooking and other Techniques for Hiding and Protection Copyright Joe Security LLC 2018 Page 6 of 37 • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection Click to jump to signature section AV Detection: Antivirus detection for unpacked file Spreading: Enumerates the file system Contains functionality to enumerate / list files inside a directory Networking: Contains functionality to download additional files from the internet Found strings which match to known social media urls Urls found in memory or binary data Key, Mouse, Clipboard, Microphone and Screen Capturing: Creates a window with clipboard capturing capabilities System Summary: Contains functionality to communicate with device drivers Contains functionality to shutdown / reboot the system Detected potential crypto function Found potential string decryption / allocating functions PE file contains executable resources (Code or Archives) PE file contains strange resources Sample file is different than original file name gathered from version info Sample reads its own file content PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) Classification label Contains functionality to adjust token privileges (e.g. debug / backup) Contains functionality to check free disk space Contains functionality to instantiate COM classes Contains functionality to load and extract PE file embedded resources Creates files inside the program directory Creates files inside the user directory Creates temporary files Parts of this applications are using the .NET runtime (Probably coded in C#) Reads ini files Copyright Joe Security LLC 2018 Page 7 of 37 Reads software policies Reads the Windows registered organization settings Spawns processes Uses an in-process (OLE) Automation server Reads the Windows registered owner settings Executable creates window controls seldom found in malware Found GUI installer (many successful clicks) Found graphical window changes (likely an installer) Uses Microsoft Silverlight Creates a directory in C:\Program Files Creates a software uninstall entry Submission file is bigger than most known malware samples Binary contains paths to debug symbols Data Obfuscation: Contains functionality to dynamically determine API calls PE file contains an invalid checksum Uses code obfuscation techniques (call, push, ret) Persistence and Installation Behavior: Drops PE files Boot Survival: Stores files to the Windows start menu directory Hooking and other Techniques for Hiding and Protection: Contains functionality to check if a window is minimized (may be used to check if an application is visible) Extensive use of GetProcAddress (often used to hide API calls) Disables application error messsages (SetErrorMode) Malware Analysis System Evasion: Enumerates the file system Found dropped PE file which has not been started or loaded Found evasive API chain (date check) Contains functionality to enumerate / list files inside a directory Contains functionality to query system information Anti Debugging: Checks for debuggers (devices) Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) Contains functionality to check if a debugger is running (IsDebuggerPresent) Contains functionality to dynamically determine API calls Contains functionality which may be used to detect a debugger (GetProcessHeap) Contains functionality to register its own exception handler Creates guard pages, often used to prevent reverse engineering and debugging HIPS / PFW / Operating System Protection Evasion: Contains functionality to launch a program with higher privileges Copyright Joe Security LLC 2018 Page 8 of 37 Creates a process in suspended mode (likely to inject code) Contains functionality to create a new security descriptor May try to detect the Windows Explorer process (often used for injection) Language, Device and Operating System Detection: Contains functionality locales information (e.g. system language) Queries the volume information (name, serial number etc) of a device Contains functionality to create pipes for IPC Contains functionality to query local / system time Contains functionality to query the account / user name Contains functionality to query windows version Queries the cryptographic machine GUID Behavior Graph Hide Legend Legend: Process Behavior Graph ID: 80545 Signature Sample: bitrecover-msg-converter-wizard.exe Startdate: 27/09/2018 Created File Architecture:
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages37 Page
-
File Size-