ID: 92618 Sample Name: n.xlsx Cookbook: defaultwindowsofficecookbook.jbs Time: 12:02:06 Date: 22/11/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents 2 Analysis Report n.xlsx 3 Overview 3 General Information 3 Detection 3 Confidence 3 Classification 4 Analysis Advice 4 Mitre Att&ck Matrix 5 Signature Overview 5 Networking: 5 Spam, unwanted Advertisements and Ransom Demands: 5 System Summary: 5 Hooking and other Techniques for Hiding and Protection: 5 Behavior Graph 5 Simulations 6 Behavior and APIs 6 Antivirus Detection 6 Initial Sample 6 Dropped Files 6 Unpacked PE Files 6 Domains 6 URLs 6 Yara Overview 7 Initial Sample 7 PCAP (Network Traffic) 7 Dropped Files 7 Memory Dumps 7 Unpacked PEs 7 Joe Sandbox View / Context 7 IPs 7 Domains 7 ASN 7 Dropped Files 8 Screenshots 8 Thumbnails 8 Startup 8 Created / dropped Files 8 Domains and IPs 11 Contacted Domains 11 URLs from Memory and Binaries 11 Contacted IPs 14 Static File Info 14 General 14 File Icon 15 Network Behavior 15 Code Manipulations 15 Statistics 15 System Behavior 15 Analysis Process: EXCEL.EXE PID: 3284 Parent PID: 3072 15 General 15 File Activities 15 File Deleted 16 File Written 16 Registry Activities 16 Disassembly 16 Copyright Joe Security LLC 2018 Page 2 of 16 Analysis Report n.xlsx Overview General Information Joe Sandbox Version: 24.0.0 Fire Opal Analysis ID: 92618 Start date: 22.11.2018 Start time: 12:02:06 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 2m 28s Hypervisor based Inspection enabled: false Report type: light Sample file name: n.xlsx Cookbook file name: defaultwindowsofficecookbook.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1) Number of analysed new started processes analysed: 2 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies EGA enabled HDC enabled Analysis stop reason: Timeout Detection: SUS Classification: sus20.rans.winXLSX@1/12@0/0 Cookbook Comments: Adjust boot time Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Simulate clicks Number of clicks 76 Scroll down Close Viewer Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe Detection Strategy Score Range Reporting Detection Threshold 20 0 - 100 Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Copyright Joe Security LLC 2018 Page 3 of 16 Strategy Score Range Further Analysis Required? Confidence Threshold 2 0 - 5 true Classification Ransomware Miner Spreading mmaallliiiccciiioouusss malicious Evader Phishing sssuusssppiiiccciiioouusss suspicious cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice No malicious behavior found, analyze the document also on other version of Office / Acrobat Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Copyright Joe Security LLC 2018 Page 4 of 16 Sample might require command line arguments, analyze it with the command line cookbook Mitre Att&ck Matrix Initial Privilege Credential Lateral Command and Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration Control Valid Windows Remote Winlogon Port Monitors File System Credential System Application Data from Local Data Data Obfuscation Accounts Management Helper DLL Logical Offsets Dumping Information Deployment System Compressed Discovery 1 Software Signature Overview • Networking • Spam, unwanted Advertisements and Ransom Demands • System Summary • Hooking and other Techniques for Hiding and Protection Click to jump to signature section Networking: Found strings which match to known social media urls Urls found in memory or binary data Spam, unwanted Advertisements and Ransom Demands: May drop file containing decryption instructions (likely related to ransomware) System Summary: Classification label Creates files inside the user directory Creates temporary files Reads ini files Found graphical window changes (likely an installer) Document is a ZIP file with path names indicative of goodware Checks if Microsoft Office is installed Uses new MSVCR Dlls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Behavior Graph Copyright Joe Security LLC 2018 Page 5 of 16 Hide Legend Legend: Process Signature Created File DNS/IP Info Is Dropped Behavior Graph Is Windows Process ID: 92618 Number of created Registry Values Sample: n.xlsx Number of created Files Startdate: 22/11/2018 Visual Basic Architecture: WINDOWS Score: 20 Delphi Java .Net C# or VB.NET C, C++ or other language May drop file containing decryption instructions started Is malicious (likely related to ransomware) EXCEL.EXE 40 23 Simulations Behavior and APIs Time Type Description 12:02:42 API Interceptor 3x Sleep call for process: EXCEL.EXE modified Antivirus Detection Initial Sample Source Detection Scanner Label Link n.xlsx 0% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains No Antivirus matches URLs Copyright Joe Security LLC 2018 Page 6 of 16 Source Detection Scanner Label Link www.nyxbone.com/malware/brazilianRansom.html 0% virustotal Browse www.nyxbone.com/malware/brazilianRansom.html 0% Avira URL Cloud safe www.nyxbone.com/malware/RemindMe.html 1% virustotal Browse www.nyxbone.com/malware/RemindMe.html 0% Avira URL Cloud safe bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html 0% Avira URL Cloud safe www.nyxbone.com/malware/Strictor.html 0% virustotal Browse www.nyxbone.com/malware/Strictor.html 0% Avira URL Cloud safe www.nyxbone.com/malware/7ev3n-HONE$T.html; 0% virustotal Browse www.nyxbone.com/malware/7ev3n-HONE$T.html; 0% Avira URL Cloud safe www.nyxbone.com/malware/CryptoMix.html 2% virustotal Browse www.nyxbone.com/malware/CryptoMix.html 0% Avira URL Cloud safe https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate 0% virustotal Browse https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate 0% Avira URL Cloud safe nyxbone.com/malware/BlackShades.html 0% virustotal Browse nyxbone.com/malware/BlackShades.html 0% Avira URL Cloud safe www.nyxbone.com/malware/koreanRansom.html 2% virustotal Browse www.nyxbone.com/malware/koreanRansom.html 0% Avira URL Cloud safe https://reaqta.com/2016/06/raa-ransomware-delivering-pony/ 0% virustotal Browse https://reaqta.com/2016/06/raa-ransomware-delivering-pony/ 0% Avira URL Cloud safe nyxbone.com/malware/SNSLocker.html 0% virustotal Browse nyxbone.com/malware/SNSLocker.html 0% Avira URL Cloud safe Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Copyright Joe Security LLC 2018 Page 7 of 16 Dropped Files No context Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Startup System is w7 EXCEL.EXE (PID: 3284 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde MD5: 716335EDBB91DA84FC102425BFDA957E) cleanup Created / dropped Files Copyright Joe Security LLC 2018 Page 8 of 16 C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n((Autosaved-307042191330272160)).xlsb Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File Type: Microsoft Excel 2007+ Size (bytes): 78223 Entropy (8bit): 7.923956211832512 Encrypted: false MD5: 76B52E7BC924F0A39CD1A978D7183DDC SHA1: 1AD9CB4742681F6F829C51C4A039D517F790FA09 SHA-256: E3CABC27DD6CFE997B5A2B911F0D68557DFF81FC9C01126A96E50774D3F6E196 SHA-512: 60995728907BC023388E76DC118B746D3D6B78AE3B58C61AD4A662320DC166F0D03EDFBAA04EA67FCC15F3CCC7 A19E685BD4CC42F26A7F5FCDCC3EA720A35A5D Malicious: false Reputation: low C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n((Autosaved-307042191355909024)).xlsb Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File Type: Microsoft Excel 2007+ Size (bytes): 78230 Entropy (8bit): 7.92393574284663 Encrypted: false MD5: 739510D6E361C4DA1978E9D4AB41A026 SHA1: D713A30A5744374A3F817ED2DC80867E075E8C7F SHA-256: AFCB62F4BF442544840E5B880F71D902067943D72BA3AF5EA655303394929447 SHA-512: 2C648C121D2DBA450A9289942FEF19130EEA7C2C0E6AAD23E194FDB1A54AA3E9C6E42D518251B463AF8A50FF85 8AFF5E182B1D565BA3301254732BE1F3D171F4 Malicious: false Reputation: low C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n((Autosaved-307042191371431344)).xlsb Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File Type: Microsoft Excel 2007+ Size (bytes): 78233 Entropy (8bit): 7.924019259545063 Encrypted: false MD5: 2B353CF6598ED729F5ABAE0C1A2777F8 SHA1: 4D7338DEC605D3AA47C14F3073A7CD3B7BD692EC SHA-256: 72C6876B82B5116F7D925EB57FA37C7E19B4D7F1184FBEDE479DDA1CD40482B4 SHA-512: 896C2CDAAE969389B582752DF247C27270A23AE36E2C36448EDD36B9348CC2C46B5F6B793FBCD20F28691A6302 D4BA50B2A034E850BE09FF70C6A476F7696101 Malicious: false Reputation: low C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n((Autosaved-307042191383849200)).xlsb Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File Type: Microsoft Excel 2007+ Size (bytes): 78233 Entropy (8bit): 7.92390093829244 Encrypted: false MD5: 08113A57C2F5EBF268A3EC1DCF040A6C
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages16 Page
-
File Size-