Automated Malware Analysis Report for FL2000-2.1

ID: 180101
Sample Name: FL2000-2.1.33676.0.exe
Cookbook: default.jbs
Time: 23:40:48
Date: 01/10/2019
Version: 27.0.0 Red Agate

Table of Contents

Table of Contents 2
Analysis Report FL2000-2.1.33676.0.exe 5
  Overview 5
    General Information 5
    Detection 6
    Confidence 6
    Classification 6
    Analysis Advice 7
    Mitre Att&ck Matrix 7
    Signature Overview 8
      Spreading: 8
      Networking: 8
      Key, Mouse, Clipboard, Microphone and Screen Capturing: 9
      E-Banking Fraud: 9
      System Summary: 9
      Data Obfuscation: 10
      Persistence and Installation Behavior: 10
      Boot Survival: 10
      Hooking and other Techniques for Hiding and Protection: 10
      Malware Analysis System Evasion: 10
      Anti Debugging: 10
      HIPS / PFW / Operating System Protection Evasion: 10
      Language, Device and Operating System Detection: 11
    Behavior Graph 11
    Simulations 11
      Behavior and APIs 11
    Antivirus, Machine Learning and Genetic Malware Detection 12
      Initial Sample 12
      Dropped Files 12
      Unpacked PE Files 12
      Domains 12
      URLs 12
    Yara Overview 12
      Initial Sample 13
      PCAP (Network Traffic) 13
      Dropped Files 13
      Memory Dumps 13
      Unpacked PEs 13
    Joe Sandbox View / Context 13
      IPs 13
      Domains 13
      ASN 13
      JA3 Fingerprints 14
      Dropped Files 14
    Screenshots 14
      Thumbnails 14
  Startup 15
  Created / dropped Files 16
  Domains and IPs 24
    Contacted Domains 24
    Contacted URLs 24
    URLs from Memory and Binaries 24
    Contacted IPs 25
      Public 25
  Static File Info 25
    General 25
    File Icon 26
    Static PE Info 26
      General 26
      Authenticode Signature 26
      Entrypoint Preview 27
      Rich Headers 28
      Data Directories 28
      Sections 28
      Resources 28
      Imports 29
      Version Infos 29
      Possible Origin 29
  Network Behavior 30
    Network Port Distribution 30
    TCP Packets 30
    UDP Packets 32
    DNS Queries 32
    DNS Answers 32
    HTTP Request Dependency Graph 32
    HTTP Packets 32
  Code Manipulations 33
  Statistics 33
    Behavior 33
  System Behavior 33
    Analysis Process: FL2000-2.1.33676.0.exe PID: 772 Parent PID: 3836 34
      General 34
      File Activities 34
        File Created 34
        File Deleted 35
        File Moved 35
        File Written 35
        File Read 37
    Analysis Process: FL2000-2.1.34054.0.exe PID: 1704 Parent PID: 772 37
      General 37
      File Activities 37
        File Created 37
        File Deleted 39
        File Written 39
        File Read 42
      Registry Activities 42
        Key Created 42
        Key Value Created 42
    Analysis Process: msiexec.exe PID: 4312 Parent PID: 1704 43
      General 43
      File Activities 43
      Registry Activities 43
    Analysis Process: msiexec.exe PID: 4360 Parent PID: 1712 43
      General 43
    Analysis Process: msiexec.exe PID: 2212 Parent PID: 1712 44
      General 44
      File Activities 44
    Analysis Process: msiexec.exe PID: 396 Parent PID: 1712 44
      General 44
      Registry Activities 44
    Analysis Process: msiexec.exe PID: 3828 Parent PID: 1712 44
      General 44
      File Activities 44
      Registry Activities 45
    Analysis Process: drvinst.exe PID: 4712 Parent PID: 700 45
      General 45
    Analysis Process: drvinst.exe PID: 3928 Parent PID: 700 45
      General 45
    Analysis Process: drvinst.exe PID: 1196 Parent PID: 700 45
      General 45
    Analysis Process: cmd.exe PID: 4308 Parent PID: 1712 46
      General 46
    Analysis Process: conhost.exe PID: 4660 Parent PID: 4308 46
      General 46
    Analysis Process: xcopy.exe PID: 4496 Parent PID: 4308 46
      General 46
    Analysis Process: cmd.exe PID: 4628 Parent PID: 4308 47
      General 47
    Analysis Process: powershell.exe PID: 4504 Parent PID: 4628 47
      General 47
    Analysis Process: cmd.exe PID: 2352 Parent PID: 4308 47
      General 47
    Analysis Process: powershell.exe PID: 5028 Parent PID: 2352 47
      General 47
    Analysis Process: flvga_tray.exe PID: 4236 Parent PID: 3040 48
      General 48
    Analysis Process: sc.exe PID: 1836 Parent PID: 4308 48
      General 48
    Analysis Process: sc.exe PID: 4056 Parent PID: 4308 48
      General 48
    Analysis Process: flvga_tray.exe PID: 4212 Parent PID: 4308 48
      General 48
    Analysis Process: flvga_tray.exe PID: 2232 Parent PID: 3040 49
      General 49
  Disassembly 49
    Code Analysis 49

Copyright Joe Security LLC 2019 Page 2 of 49

Analysis Report FL2000-2.1.33676.0.exe

Overview

General Information

Joe Sandbox Version: 27.0.0 Red Agate
Analysis ID: 180101
Start date: 01.10.2019
Start time: 23:40:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: FL2000-2.1.33676.0.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus36.evad.winEXE@32/35@1/1
EGA Information: Successful, ratio: 83.3%
HDC Information: Successful, ratio: 87.9% (good quality ratio 82%)
Quality average: 74.1%
Quality standard deviation: 30%
HCA Information: Successful, ratio: 61%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
  - Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  - TCP Packets have been reduced to 100
  - Excluded IPs from analysis (whitelisted): 216.58.201.100, 13.107.4.50, 205.185.216.10, 205.185.216.42, 93.184.221.240
  - Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, cds.d2s7q6s2.hwcdn.net, wu.azureedge.net, au.au-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, www.google.com, au.c-0001.c-msedge.net, wu.wpc.apr-52dd2.edgecastdns.net
  - Report size exceeded maximum capacity and may have missing behavior information.
  - Report size exceeded maximum capacity and may have missing disassembly code.
  - Report size getting too big, too many NtDeviceIoControlFile calls found.
  - Report size getting too big, too many NtOpenKeyEx calls found.
  - Report size getting too big, too many NtProtectVirtualMemory calls found.
  - Report size getting too big, too many NtQueryValueKey calls found.
  - Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy    Score   Range     Reporting   Whitelisted   Detection
Threshold   36      0 - 100               false

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   0       0 - 5   true

Classification

(Radar chart; axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: malicious / suspicious / clean.)

Analysis Advice

  - Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
  - Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
  - Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
  - Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
  - Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control

(Table layout lost in extraction; cell text follows in extraction order, and the table is cut off at the end of this excerpt.)

Replication Through Removable Media 1, Execution through API 1, Modify Existing Service 1, Exploitation for Privilege Escalation 1, Deobfuscate/Decode Files or Information 1, Input Capture 1, System Time Discovery 1, Remote File Copy 2, Input Capture 1, Data Encrypted 1, Remote File Copy 2

Replication Through Removable Media, Command-Line Interface 1, Port Monitors, Access Token Manipulation 1, File Deletion 1, Network Sniffing, Peripheral Device Discovery 2 1, Replication Through Removable Media, Data from Removable Media 1, Exfiltration Over Other Network Medium, Standard Cryptographic Protocol 1

Drive-by Compromise, Windows Management Instrumentation, Accessibility Features, Process Injection 1 1, Obfuscated Files or Information 2, Input Capture, Security Software Discovery 5 1, Windows Remote Management, Data from Network Shared Drive, Automated Exfiltration, Standard Non-Application Layer Protocol 2

Exploit Public-Facing Application, Scheduled Task, System Firmware, DLL Search Order Hijacking, Masquerading 4, Credentials in Files, File and Directory Discovery 3, Logon Scripts, Input Capture, Data Encrypted, Standard Application Layer Protocol 2

Spearphishing Link, Command-Line Interface, Shortcut Modification, File System Permissions Weakness, Access Token Manipulation 1, Account Manipulation, System Information Discovery 5 4, Shared Webroot, Data Staged, Scheduled Transfer, Standard Cryptographic Protocol

Spearphishing Attachment, Graphical User Interface, Modify Existing Service, New Service, Process Injection 1 1, Brute Force, Query Registry 1, Third-party Software, Screen Capture, Data Transfer Size Limits, Commonly Used Port

Spearphishing via Service, Scripting, Path Interception, Scheduled Task, DLL Side-Loading, Two-Factor Authentication Interception, Process Discovery, Pass the Hash, Email Collection, Exfiltration Over Command and Control Channel, Uncommonly Used Port