Automated Malware Analysis Report For

Automated Malware Analysis Report For

ID: 74965 Cookbook: urldownload.jbs Time: 01:35:09 Date: 01/09/2018 Version: 23.0.0 Table of Contents Table of Contents 2 Analysis Report http://cdn.appexnw.com/trident/version5b0ee6680e058.exe 4 Overview 4 General Information 4 Detection 4 Confidence 4 Classification 5 Analysis Advice 5 Signature Overview 6 Cryptography: 6 Bitcoin Miner: 6 Spreading: 6 Networking: 6 Key, Mouse, Clipboard, Microphone and Screen Capturing: 6 System Summary: 6 Data Obfuscation: 7 Persistence and Installation Behavior: 7 Hooking and other Techniques for Hiding and Protection: 7 Malware Analysis System Evasion: 7 Anti Debugging: 7 HIPS / PFW / Operating System Protection Evasion: 7 Language, Device and Operating System Detection: 7 Lowering of HIPS / PFW / Operating System Security Settings: 8 Behavior Graph 8 Simulations 8 Behavior and APIs 8 Antivirus Detection 8 Initial Sample 9 Dropped Files 9 Unpacked PE Files 9 Domains 9 URLs 9 Yara Overview 9 Initial Sample 9 PCAP (Network Traffic) 9 Dropped Files 9 Memory Dumps 9 Unpacked PEs 9 Joe Sandbox View / Context 10 IPs 10 Domains 10 ASN 10 Dropped Files 10 Screenshots 10 Startup 10 Created / dropped Files 11 Domains and IPs 15 Contacted Domains 15 Contacted URLs 15 URLs from Memory and Binaries 15 Contacted IPs 17 Public 17 Static File Info 17 No static file info 17 Copyright Joe Security LLC 2018 Page 2 of 42 Network Behavior 17 Network Port Distribution 17 TCP Packets 18 DNS Queries 19 DNS Answers 19 HTTP Request Dependency Graph 20 Code Manipulations 20 Statistics 20 Behavior 20 System Behavior 20 Analysis Process: cmd.exe PID: 3220 Parent PID: 1780 20 General 20 File Activities 21 File Created 21 Analysis Process: wget.exe PID: 3244 Parent PID: 3220 21 General 21 File Activities 21 File Created 21 File Written 21 Analysis Process: version5b0ee6680e058.exe PID: 3376 Parent PID: 3056 22 General 22 File Activities 22 File Created 22 File Deleted 25 File Written 25 File Read 39 Registry Activities 39 Key Created 39 Key Value Created 40 Key Value Modified 40 Analysis Process: HostAppServiceUpdater.exe PID: 3420 Parent PID: 1432 40 General 40 Analysis Process: taskeng.exe PID: 3440 Parent PID: 848 41 General 41 File Activities 41 File Read 41 Registry Activities 41 Key Value Created 41 Analysis Process: HostAppServiceUpdater.exe PID: 3476 Parent PID: 3440 41 General 41 Disassembly 42 Code Analysis 42 Copyright Joe Security LLC 2018 Page 3 of 42 Analysis Report http://cdn.appexnw.com/trident/version5b0ee6680e058.exe Overview General Information Joe Sandbox Version: 23.0.0 Analysis ID: 74965 Start date: 01.09.2018 Start time: 01:35:09 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 7m 7s Hypervisor based Inspection enabled: false Report type: light Cookbook file name: urldownload.jbs Sample URL: http://cdn.appexnw.com/trident/version5b0ee6680e05 8.exe Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1) Number of analysed new started processes analysed: 9 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies HCA enabled EGA enabled HDC enabled Analysis stop reason: Timeout Detection: MAL Classification: mal48.evad.mine.win@8/19@1/1 EGA Information: Successful, ratio: 50% HDC Information: Successful, ratio: 59.7% (good quality ratio 55.5%) Quality average: 74.2% Quality standard deviation: 30.5% HCA Information: Failed Cookbook Comments: Adjust boot time Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe TCP Packets have been reduced to 100 Execution Graph export aborted for target HostAppServiceUpdater.exe, PID 3420 because there are no executed function Report size exceeded maximum capacity and may have missing network information. Detection Strategy Score Range Reporting Detection Threshold 48 0 - 100 Report FP / FN Confidence Copyright Joe Security LLC 2018 Page 4 of 42 Strategy Score Range Further Analysis Required? Confidence Threshold 5 0 - 5 false Classification Ransomware Miner Spreading mmaallliiiccciiioouusss malicious Evader Phishing sssuusssppiiiccciiioouusss suspicious cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox Copyright Joe Security LLC 2018 Page 5 of 42 Signature Overview • Cryptography • Bitcoin Miner • Spreading • Networking • Key, Mouse, Clipboard, Microphone and Screen Capturing • System Summary • Data Obfuscation • Persistence and Installation Behavior • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection • Lowering of HIPS / PFW / Operating System Security Settings Click to jump to signature section Cryptography: Public key (encryption) found Bitcoin Miner: Configures the Internet Explorer emulation mode (likely to run Javascript) Spreading: Creates COM task schedule object (often to register a task for autostart) Contains functionality to enumerate / list files inside a directory Networking: Downloads executable code via HTTP Downloads files from webservers via HTTP Performs DNS lookups Urls found in memory or binary data Key, Mouse, Clipboard, Microphone and Screen Capturing: Contains functionality for read data from the clipboard System Summary: Contains functionality to shutdown / reboot the system Creates mutexes Detected potential crypto function Found potential string decryption / allocating functions PE file contains strange resources Binary contains paths to development resources Classification label Contains functionality to adjust token privileges (e.g. debug / backup) Contains functionality to check free disk space Contains functionality to instantiate COM classes Copyright Joe Security LLC 2018 Page 6 of 42 Contains functionality to load and extract PE file embedded resources Creates files inside the user directory Creates temporary files Reads ini files Reads software policies SQL strings found in memory and binary data Spawns processes Uses an in-process (OLE) Automation server Found graphical window changes (likely an installer) Creates a software uninstall entry Binary contains paths to debug symbols Data Obfuscation: Contains functionality to dynamically determine API calls PE file contains an invalid checksum Uses code obfuscation techniques (call, push, ret) Persistence and Installation Behavior: Drops PE files Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Malware Analysis System Evasion: Contains functionality to detect sleep reduction / modifications Checks the free space of harddrives Found dropped PE file which has not been started or loaded Found evasive API chain (date check) May sleep (evasive loops) to hinder dynamic analysis Contains functionality to enumerate / list files inside a directory Contains functionality to query system information Program exit points Anti Debugging: Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) Contains functionality to check if a debugger is running (IsDebuggerPresent) Contains functionality to dynamically determine API calls Contains functionality which may be used to detect a debugger (GetProcessHeap) Contains functionality to register its own exception handler HIPS / PFW / Operating System Protection Evasion: Very long cmdline option found, this is very uncommon (may be encrypted or packed) Contains functionality to add an ACL to a security descriptor May try to detect the Windows Explorer process (often used for injection) Language, Device and Operating System Detection: Contains functionality locales information (e.g. system language) Contains functionality to query local / system time Copyright Joe Security LLC 2018 Page 7 of 42 Contains functionality to query the account / user name Contains functionality to query time zone information Contains functionality to query windows version Queries the cryptographic machine GUID Lowering of HIPS / PFW / Operating System Security Settings: Modifies the internet feature controls of the internet explorer Behavior Graph Hide Legend Legend: Process Signature Created File Behavior Graph ID: 74965 DNS/IP Info URL: http://cdn.appexnw.com/trident/version5b0ee6680e058.exe Startdate: 01/09/2018 Is Dropped Architecture: WINDOWS Score: 48 Is Windows Process Contains functionality Number of created Registry Values to detect sleep reduction started started started started / modifications Number of created Files Visual Basic version5b0ee6680e058.exe cmd.exe taskeng.exe HostAppServiceUpdater.exe Delphi 20 47 1 1 Java dropped dropped dropped dropped .Net C# or VB.NET C:\Users\user\AppData\...\SLToolWrapper.dll, PE32 C:\Users\user\...\HostAppServiceUpdater.exe, PE32 C:\Users\HERBBL~1\AppData\...\___aensis.dll, PE32 9 other files (1 malicious) C, C++ or other language started started Is malicious Configures the Internet Explorer emulation mode (likely to run Javascript) wget.exe HostAppServiceUpdater.exe 1 cs47724812.wpc.nucdn.net 152.195.9.15, 49161, 80 cs477248.wpc.nucdn.net 2 other IPs or domains dropped EDGECAST-MCICommunicationsServicesIncdbaVerizonB United States C:\Users\user\...\version5b0ee6680e058.exe, PE32 Simulations Behavior and APIs Time Type Description 01:35:45 API Interceptor 629x Sleep call for process: cmd.exe

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    42 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us