ID: 399715 Sample Name: wget.exe Cookbook: default.jbs Time: 04:14:24 Date: 29/04/2021 Version: 32.0.0 Black Diamond Table of Contents Table of Contents 2 Analysis Report wget.exe 3 Overview 3 General Information 3 Detection 3 Signatures 3 Classification 3 Startup 3 Malware Configuration 3 Yara Overview 3 Sigma Overview 3 Signature Overview 3 Networking: 4 Mitre Att&ck Matrix 4 Behavior Graph 4 Screenshots 5 Thumbnails 5 Antivirus, Machine Learning and Genetic Malware Detection 6 Initial Sample 6 Dropped Files 6 Unpacked PE Files 6 Domains 6 URLs 6 Domains and IPs 7 Contacted Domains 7 URLs from Memory and Binaries 7 Contacted IPs 8 General Information 8 Simulations 9 Behavior and APIs 9 Joe Sandbox View / Context 9 IPs 9 Domains 9 ASN 9 JA3 Fingerprints 9 Dropped Files 9 Created / dropped Files 9 Static File Info 9 General 9 File Icon 10 Network Behavior 10 Code Manipulations 10 Statistics 10 System Behavior 10 Analysis Process: wget.exe PID: 6932 Parent PID: 6020 10 General 10 Disassembly 10 Code Analysis 10 Copyright Joe Security LLC 2021 Page 2 of 10 Analysis Report wget.exe Overview General Information Detection Signatures Classification Sample wget.exe Name: FFoouunndd TToorrr oonniiioonn aaddddrrreessss Analysis ID: 399715 DFDoeeuttteenccdttte eTddo prp oottnteeinontnttiiia aalll dccdrrryyrpeptsttoos fffuunncctttiiioonn MD5: 8ab07993aa4c3d… PDPrrerootgegrrcraatemd ddpooeetess n nntoioatttl sschhryoopwwt o m fuucnchch t aiaoccntttiiivviii… SHA1: 3e7d90ead707b7… Ransomware Program does not show much activi Miner Spreading SHA256: 1b532832ecfcffe… mmaallliiiccciiioouusss Infos: malicious Evader Phishing sssuusssppiiiccciiioouusss suspicious Most interesting Screenshot: cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Score: 21 Range: 0 - 100 Whitelisted: false Confidence: 80% Startup System is w10x64 wget.exe (PID: 6932 cmdline: 'C:\Users\user\Desktop\wget.exe' MD5: 8AB07993AA4C3DB71B44D0552950BD17) cleanup Malware Configuration No configs have been found Yara Overview No yara matches Sigma Overview No Sigma rule has matched Signature Overview • Cryptography Copyright Joe Security LLC 2021 Page 3 of 10 • Networking • System Summary • Malware Analysis System Evasion • Anti Debugging Click to jump to signature section Networking: Found Tor onion address Mitre Att&ck Matrix Command Remote Initial Privilege Defense Credential Lateral and Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Effects Effects Impact Valid Command Path Path Direct OS System Remote Archive Exfiltration Encrypted Eavesdrop on Remotely Modify Accounts and Scripting Interception Interception Volume Credential Service Services Collected Over Other Channel 1 Insecure Track Device System Interpreter 2 Access Dumping Discovery Data 1 1 Network Network Without Partition Medium Communication Authorization Default Scheduled Boot or Boot or Rootkit LSASS Application Remote Data from Exfiltration Proxy 1 Exploit SS7 to Remotely Device Accounts Task/Job Logon Logon Memory Window Desktop Removable Over Redirect Phone Wipe Data Lockout Initialization Initialization Discovery Protocol Media Bluetooth Calls/SMS Without Scripts Scripts Authorization Behavior Graph Copyright Joe Security LLC 2021 Page 4 of 10 Hide Legend Legend: Process Signature Created File DNS/IP Info Is Dropped Behavior Graph Is Windows Process ID: 399715 Number of created Registry Values Sample: wget.exe Number of created Files Startdate: 29/04/2021 Visual Basic Architecture: WINDOWS Delphi Score: 21 Java .Net C# or VB.NET C, C++ or other language Found Tor onion address started Is malicious Internet wget.exe Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright Joe Security LLC 2021 Page 5 of 10 Antivirus, Machine Learning and Genetic Malware Detection Initial Sample Source Detection Scanner Label Link wget.exe 4% ReversingLabs Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains No Antivirus matches URLs Source Detection Scanner Label Link crl.sectigo.com/SectigoRSATimeStampingCA.crl0t 0% URL Reputation safe crl.sectigo.com/SectigoRSATimeStampingCA.crl0t 0% URL Reputation safe crl.sectigo.com/SectigoRSATimeStampingCA.crl0t 0% URL Reputation safe crl.sectigo.com/SectigoRSATimeStampingCA.crl0t 0% URL Reputation safe Copyright Joe Security LLC 2021 Page 6 of 10 Source Detection Scanner Label Link https://sectigo.com/CPS0 0% URL Reputation safe https://sectigo.com/CPS0 0% URL Reputation safe https://sectigo.com/CPS0 0% URL Reputation safe https://sectigo.com/CPS0 0% URL Reputation safe https://ftpftp://ftpsftps://Rpcrt4.dllUuidCreateUuidToStringARpcStringFreeA 0% Avira URL Cloud safe ocsp.sectigo.com0 0% URL Reputation safe ocsp.sectigo.com0 0% URL Reputation safe ocsp.sectigo.com0 0% URL Reputation safe ocsp.sectigo.com0 0% URL Reputation safe crt.sectigo.com/SectigoRSATimeStampingCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSATimeStampingCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSATimeStampingCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSATimeStampingCA.crt0# 0% URL Reputation safe https://sectigo.com/CPS0D 0% URL Reputation safe https://sectigo.com/CPS0D 0% URL Reputation safe https://sectigo.com/CPS0D 0% URL Reputation safe https://sectigo.com/CPS0D 0% URL Reputation safe www.metalinker.org/typedynamicoriginurn:ietf:params:xml:ns:metalinktagsidentityfilesfilenames 0% Avira URL Cloud safe crl.sectigo.com/SectigoRSACodeSigningCA.crl0s 0% URL Reputation safe crl.sectigo.com/SectigoRSACodeSigningCA.crl0s 0% URL Reputation safe crl.sectigo.com/SectigoRSACodeSigningCA.crl0s 0% URL Reputation safe crl.sectigo.com/SectigoRSACodeSigningCA.crl0s 0% URL Reputation safe www.metalinker.org/ 0% Virustotal Browse www.metalinker.org/ 0% Avira URL Cloud safe crt.sectigo.com/SectigoRSACodeSigningCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSACodeSigningCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSACodeSigningCA.crt0# 0% URL Reputation safe crt.sectigo.com/SectigoRSACodeSigningCA.crt0# 0% URL Reputation safe Domains and IPs Contacted Domains No contacted domains info URLs from Memory and Binaries Name Source Malicious Antivirus Detection Reputation crl.sectigo.com/SectigoRSATimeStampingCA.crl0t wget.exe false URL Reputation: safe unknown URL Reputation: safe URL Reputation: safe URL Reputation: safe https://sectigo.com/CPS0 wget.exe false URL Reputation: safe unknown URL Reputation: safe URL Reputation: safe URL Reputation: safe wget.exe false Avira URL Cloud: safe low https://ftpftp://ftpsftps://Rpcrt4.dllUuidCreateUuidToStringARpc StringFreeA ocsp.sectigo.com0 wget.exe false URL Reputation: safe unknown URL Reputation: safe URL Reputation: safe URL Reputation: safe netpreserve.org/warc/1.0/revisit/identical-payload- wget.exe false high digestWARC-Truncatedlength crt.sectigo.com/SectigoRSATimeStampingCA.crt0# wget.exe false URL Reputation: safe unknown URL Reputation: safe URL Reputation: safe URL Reputation: safe https://savannah.gnu.org/bugs/? wget.exe false high func=additem&group=wget. https://sectigo.com/CPS0D wget.exe false URL Reputation: safe unknown URL Reputation: safe URL Reputation: safe URL Reputation: safe https://gnu.org/licenses/ wget.exe false high www.gnu.org/licenses/gpl.html wget.exe false high Copyright Joe Security LLC 2021 Page 7 of 10 Name Source Malicious Antivirus Detection Reputation https://gnu.org/licenses/gpl.html wget.exe false high netpreserve.org/warc/1.0/revisit/identical-payload-digest wget.exe false high wget.exe true Avira URL Cloud: safe unknown www.metalinker.org/typedynamicoriginurn:ietf:params:xml:ns: metalinktagsidentityfilesfilenames crl.sectigo.com/SectigoRSACodeSigningCA.crl0s wget.exe false URL Reputation: safe unknown URL Reputation: safe URL Reputation: safe URL Reputation: safe www.metalinker.org/ wget.exe true 0%, Virustotal, Browse unknown Avira URL Cloud: safe crt.sectigo.com/SectigoRSACodeSigningCA.crt0# wget.exe false URL Reputation: safe unknown URL Reputation: safe URL Reputation: safe URL Reputation: safe wget.exe false high bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft. pdf Contacted IPs No contacted IP infos General Information Joe Sandbox Version: 32.0.0 Black Diamond Analysis ID: 399715 Start date: 29.04.2021 Start time: 04:14:24 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 3m 14s Hypervisor based Inspection enabled: false Report type: light Sample file name: wget.exe Cookbook file name: default.jbs Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis Mode: default Analysis stop reason: Timeout Detection: SUS Classification: sus21.evad.winEXE@1/0@0/0 EGA Information: Failed HDC Information: Failed HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 Cookbook Comments: Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated Copyright Joe Security LLC 2021 Page 8 of 10 Simulations Behavior and APIs No simulations Joe Sandbox View / Context IPs No context Domains No context
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages10 Page
-
File Size-