Automated Malware Analysis Report For

ID: 285108
Cookbook: urldownload.jbs
Time: 15:48:53
Date: 14/09/2020
Version: 29.0.0 Ocean Jasper

Table of Contents

  Table of Contents ........ 2
  Analysis Report https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic ........ 4
    Overview ........ 4
      General Information ........ 4
      Detection ........ 4
      Signatures ........ 4
      Classification ........ 4
    Startup ........ 4
    Malware Configuration ........ 4
    Yara Overview ........ 4
    Sigma Overview ........ 5
    Signature Overview ........ 5
    Mitre Att&ck Matrix ........ 5
    Behavior Graph ........ 5
    Screenshots ........ 6
      Thumbnails ........ 6
    Antivirus, Machine Learning and Genetic Malware Detection ........ 7
      Initial Sample ........ 7
      Dropped Files ........ 7
      Unpacked PE Files ........ 7
      Domains ........ 7
      URLs ........ 7
    Domains and IPs ........ 8
      Contacted Domains ........ 8
      URLs from Memory and Binaries ........ 8
      Contacted IPs ........ 9
        Public ........ 10
        Private ........ 10
    General Information ........ 10
    Simulations ........ 11
      Behavior and APIs ........ 11
    Joe Sandbox View / Context ........ 11
      IPs ........ 12
      Domains ........ 12
      ASN ........ 12
      JA3 Fingerprints ........ 12
      Dropped Files ........ 12
    Created / dropped Files ........ 12
    Static File Info ........ 25
      No static file info ........ 25
    Network Behavior ........ 25
      Network Port Distribution ........ 25
      TCP Packets ........ 26
      UDP Packets ........ 27
      DNS Queries ........ 28
      DNS Answers ........ 28
      HTTPS Packets ........ 29
    Code Manipulations ........ 29
    Statistics ........ 29
      Behavior ........ 29
    System Behavior ........ 30
      Analysis Process: cmd.exe PID: 6652 Parent PID: 1712 ........ 30
        General ........ 30
        File Activities ........ 30
          File Created ........ 30
      Analysis Process: conhost.exe PID: 6660 Parent PID: 6652 ........ 30
        General ........ 30
      Analysis Process: wget.exe PID: 6700 Parent PID: 6652 ........ 31
        General ........ 31
        File Activities ........ 31
          File Created ........ 31
      Analysis Process: iexplore.exe PID: 7092 Parent PID: 5560 ........ 31
        General ........ 31
        File Activities ........ 31
        Registry Activities ........ 32
      Analysis Process: iexplore.exe PID: 6320 Parent PID: 7092 ........ 32
        General ........ 32
        File Activities ........ 32
        Registry Activities ........ 32
    Disassembly ........ 32
      Code Analysis ........ 32

Copyright null 2020 Page 2 of 32

Analysis Report https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic

Overview

General Information
  Sample URL: https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic
  Analysis ID: 285108
  Most interesting Screenshot: (image)

Detection
  Score: 0
  Range: 0 - 100
  Whitelisted: false
  Confidence: 80%

Signatures
  Queries the volume information (nam…

Classification
  (classification diagram; categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious, suspicious, clean)

Startup
  System is w10x64
  cmd.exe (PID: 6652, cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic' > cmdline.out 2>&1, MD5: F3BDBE3BB6F734E357235F4D5898582D)
    conhost.exe (PID: 6660, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    wget.exe (PID: 6700, cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic', MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  iexplore.exe (PID: 7092, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\mobilebasic.html, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    iexplore.exe (PID: 6320, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7092 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  cleanup

Malware Configuration
  No configs have been found

Yara Overview
  No yara matches

Sigma Overview
  No Sigma rule has matched

Signature Overview
  • Networking
  • System Summary
  • Hooking and other Techniques for Hiding and Protection
  • Language, Device and Operating System Detection
  There are no malicious signatures.

Mitre Att&ck Matrix (by tactic)
  Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
  Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
  Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
  Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  Discovery: File and Directory Discovery 1; System Information Discovery 1 2; Remote System Discovery 1
  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2
  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph
  (graph; legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet)
  ID: 285108
  URL: https://docs.google.com/doc...
  Startdate: 14/09/2020
  Architecture: WINDOWS
  Score: 0
  Process nodes: cmd.exe started conhost.exe and wget.exe; iexplore.exe started iexplore.exe
  Network nodes: googlehosted.l.googleusercontent.com (172.217.22.33, port 443, local ports 49717 and 49718; GOOGLEUS, United States); lh4.googleusercontent.com (unknown); lh3.googleusercontent.com (unknown); 192.168.2.1

Screenshots

Thumbnails
  This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
  Source | Detection | Scanner | Label | Link
  https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic | 0% | Virustotal | | Browse
  https://docs.google.com/document/d/1_vA-f3_io9FgNvQRShSMX2g543JsGe8iL2d_loyVtIk/mobilebasic | 0% | Avira URL Cloud | safe |

Dropped Files
  No Antivirus matches

Unpacked PE Files
  No Antivirus matches

Domains
  No Antivirus matches

URLs
  Source | Detection | Scanner | Label | Link
  crl.pki.goog/gsr2/gsr2.crl | 3% | Virustotal | | Browse
  crl.pki.goog/gsr2/gsr2.crl | 0% | Avira URL Cloud | safe |
  crl.pki.goog/GTS1O1core.crl | 1% | Virustotal | | Browse
  crl.pki.goog/GTS1O1core.crl | 0% | Avira URL Cloud | safe |
  www.broofa.com | 0% | Virustotal | | Browse
  www.broofa.com | 0% | URL Reputation | safe |
  www.broofa.com | 0% | URL Reputation | safe |
  www.broofa.com | 0% | URL Reputation | safe |
  https://support.google/Desktop/download/mobilebasic.html.com/accounts/answer/32050c.htmlRoot | 0% | Avira URL Cloud | safe |
  pki.goog/gsr2/GTS1O1.crt0 | 0% | Virustotal | | Browse
  pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe |
  pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe |
  pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe |
  ocsp.pki.goog/gsr202 | 0% | Virustotal | | Browse
  ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe |
  ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe |
  ocsp.pki.goog/gsr202 | 0% | URL Reputation | safe |
  https://pki.goog/repository/0 | 0% | Virustotal | | Browse
  https://pki.goog/repository/0 | 0% | URL Reputation | safe |
  https://pki.goog/repository/0 | 0% | URL Reputation | safe |
  https://pki.goog/repository/0 | 0% | URL Reputation | safe |
  crl.pki.goog/gsr2/gsr2.crlJ | 0% | Avira URL Cloud | safe |
  https://pki.goog/repository/ | 0% | Virustotal | | Browse
  https://pki.goog/repository/ | 0% | Avira URL Cloud | safe |
  ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe |
  ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe |
  ocsp.pki.goog/gts1o1core0 | 0% | URL Reputation | safe |
  crl.pki.goog/GTS1O1core.crl0 | 0% | Virustotal | | Browse
  crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe |
  crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe |
  crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe |
  pki.goog/gsr2/GTS1O1.crt | 0% | Virustotal | | Browse
  pki.goog/gsr2/GTS1O1.crt | 0% | Avira URL Cloud | safe |
  ocsp.pki.goog/gsr2 | 0% | Virustotal | | Browse
  ocsp.pki.goog/gsr2 | 0% | Avira URL Cloud | safe |
  www.wikipedia.com/ | 0% | Virustotal | | Browse
  www.wikipedia.com/ | 0% | URL Reputation | safe |
  www.wikipedia.com/ | 0% | URL Reputation | safe |
  www.wikipedia.com/ | 0% | URL Reputation | safe |
  crl.pki.goog/gsr2/gsr2.crl0? | 0% | Virustotal | | Browse
  crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe |
  crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe |
  crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains
  Name | IP | Active | Malicious | Antivirus Detection | Reputation
  googlehosted.l.googleusercontent.com | 172.217.22.33 | true | false | | high
  lh3.googleusercontent.com | unknown | unknown | false | | high
  lh4.googleusercontent.com | unknown | unknown | false | | high

URLs from Memory and Binaries
  Name | Source | Malicious | Antivirus Detection | Reputation
  https://staging-realtimesupport-googleapis.sandbox.youtube.com | operatordeferred_bin_base__en[1].js.6.dr | false | | high
  crl.pki.goog/gsr2/gsr2.crl | wget.exe, 00000003.00000003.216016032.0000000002B55000.00000004.00000001.sdmp | false | 3%, Virustotal, Browse; Avira URL Cloud: safe | unknown
  www.apache.org/licenses/LICENSE-2.0 | 32050[1].htm.6.dr | false | | high
  https://schema.org/Thing |