Automated Malware Analysis Report For

Automated Malware Analysis Report For

ID: 123496 Cookbook: browseurl.jbs Time: 20:16:32 Date: 15/04/2019 Version: 25.0.0 Tiger's Eye Table of Contents Table of Contents 2 Analysis Report http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 4 Overview 4 General Information 4 Detection 4 Confidence 4 Classification 5 Analysis Advice 5 Mitre Att&ck Matrix 6 Signature Overview 6 Phishing: 6 Networking: 6 System Summary: 6 Behavior Graph 7 Simulations 7 Behavior and APIs 7 Antivirus Detection 7 Initial Sample 7 Dropped Files 7 Unpacked PE Files 7 Domains 7 URLs 8 Yara Overview 8 Initial Sample 8 PCAP (Network Traffic) 8 Dropped Files 8 Memory Dumps 8 Unpacked PEs 8 Joe Sandbox View / Context 8 IPs 8 Domains 9 ASN 9 JA3 Fingerprints 9 Dropped Files 9 Screenshots 9 Thumbnails 9 Startup 10 Created / dropped Files 10 Domains and IPs 22 Contacted Domains 22 Contacted URLs 22 URLs from Memory and Binaries 22 Contacted IPs 23 Public 24 Static File Info 24 No static file info 24 Network Behavior 24 Snort IDS Alerts 24 Network Port Distribution 24 TCP Packets 25 UDP Packets 26 DNS Queries 27 DNS Answers 27 HTTP Request Dependency Graph 28 HTTP Packets 28 HTTPS Packets 30 Code Manipulations 32 Copyright Joe Security LLC 2019 Page 2 of 34 Statistics 32 Behavior 32 System Behavior 32 Analysis Process: iexplore.exe PID: 2924 Parent PID: 724 32 General 33 File Activities 33 Registry Activities 33 Analysis Process: iexplore.exe PID: 148 Parent PID: 2924 33 General 33 File Activities 33 Registry Activities 33 Disassembly 34 Copyright Joe Security LLC 2019 Page 3 of 34 Analysis Report http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer gwea.com Overview General Information Joe Sandbox Version: 25.0.0 Tiger's Eye Analysis ID: 123496 Start date: 15.04.2019 Start time: 20:16:32 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 4m 4s Hypervisor based Inspection enabled: false Report type: light Cookbook file name: browseurl.jbs Sample URL: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113 Number of analysed new started processes analysed: 8 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies EGA enabled Analysis stop reason: Timeout Detection: MAL Classification: mal48.win@3/45@5/4 Cookbook Comments: Adjust boot time Enable AMSI Browsing link: https://www.kryptoslogic.com/ Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe TCP Packets have been reduced to 100 Report size getting too big, too many NtDeviceIoControlFile calls found. Detection Strategy Score Range Reporting Whitelisted Detection Threshold 48 0 - 100 false Confidence Strategy Score Range Further Analysis Required? Confidence Copyright Joe Security LLC 2019 Page 4 of 34 Strategy Score Range Further Analysis Required? Confidence Threshold 5 0 - 5 false Classification Ransomware Miner Spreading mmaallliiiccciiioouusss malicious Evader Phishing sssuusssppiiiccciiioouusss suspicious cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis Copyright Joe Security LLC 2019 Page 5 of 34 Mitre Att&ck Matrix Privilege Defense Credential Lateral Command and Initial Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Valid Accounts Windows Winlogon Port Monitors File System Credential System Service Application Data from Local Data Standard Non- Remote Helper DLL Logical Offsets Dumping Discovery Deployment System Encrypted 1 Application Layer Management Software Protocol 3 Replication Service Port Monitors Accessibility Binary Padding Network Application Remote Services Data from Exfiltration Over Standard Through Execution Features Sniffing Window Removable Other Network Application Layer Removable Discovery Media Medium Protocol 3 Media Signature Overview • Phishing • Networking • System Summary Click to jump to signature section Phishing: META author tag missing META copyright tag missing Networking: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data Uses HTTPS System Summary: Classification label Creates files inside the user directory Creates temporary files Reads ini files Spawns processes Found graphical window changes (likely an installer) Uses new MSVCR Dlls Copyright Joe Security LLC 2019 Page 6 of 34 Behavior Graph Hide Legend Behavior Graph Legend: ID: 123496 Process URL: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Startdate: 15/04/2019 Signature Architecture: WINDOWS Created File Score: 48 DNS/IP Info Is Dropped Is Windows Process www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Number of created Registry Values started Number of created Files Visual Basic Snort IDS alert for network traffic (e.g. Delphi based on Emerging Threat rules) Java .Net C# or VB.NET C, C++ or other language iexplore.exe Is malicious Internet 6 84 started iexplore.exe 1 65 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com cdnjs.cloudflare.com 104.17.244.81, 49802, 49803, 80 104.19.199.151, 443, 49813, 49814 2 other IPs or domains unknown unknown United States United States Simulations Behavior and APIs No simulations Antivirus Detection Initial Sample Source Detection Scanner Label Link www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 2% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Source Detection Scanner Label Link www.kryptoslogic.com 0% virustotal Browse Copyright Joe Security LLC 2019 Page 7 of 34 Source Detection Scanner Label Link static.kryptoslogicsinkhole.com 0% virustotal Browse URLs Source Detection Scanner Label Link https://www.kryptoslogic.com/favicon.png 0% Avira URL Cloud safe www.iuqerfic.com/fjhgosurijfaewrwergwea.com/Root 0% Avira URL Cloud safe https://www.kryptoslogic.com/terms 0% Avira URL Cloud safe www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ 2% virustotal Browse www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ 0% Avira URL Cloud safe https://www.kryptoslogic.com/fjhgosurijfaewrwergwea.com/ 0% Avira URL Cloud safe static.kryptoslogicsinkhole.com/style.css 0% virustotal Browse static.kryptoslogicsinkhole.com/style.css 0% Avira URL Cloud safe www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/4Sinkholed 0% Avira URL Cloud safe https://www.kryptoslogic.com/products/telltale/ 0% Avira URL Cloud safe https://www.kryptoslogifjaposdfjhgosurijfaewrwergwea.com/ 0% Avira URL Cloud safe https://fontawesome.comhttps://fontawesome.comFont 0% Avira URL Cloud safe www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/favicon.ico 0% virustotal Browse www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/favicon.ico 0% Avira URL Cloud safe https://www.kryptoslogic.com/ 0% virustotal Browse https://www.kryptoslogic.com/ 0% Avira URL Cloud safe https://www.kryptoslogic.com/images/logo.svg 0% Avira URL Cloud safe www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/Root 0% Avira URL Cloud safe https://www.kryptoslogic.com/index.xml 0% Avira URL Cloud safe https://www.kryptoslogic.com/privacy 0% Avira URL Cloud safe https://www.kryptoslogic.com/images/dashboard.png 0% Avira URL Cloud safe https://telltale.kryptoslogic.com/auth/signup/ 0% Avira URL Cloud safe https://www.kryptoslogic.com/LCyber 0% Avira URL Cloud safe Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Copyright Joe Security LLC 2019 Page 8 of 34 Domains No context ASN No context JA3 Fingerprints No context Dropped Files No context Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright Joe Security LLC 2019 Page 9 of 34 Startup System is w10x64 iexplore.exe (PID: 2924 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596) iexplore.exe (PID: 148 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2924 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A) cleanup Created / dropped Files C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{27CD80B4-5FF6-11E9-AAD9-C25F135D3C65}.dat Process: C:\Program Files\internet explorer\iexplore.exe File Type: Microsoft Word Document Size (bytes): 30296 Entropy (8bit): 1.850766801604863 Encrypted: false MD5: 0BD629E0429078CAF6379F97BB0CE632 SHA1: 6B58C93CD2C7ED351358346DF18DDD80EBCE93E6 SHA-256: 1FB9C79B995CBD031A8FC29C53C6CAF0104572777C98AA263DBEE7326816F2FC SHA-512: D5D27305BEA284E3D45BDE1F0FC80FB2A7E9D12D60DD4CD922E81A2C8B0C8A9DD82C88A5DA48A7A32278D02523CFC788AC18A14249CFC7ABEA553DAB27889 DFB Malicious: false Reputation: low Preview: .............................................................................................................................................................................................................................................................................. ..................................................................................................................................................................................................................................................R.o.o.t.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    34 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us