Automated Malware Analysis Report For

Automated Malware Analysis Report For

ID: 396299 Cookbook: urldownload.jbs Time: 09:35:05 Date: 23/04/2021 Version: 31.0.0 Emerald Table of Contents Table of Contents 2 Analysis Report https://us.softpedia-secure- download.com:443/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe Overview 33 General Information 3 Detection 3 Signatures 3 Classification 3 Startup 3 Malware Configuration 3 Yara Overview 3 Sigma Overview 3 Signature Overview 3 Mitre Att&ck Matrix 4 Behavior Graph 4 Screenshots 5 Thumbnails 5 Antivirus, Machine Learning and Genetic Malware Detection 6 Initial Sample 6 Dropped Files 6 Unpacked PE Files 6 Domains 6 URLs 6 Domains and IPs 7 Contacted Domains 7 URLs from Memory and Binaries 7 Contacted IPs 7 Public 7 General Information 7 Simulations 8 Behavior and APIs 8 Joe Sandbox View / Context 8 IPs 8 Domains 8 ASN 9 JA3 Fingerprints 9 Dropped Files 9 Created / dropped Files 9 Static File Info 9 No static file info 9 Network Behavior 9 Network Port Distribution 10 TCP Packets 10 UDP Packets 10 DNS Queries 11 DNS Answers 11 HTTPS Packets 11 Code Manipulations 11 Statistics 11 Behavior 11 System Behavior 11 Analysis Process: cmd.exe PID: 5548 Parent PID: 2128 11 General 12 File Activities 12 File Created 12 Analysis Process: conhost.exe PID: 5536 Parent PID: 5548 12 General 12 Analysis Process: wget.exe PID: 6028 Parent PID: 5548 12 General 12 File Activities 13 File Created 13 Disassembly 13 Code Analysis 13 Copyright Joe Security LLC 2021 Page 2 of 13 Analysis Report https://us.softpedia-secure-download.co…m:443/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe Overview General Information Detection Signatures Classification Sample URL: https://us.softpedia-s ecure- DDeettteeccttteedd ppoottteenntttiiiaalll ccrrryypptttoo fffuunncctttiiioonn download.com:443/dl/4b98 UDUseseteessc ctceoodd eep ootbbefffnuutssiacclaa ctttiiriooynnp ttttoee ccfuhhnnciiiqqtiuuoeenss (((… b6dbc02a94c36aff3c7686b dbd31/60813f0d/30081879 Uses code obfuscation techniques ( 3/drivers/keyboard/sp1009 Ransomware 07.exe Miner Spreading Analysis ID: 396299 mmaallliiiccciiioouusss malicious Infos: Evader Phishing sssuusssppiiiccciiioouusss suspicious Most interesting Screenshot: cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Score: 1 Range: 0 - 100 Whitelisted: false Confidence: 80% Startup System is w10x64 cmd.exe (PID: 5548 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-ag ent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://us.softpedia-secure-download.com:443/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/ 300818793/drivers/keyboard/sp100907.exe' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D) conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) wget.exe (PID: 6028 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://us.softpedia-secure-download.com:443/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp10 0907.exe' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60) cleanup Malware Configuration No configs have been found Yara Overview No yara matches Sigma Overview No Sigma rule has matched Signature Overview Copyright Joe Security LLC 2021 Page 3 of 13 • Compliance • Networking • System Summary • Data Obfuscation • Malware Analysis System Evasion • Language, Device and Operating System Detection Click to jump to signature section There are no malicious signatures, click here to show all signatures . Mitre Att&ck Matrix Remote Initial Privilege Defense Credential Lateral Command Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration and Control Effects Effects Impact Valid Windows Path Process Masquerading 1 OS Security Remote Archive Exfiltration Encrypted Eavesdrop on Remotely Modify Accounts Management Interception Injection 1 Credential Software Services Collected Over Other Channel 1 2 Insecure Track Device System Instrumentation Dumping Discovery 1 Data 1 Network Network Without Partition Medium Communication Authorization Default Scheduled Boot or Boot or Process LSASS System Remote Data from Exfiltration Non- Exploit SS7 to Remotely Device Accounts Task/Job Logon Logon Injection 1 Memory Information Desktop Removable Over Application Redirect Phone Wipe Data Lockout Initialization Initialization Discovery 2 Protocol Media Bluetooth Layer Calls/SMS Without Scripts Scripts Protocol 1 Authorization Domain At (Linux) Logon Script Logon Obfuscated Files Security Remote SMB/Windows Data from Automated Application Exploit SS7 to Obtain Delete Accounts (Windows) Script or Information 1 Account System Admin Shares Network Exfiltration Layer Track Device Device Device (Windows) Manager Discovery 1 Shared Protocol 2 Location Cloud Data Drive Backups Behavior Graph Copyright Joe Security LLC 2021 Page 4 of 13 Hide Legend Legend: Behavior Graph Process ID: 396299 Signature URL: https://us.softpedia-secure... Created File Startdate: 23/04/2021 DNS/IP Info Architecture: WINDOWS Is Dropped Score: 1 Is Windows Process Number of created Registry Values started Number of created Files Visual Basic cmd.exe Delphi Java 2 .Net C# or VB.NET C, C++ or other language started started Is malicious Internet wget.exe conhost.exe 2 us.softpedia-secure-download.com 5.35.211.214, 443, 49709 GTSCEGTSCentralEuropeAntelGermanyCZ Romania Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright Joe Security LLC 2021 Page 5 of 13 Antivirus, Machine Learning and Genetic Malware Detection Initial Sample Source Detection Scanner Label Link https://us.softpedia-secure- 0% Avira URL Cloud safe download.com:443/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp10 0907.exe Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains No Antivirus matches URLs No Antivirus matches Copyright Joe Security LLC 2021 Page 6 of 13 Domains and IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation us.softpedia-secure-download.com 5.35.211.214 true false high URLs from Memory and Binaries Name Source Malicious Antivirus Detection Reputation https://us.softpedia-secure- wget.exe, 00000003.00000002.21 false high download.com:443/dl/4b98b6dbc02a94c36aff3c7686bdbd31/6 6184192.0000000001376000.00000 0813f0d/300818793/ 004.00000040.sdmp https://us.softpedia-secure- wget.exe, 00000003.00000002.21 false high download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813 6184192.0000000001376000.00000 f0d/300818793/driv 004.00000040.sdmp, cmdline.out.3.dr Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs Public IP Domain Country Flag ASN ASN Name Malicious 5.35.211.214 us.softpedia-secure- Romania 5588 GTSCEGTSCentralEuropeA false download.com ntelGermanyCZ General Information Joe Sandbox Version: 31.0.0 Emerald Analysis ID: 396299 Start date: 23.04.2021 Start time: 09:35:05 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 2m 45s Hypervisor based Inspection enabled: false Report type: light Copyright Joe Security LLC 2021 Page 7 of 13 Cookbook file name: urldownload.jbs Sample URL: https://us.softpedia-secure-download.com:443/dl/ 4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818 793/drivers/keyboard/sp100907.exe Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 Number of analysed new started processes analysed: 6 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis Mode: default Analysis stop reason: Timeout Detection: CLEAN Classification: clean1.win@4/2@1/1 EGA Information: Failed HDC Information: Failed HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 Cookbook Comments: Adjust boot time Enable AMSI Unable to download file Warnings: Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.147.198.201, 92.122.145.220, 104.43.139.144 Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, e12564.dspb.akamaiedge.net, store-images.s- microsoft.com, blobcollector.events.data.trafficmanager.net, store- images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, skypedataprdcolwus15.cloudapp.net Execution Graph export aborted for target wget.exe, PID 6028 because there are no executed function Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: https://us.softpedia-secure- download.com:443/dl/4b98b6dbc02a94c36aff3c768 6bdbd31/60813f0d/300818793/drivers/keyboard/sp 100907.exe Simulations Behavior and APIs No simulations Joe Sandbox View / Context IPs No context Domains Copyright Joe Security LLC 2021 Page 8 of 13 No context ASN No context JA3 Fingerprints No context Dropped Files No context Created / dropped Files C:\Users\user\Desktop\cmdline.out Process: C:\Windows\SysWOW64\wget.exe File

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    13 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us