ID: Sample Name: 11youtube3.com Cookbook: default.jbs Time: 08:17:42 Date: 12/04/2018 Version:

Transcription

1 ID: Sample Name: 11youtube3.com Cookbook: default.jbs Time: 08:1:42 Date: 12/04/2018 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Data Obfuscation: System Summary: Anti Debugging: Malware Analysis System Evasion: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Unpacked PE Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info General Static PE Info General Entrypoint Preview Data Directories Sections Resources Imports Possible Origin Network Behavior Code Manipulations Statistics System Behavior Disassembly Copyright Joe Security LLC 2018 Page 2 of 11

3 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 08:1:42 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 3m 2s false light 11youtube3.com default.jbs Analysis system description: Windows SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 0, Acrobat Reader DC 1, Flash 2, Java ) Number of analysed new started processes analysed: 0 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: Errors: MAL EGA enabled HDC enabled mal48.wincom@0/0@0/0 Unable to connect to analysis machine: w, W_2, timeout exceeded, no analysis of the sample was performed Nothing to analyse, Joe Sandbox has not found any analysis process or sample Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold false Copyright Joe Security LLC 2018 Page 3 of 11

4 Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Signature Overview Obfuscation Data Summary System Debugging Anti Malware Analysis System Evasion Copyright Joe Security LLC 2018 Page 4 of 11

5 Click to jump to signature section Data Obfuscation: Sample is packed with UPX System Summary: Submitted file has a suspicious file extension PE file contains strange resources PE file has section (not.text) which is very likely to contain packed code (zlib compression ratio < 0.011) Classification label Anti Debugging: Program does not show much activity (idle) Malware Analysis System Evasion: Program does not show much activity (idle) Behavior Graph Copyright Joe Security LLC 2018 Page 5 of 11

6 Hide Legend Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Behavior Graph Number of created Registry Values Number of created Files ID: Sample: 11youtube3.com Startdate: 12/04/2018 Architecture: WINDOWS Score: 48 Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious Submitted file has a suspicious file extension Simulations Behavior and APIs No simulations Antivirus Detection Initial Sample No Antivirus matches No Antivirus matches Unpacked PE Files No Antivirus matches Domains No Antivirus matches Copyright Joe Security LLC 2018 Page of 11

7 Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context No context Created / dropped Files No created / dropped files found Contacted Domains/Contacted IPs Contacted Domains No contacted domains info Contacted IPs No contacted IP infos Copyright Joe Security LLC 2018 Page of 11

8 Static File Info General File type: Entropy (8bit): PE32 executable (GUI) Intel 8038, for MS Windows, UPX compressed TrID: Win32 Executable (generic) a ( /4) 99.3% UPX compressed Win32 Executable (3051/9) 0.30% Win32 EXE Yoda's Crypter (251/9) 0.2% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% File name: File size: MD5: SHA1: SHA25: SHA512: File Content Preview: 11youtube3.com b092bd2842bad4c13ab3b9b01 c8fd51855c45be4fdfdade88cfb3a313309c9b 2f4cc b85d8ef34a1403cc258cab083951a 83c3f240a945d19f ff12edb553f8ed232d8f0e41f2a8cc98d04 ee13e1bed4a12522a411fc8baa4ad43d9b4de ca35915e181a18e8ec5db134 MZ...@...!..L.!Th is program cannot be run in DOS mode...$ pe..l... Static PE Info General Entrypoint: Entrypoint Section: Digitally signed: Imagebase: Subsystem: Image File Characteristics: DLL Characteristics: 0x80b4a0 UPX1 false 0x windows gui LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED Time Stamp: 0x0 [Thu Jan 1 00:00: UTC] TLS Callbacks: CLR (.Net) Version: OS Version Major: 4 OS Version Minor: 0 File Version Major: 4 File Version Minor: 0 Subsystem Version Major: 4 Subsystem Version Minor: 0 Import Hash: 5d02fde12eb0fb22fe8e05e50da0 Entrypoint Preview Instruction pushad mov esi, h lea edi, dword ptr [esi h] push edi or ebp, FFFFFFFFh jmp 0000F224DCBAE92h mov al, byte ptr [esi] inc esi mov byte ptr [edi], al inc edi Copyright Joe Security LLC 2018 Page 8 of 11

9 Instruction jne 0000F224DCBAE89h jc 0000F224DCBAEFh mov eax, h jne 0000F224DCBAE89h adc eax, eax jnc 0000F224DCBAE1h jne 0000F224DCBAE8Bh jnc 0000F224DCBAEh xor ecx, ecx sub eax, 03h jc 0000F224DCBAE8Fh shl eax, 08h mov al, byte ptr [esi] inc esi xor eax, FFFFFFFFh je 0000F224DCBAEFh mov ebp, eax jne 0000F224DCBAE89h adc ecx, ecx jne 0000F224DCBAE89h adc ecx, ecx jne 0000F224DCBAEA2h inc ecx jne 0000F224DCBAE89h adc ecx, ecx jnc 0000F224DCBAE1h jne 0000F224DCBAE8Bh jnc 0000F224DCBAEh add ecx, 02h cmp ebp, FFFFF300h adc ecx, 01h lea edx, dword ptr [edi+ebp] cmp ebp, FFFFFFFCh jbe 0000F224DCBAE91h mov al, byte ptr [edx] inc edx Copyright Joe Security LLC 2018 Page 9 of 11

10 Instruction mov byte ptr [edi], al inc edi dec ecx jne 0000F224DCBAE9h jmp 0000F224DCBADE8h mov eax, dword ptr [edx] Data Directories Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IMPORT 0xc514 0x130.rsrc IMAGE_DIRECTORY_ENTRY_RESOURCE 0xc000 0x514.rsrc IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0 IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0 IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IAT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0 Sections Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics UPX0 0x1000 0x000 0x0 False 0 empty 0.0 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_ DATA, IMAGE_SCN_MEM_READ UPX1 0x000 0x5000 0x400 False data IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ.rsrc 0xc000 0x1000 0x800 False data IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ Resources Name RVA Size Type Language Country RT_ICON 0xc0d8 0x2e8 data English United States RT_ICON 0xc3c4 0x128 GLS_BINARY_LSB_FIRST English United States RT_GROUP_ICON 0xc4f0 0x22 MS Windows icon resource - 2 icons, 32x32, 1-colors English United States Imports DLL KERNEL32.DLL ADVAPI32.dll MSVCRT.dll USER32.dll WS2_32.dll Import LoadLibraryA, GetProcAddress, ExitProcess RegCloseKey time wsprintfa gethostname Possible Origin Language of compilation system Country where language is spoken Map English United States Copyright Joe Security LLC 2018 Page 10 of 11

11 Network Behavior No network behavior found Code Manipulations Statistics System Behavior Disassembly Copyright Joe Security LLC 2018 Page 11 of 11