ID: Sample Name: consulta.cpf- CNPJ.exe Cookbook: default.jbs Time: 21:07:22 Date: 14/10/2017 Version:

Size: px

Start display at page:

Download "ID: Sample Name: consulta.cpf- CNPJ.exe Cookbook: default.jbs Time: 21:07:22 Date: 14/10/2017 Version:"

Fay McCoy
5 years ago
Views:

1 ID: Sample Name: consulta.cpf- CNPJ.exe Cookbook: default.jbs Time: 21:07:22 Date: 14/10/2017 Version:

2 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview AV Detection: Networking: System Summary: HIPS / PFW / Operating System Protection Evasion: Anti Debugging: Malware Analysis System Evasion: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshot Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info General File Icon Static PE Info General Entrypoint Preview Data Directories Sections Resources Imports Version Infos Network Behavior Network Port Distribution Table of Contents Copyright Joe Security LLC 2017 Page 2 of

3 TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets Code Manipulations Statistics System Behavior Analysis Process: consulta.cpf-cnpj.exe PID: 3224 Parent PID: 2964 General File Activities File Created Registry Activities Disassembly Code Analysis Copyright Joe Security LLC 2017 Page 3 of 1

Analysis Report Overview General Information Joe Sandbox Version: 20.0.0 Analysis ID: 34235 Start time: 21:07:22 Joe Sandbox Product: CloudBasic Start date: 14.10.

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 21:07:22 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 3m 15s false light consulta.cpf-cnpj.exe default.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: MAL HCA enabled EGA enabled HDC enabled mal60.evad.winexe@1/0@5/1 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Found application associated with file extension:.exe Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, WMIADAP.exe, dllhost.exe Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java,.Net, VB or Delphi, or parses a document) for: consulta.cpf-cnpj.exe Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Copyright Joe Security LLC 2017 Page 4 of 1

5 Strategy Score Range Further Analysis Required? Threshold false Confidence Classification Ransomware Evader Spreading malicious malicious malicious suspicious suspicious suspicious Exploiter Phishing clean clean clean Spyware Banker Adware Trojan / Bot Analysis Advice Sample HTTP request are all non existing, likely the sample is no longer working Signature Overview Copyright Joe Security LLC 2017 Page 5 of 1

6 AV Detection Networking System Summary HIPS / PFW / Operating System Protection Evasion Anti Debugging Malware Analysis System Evasion Hooking and other Techniques for Hiding and Protection Language, Device and Operating System Detection Click to jump to signature section AV Detection: Antivirus detection for domain / URL Antivirus detection for submitted file Networking: Downloads files from webservers via HTTP Performs DNS lookups Tries to download non-existing http data (HTTP/ Not Found) Urls found in memory or binary data HTTP GET or POST without a user agent System Summary: PE file contains a COM descriptor data directory Uses new MSVCR Dlls Contains modern PE file flags such as dynamic base (ASLR) or NX PE file contains a debug data directory Binary contains paths to debug symbols.net source code contains long base64-encoded strings Classification label PE file has an executable.text section and no other executable section Parts of this applications are using the.net runtime (Probably coded in C#) Reads software policies Sample is known by Antivirus (Virustotal or Metascan) Creates mutexes Reads the hosts file Sample file is different than original file name gathered from version info HIPS / PFW / Operating System Protection Evasion: May try to detect the Windows Explorer process (often used for injection) Anti Debugging: Creates guard pages, often used to prevent reverse engineering and debugging Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) Malware Analysis System Evasion: Copyright Joe Security LLC 2017 Page 6 of 1

Contains long sleeps (>= 3 min) May sleep (evasive loops) to hinder dynamic analysis Sample execution stops while process was sleeping (likely an evasion) Hooking and other Techniques for Hiding and

7 Contains long sleeps (>= 3 min) May sleep (evasive loops) to hinder dynamic analysis Sample execution stops while process was sleeping (likely an evasion) Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Language, Device and Operating System Detection: Queries the cryptographic machine GUID Behavior Graph Behavior Graph ID: Sample: consulta.cpf-cnpj.e... Startdate: 14/10/2017 Architecture: WINDOWS Score: 60 started consulta.cpf-cnpj.e... Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Number of created Registry Values Number of created Files Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language 12 4 Is malicious atualiacaotokenclientes.com , 0 DigitalEnergyTechnologiesChileSpACL Chile 5 similar packets combined: atualiacaotokenclie... Sample execution stops while process was sleeping (likely an evasion) Simulations Behavior and APIs No simulations Copyright Joe Security LLC 2017 Page 7 of 1

8 Antivirus Detection Initial Sample Source Detection Cloud Link consulta.cpf-cnpj.exe 4% virustotal Browse Dropped Files No Antivirus matches Domains Source Detection Cloud Link atualiacaotokenclientes.com 6% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs Match Associated Sample Name / URL SHA 256 Detection Link Context MalhaFinaApp.exe 9b12c0617c26fb330406e3e6f3 2f5c5dbe2652f1c6e3c3464e cd6f14de16 ConsultaCPF.CNPJ- App.exe APPMalhaFina..exe Consultar..CNPJ- CPF..exe malicious Browse atualiacaotokenclientes.co m/ zip d6bb6597d0603e7e572917bc malicious Browse atualiacaotokenclientes.co dc9fc52ec7e1d21f133bc6f6 m/ zip 3aa236daae 3f07a7bbff39dfed27b f5bb4435b2e b06d4456f4 malicious Browse atualiacaotokenclientes.co m/ zip f09ee6c037bb7e726ca1535f1 malicious Browse atualiacaotokenclientes.co 3709cf a0a1271 m/ zip 7669d3b93d2 Domains Copyright Joe Security LLC 2017 Page of 1

9 Match Associated Sample Name / URL SHA 256 Detection Link Context atualiacaotokenclientes.com MalhaFinaApp.exe 9b12c0617c26fb330406e3e6f3 malicious Browse f5c5dbe2652f1c6e3c3464ecd 6f14de16 ConsultaCPF.CNPJ- App.exe APPMalhaFina..exe d6bb6597d0603e7e572917bc malicious Browse dc9fc52ec7e1d21f133bc6f63 aa236daae 3f07a7bbff39dfed27b malicious Browse f5bb4435b2e b0 6d4456f4 Consultar..CNPJ-CPF..exe f09ee6c037bb7e726ca1535f13 malicious Browse cf a0a d3b93d2 ASN Match Associated Sample Name / URL SHA 256 Detection Link Context DigitalEnergyTechnologiesChileSpACL MalhaFinaApp.exe 9b12c0617c26fb330406e3e6f3 malicious Browse f5c5dbe2652f1c6e3c3464ecd 6f14de16 ConsultaCPF.CNPJ- App.exe APPMalhaFina..exe d6bb6597d0603e7e572917bc malicious Browse dc9fc52ec7e1d21f133bc6f63 aa236daae 3f07a7bbff39dfed27b malicious Browse f5bb4435b2e b0 6d4456f4 Consultar..CNPJ-CPF..exe f09ee6c037bb7e726ca1535f13 malicious Browse cf a0a d3b93d2 Dropped Files No context Screenshot Copyright Joe Security LLC 2017 Page 9 of 1

10 Startup System is w7 cleanup consulta.cpf-cnpj.exe (PID: 3224 cmdline: 'C:\Users\user\Desktop\consulta.CPF-CNPJ.exe' MD5: 21AD9FBCA4BBE5C1B12B67A95CC794CF) Created / dropped Files No created / dropped files found Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection atualiacaotokenclientes.com true false 6%, virustotal, Browse Contacted IPs Copyright Joe Security LLC 2017 Page 10 of 1

11 No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious Chile DigitalEnergyTechnologiesChileSp ACL false Static File Info General File type: PE32 executable (GUI) Intel 036 Mono/.Net assemb ly, for MS Windows TrID: Win32 Executable (generic) a ( /4) 99.23% Generic CIL Executable (.NET, Mono, etc.) (73296/5) 0.73% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00% File name: File size: MD5: SHA1: SHA256: SHA512: File Content Preview: consulta.cpf-cnpj.exe 21ad9fbca4bbe5c1b12b67a95cc794cf 4b436a66d1942ce1f29a5679f d eea0b eb765cc3a9b0336fc202463f51d3d2 21e629d41c2aceb6b 4ad1964a14ef9e1c4cc6cb7dfe393134effa92c33fd1 f44206c3cbccd09dd0c7492bf9acea5c d2dea99 caa0eb2a05d739eab6d754a15c5f1 MZ...@...!..L.!Th is program cannot be run in DOS mode...$...pe..l...^..y..."...0..j...ri......@ @... File Icon Static PE Info Copyright Joe Security LLC 2017 Page 11 of 1

12 General Entrypoint: 0x Entrypoint Section:.text Digitally signed: false Imagebase: 0x Subsystem: windows gui Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT Time Stamp: 0x59E1E25E [Sat Oct 14 10:09: UTC] TLS Callbacks: CLR (.Net) Version: v OS Version Major: 4 OS Version Minor: 0 File Version Major: 4 File Version Minor: 0 Subsystem Version Major: 4 Subsystem Version Minor: 0 Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744 Entrypoint Preview Instruction jmp dword ptr [ h] push eax dec ebx add eax, h add byte ptr [eax+4bh], dl add dword ptr [edx], eax pop ss or edx, dword ptr [eax+eax] push eax dec ebx add eax, dword ptr [esp+edx] Copyright Joe Security LLC 2017 Page 12 of 1

13 Instruction Data Directories Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IMPORT 0x6900 0x4f.text IMAGE_DIRECTORY_ENTRY_RESOURCE 0x000 0x3fc.rsrc IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0 IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BASERELOC 0xa000 0xc.reloc IMAGE_DIRECTORY_ENTRY_DEBUG 0x67c 0x1c.text IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0 Copyright Joe Security LLC 2017 Page 13 of 1

14 Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IAT 0x2000 0x.text IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x200 0x4.text IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0 Sections Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics.text 0x2000 0x4970 0x4a00 False data IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ.rsrc 0x000 0x3fc 0x400 False data IMAGE_SCN_CNT_INITIALIZE D_DATA, IMAGE_SCN_MEM_READ.reloc 0xa000 0xc 0x200 False dbase IV DBT of T9.DBF, blocks size 12, next free block index IMAGE_SCN_CNT_INITIALIZE D_DATA, IMAGE_SCN_MEM_DISCARDA BLE, IMAGE_SCN_MEM_READ Resources Name RVA Size Type Language Country RT_VERSION 0x05 0x39e data Imports DLL mscoree.dll Import _CorExeMain Version Infos Description Data Translation 0x0000 0x04b0 LegalCopyright 2017 Assembly Version InternalName hestmastering.exe FileVersion CompanyName Hest LegalTrademarks Hest Comments Hest Mastering Automatic ProductName Hest Mastering Automatic ProductVersion FileDescription Hest Mastering Automatic OriginalFilename hestmastering.exe Network Behavior Network Port Distribution Total Packets: 21 0 (HTTP) 53 (DNS) Copyright Joe Security LLC 2017 Page 14 of 1

15 TCP Packets Timestamp Source Port Dest Port Source IP Dest IP Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :09: CEST Oct 14, :09: CEST Oct 14, :09: CEST Oct 14, :09: CEST Oct 14, :10: CEST Oct 14, :10: CEST UDP Packets Timestamp Source Port Dest Port Source IP Dest IP Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST DNS Queries Timestamp Source IP Dest IP Trans ID OP Code Name Type Class Copyright Joe Security LLC 2017 Page 15 of 1

16 Timestamp Source IP Dest IP Trans ID OP Code Name Type Class Oct 14, :0: CEST x5f44 Standard query (0) Oct 14, :0: CEST x5f44 Standard query (0) Oct 14, :0: CEST x5f44 Standard query (0) Oct 14, :0: CEST x5f44 Standard query (0) Oct 14, :0: CEST x5f44 Standard query (0) atualiacao A (IP address) tokenclientes.com atualiacao A (IP address) tokenclientes.com atualiacao A (IP address) tokenclientes.com atualiacao A (IP address) tokenclientes.com atualiacao A (IP address) tokenclientes.com IN (0x0001) IN (0x0001) IN (0x0001) IN (0x0001) IN (0x0001) DNS Answers Timestamp Source IP Dest IP Trans ID Replay Code Name CName Address Type Class Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST Oct 14, :0: CEST x5f44 No error (0) atualiacao tokenclien tes.com x5f44 No error (0) atualiacao tokenclien tes.com x5f44 No error (0) atualiacao tokenclien tes.com x5f44 No error (0) atualiacao tokenclien tes.com x5f44 No error (0) atualiacao tokenclien tes.com A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) HTTP Request Dependency Graph atualiacaotokenclientes.com HTTP Packets Timestamp Source Port Dest Port Source IP Dest IP Header Oct 14, :0: CEST GET / zip HTTP/1.1 Host: atualiacaotokenclientes.com Connection: Keep-Alive Oct 14, :0: CEST HTTP/ Not Found Date: Sat, 14 Oct :0:15 GMT Server: Apache/2.4.6 (CentOS) PHP/ Content-Length: 21 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-59-1 Data Raw: 3c f d 4c c d 2f 2f f 2f d 4c e 30 2f 2f 45 4e 22 3e 0a 3c d 6c 3e 3c e 0a 3c c 65 3e e 6f f 75 6e 64 3c 2f c 65 3e 0a 3c 2f e 3c 62 6f e 0a 3c e 4e 6f f 75 6e 64 3c 2f e 0a 3c 70 3e c 20 2f e 7a e 6f f 75 6e f 6e e 3c 2f 70 3e 0a 3c 2f 62 6f e 3c 2f d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head>< body><h1>not Found</h1><p>The requested URL / zip was not found on this server.</p></body></ht ml> 1 Total Bytes Transfered (KB) 0 Copyright Joe Security LLC 2017 Page 16 of 1

17 Timestamp Source Port Dest Port Source IP Dest IP Header Oct 14, :0: CEST HTTP/ Not Found Date: Sat, 14 Oct :0:15 GMT Server: Apache/2.4.6 (CentOS) PHP/ Content-Length: 21 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-59-1 Data Raw: 3c f d 4c c d 2f 2f f 2f d 4c e 30 2f 2f 45 4e 22 3e 0a 3c d 6c 3e 3c e 0a 3c c 65 3e e 6f f 75 6e 64 3c 2f c 65 3e 0a 3c 2f e 3c 62 6f e 0a 3c e 4e 6f f 75 6e 64 3c 2f e 0a 3c 70 3e c 20 2f e 7a e 6f f 75 6e f 6e e 3c 2f 70 3e 0a 3c 2f 62 6f e 3c 2f d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head>< body><h1>not Found</h1><p>The requested URL / zip was not found on this server.</p></body></ht ml> 2 Total Bytes Transfered (KB) Code Manipulations Statistics System Behavior Analysis Process: consulta.cpf-cnpj.exe PID: 3224 Parent PID: 2964 General Start time: 21:07:56 Start date: 14/10/2017 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: C:\Users\user\Desktop\consulta.CPF-CNPJ.exe false 'C:\Users\user\Desktop\consulta.CPF-CNPJ.exe' 0x bytes 21AD9FBCA4BBE5C1B12B67A95CC794CF.Net C# or VB.NET File Activities File Created File Path Access Attributes Options Completion Count C:\ProgramData\BELEZASOFT read data or list directory and synchronize normal Source Address Symbol directory file and success or wait 1 55B191 CreateDirectoryW synchronous io non alert and open for backup ident and open reparse point Copyright Joe Security LLC 2017 Page 17 of 1

18 File Path Access Attributes Options Completion Count C:\ProgramData\BELEZASOFT\ zip read attributes and synchroniz e and generic write none synchronous io non alert and n on directory file and open no recall Source Address Symbol success or wait 1 55B62F CreateFileW Registry Activities Key Path Completion Count Source Address Symbol Key Path Name Type Data Completion Count Source Address Symbol Disassembly Code Analysis Copyright Joe Security LLC 2017 Page 1 of 1

ID: Sample Name: CRP_Force_Tool.exe Cookbook: default.jbs Time: 20:11:41 Date: 20/07/2018 Version:

ID: Sample Name: CRP_Force_Tool.exe Cookbook: default.jbs Time: 20:11:41 Date: 20/07/2018 Version: ID: 699 Sample Name: CRP_Force_Tool.exe Cookbook: default.jbs Time: 20:11:41 Date: 20/0/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence