ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:

Transcription

1 ID: 4441 Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/201 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking: System Summary: HIPS / PFW / Operating System Protection Evasion: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshot Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior TCP Packets UDP Packets ICMP Packets DNS Queries DNS Answers Code Manipulations Statistics System Behavior Analysis Process: wget.exe PID: 304 Parent PID: 472 General File Activities Disassembly Code Analysis Copyright Joe Security LLC 201 Page 2 of

3 Copyright Joe Security LLC 201 Page 3 of 12

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: 4441 Start time: 02:55:04 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 1m 21s false light urldownload.jbs =https%3a%2f%2fgoo.gl%2f6nqbek&data=02%7 c01%7cbarrisi%40trueblue.com%7c4220f979f a d010d56d1bcb%7cc2c09bd09a1a4a b14471a37d391763%7c0%7c1%7c &sdata=xwxopzcqhiwys7mondm7wlyb%2 bjw5ptjzrjowmwr%2bawi%3d&reserved=0 Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 3 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: HCA enabled EGA enabled HDC enabled CLEAN clean0.win@1/0@5/1 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Adjust boot time Unable to download file Show All Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Copyright Joe Security LLC 201 Page 4 of 12

5 Strategy Score Range Further Analysis Required? Threshold false Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Signature Overview Copyright Joe Security LLC 201 Page 5 of 12

6 Networking System Summary HIPS / PFW / Operating System Protection Evasion Click to jump to signature section Networking: Performs DNS lookups Urls found in memory or binary data System Summary: Classification label HIPS / PFW / Operating System Protection Evasion: Very long cmdline option found, this is very uncommon (may be encrypted or packed) Behavior Graph Copyright Joe Security LLC 201 Page 6 of 12

7 Hide Legend Behavior Graph ID: 4441 URL: Startdate: 01/02/201 Architecture: WINDOWS Score: 0 Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Number of created Registry Values Number of created Files Visual Basic na01.safel started Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious wget.exe..., 53, 6161 GOOGLE-GoogleIncUS United States Simulations Behavior and APIs No simulations Antivirus Detection Initial Sample No Antivirus matches Dropped Files No Antivirus matches Domains Source Detection Cloud Link na01.safel 0% virustotal Browse Copyright Joe Security LLC 201 Page 7 of 12

8 Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshot Copyright Joe Security LLC 201 Page of 12

9 Startup System is w7 wget.exe (PID: 304 cmdline: wget -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:.0) like Gecko' ' fa d010d56d1bcb%7cc2c09bd09a1a4ab14471a37d391763%7c0%7c1%7c &sdata=xwxopzcqhiwys7mondm7wlyb%2bjw5ptjzrjowmwr%2ba wi%3d&reserved=0' MD5: 34C709455BFEFB9B0E976BAD13AF4) cleanup Created / dropped Files No created / dropped files found Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection na01.safel true false 0%, virustotal, Browse Contacted IPs Copyright Joe Security LLC 201 Page 9 of 12

10 No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious... United States GOOGLE-GoogleIncUS false Static File Info No static file info Network Behavior TCP Packets Timestamp Source Port Dest Port Source IP Dest IP Feb 1, :55: CET Feb 1, :55: CET Feb 1, :55: CET Feb 1, :55: CET Feb 1, :55: CET Feb 1, :56: CET Feb 1, :56: CET Feb 1, :56: CET UDP Packets Timestamp Source Port Dest Port Source IP Dest IP Feb 1, :55: CET Feb 1, :55: CET Feb 1, :55: CET Feb 1, :55: CET Feb 1, :55: CET Feb 1, :56: CET Feb 1, :56: CET Feb 1, :56: CET Copyright Joe Security LLC 201 Page 10 of 12

11 ICMP Packets Timestamp Source IP Dest IP Checksum Code Type Feb 1, :56: CET d017 (Port unreachable) Feb 1, :56: CET d017 (Port unreachable) Feb 1, :56: CET d017 (Port unreachable) Destination Unreachable Destination Unreachable Destination Unreachable DNS Queries Timestamp Source IP Dest IP Trans ID OP Code Name Type Class Feb 1, :55: CET xea2 Standard query (0) Feb 1, :55: CET xea2 Standard query (0) Feb 1, :55: CET xea2 Standard query (0) Feb 1, :55: CET xea2 Standard query (0) Feb 1, :55: CET xea2 Standard query (0) na01.safel A (IP address) na01.safel A (IP address) na01.safel A (IP address) na01.safel A (IP address) na01.safel A (IP address) IN (0x0001) IN (0x0001) IN (0x0001) IN (0x0001) IN (0x0001) DNS Answers Timestamp Source IP Dest IP Trans ID Replay Code Name CName Address Type Class Feb 1, xea2 No error (0) na01.safel 02:56: CET Feb 1, xea2 No error (0) na01.safel 02:56: CET Feb 1, xea2 No error (0) na01.safel 02:56: CET A (IP address) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) Code Manipulations Statistics System Behavior Analysis Process: wget.exe PID: 304 Parent PID: 472 General Start time: 02:55:19 Start date: 01/02/201 Path: Wow64 process (32bit): C:\Windows\System32\wget.exe false Copyright Joe Security LLC 201 Page of 12

12 Commandline: Imagebase: File size: MD5 hash: Programmed in: Reputation: wget -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --useragent='mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:.0) like Gecko' ' a01.safel/?url=https%3a%2f%2fgoo.gl%2f6nqbek&data=02% 7c01%7cbarrisi%40trueblue.com%7c4220f979fa d010d56d1bcb%7cc2c09bd09a1a4 ab14471a37d391763%7c0%7c1%7c &sdata=xwxopzcqhiwys7m ondm7wlyb%2bjw5ptjzrjowmwr%2bawi%3d&reserved=0' 0x bytes 34C709455BFEFB9B0E976BAD13AF4 C, C++ or other language low File Activities File Path Offset Length Value Ascii Completion Count Source Address Symbol Disassembly Code Analysis Copyright Joe Security LLC 201 Page 12 of 12