ID: Sample Name: Extra.exe Cookbook: default.jbs Time: 10:28:42 Date: 05/02/2018 Version:

Transcription

1 ID: Sample Name: Extra.exe Cookbook: default.jbs Time: :2:42 Date: 05/02/201 Version:

2 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview System Summary: HIPS / PFW / Operating System Protection Evasion: Anti Debugging: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshot Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info General File Icon Static PE Info General Entrypoint Preview Data Directories Sections Resources Imports Version Infos Possible Origin Network Behavior Code Manipulations Statistics System Behavior Table of Contents Copyright Joe Security LLC 201 Page 2 of

3 Analysis Process: Extra.exe PID: 3536 Parent PID: 3216 General File Activities File Created File Written Disassembly Code Analysis Copyright Joe Security LLC 201 Page 3 of 14

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: :2:42 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 3m 20s false light Extra.exe default.jbs Analysis system description: Windows 7 SP1 (with Office 20 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 3 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: HCA enabled EGA enabled HDC enabled CLEAN clean1.winexe@1/1@0/0 HCA Information: Successful, ratio: 0% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Adjust boot time Found application associated with file extension:.exe Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe Skipping Hybrid Code Analysis (implementation is based on Java,.Net, VB or Delphi, or parses a document) for: Extra.exe Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Copyright Joe Security LLC 201 Page 4 of 14

5 Strategy Score Range Further Analysis Required? Threshold false Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Signature Overview Copyright Joe Security LLC 201 Page 5 of 14

6 System Summary Anti Debugging HIPS / PFW / Operating System Protection Evasion Hooking and other Techniques for Hiding and Protection Language, Device and Operating System Detection Click to jump to signature section System Summary: Binary contains paths to development resources Classification label Creates files inside the user directory Creates temporary files PE file has an executable.text section and no other executable section Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic) Reads software policies Sample is known by Antivirus (Virustotal or Metascan) Uses an in-process (OLE) Automation server Sample file is different than original file name gathered from version info HIPS / PFW / Operating System Protection Evasion: May try to detect the Windows Explorer process (often used for injection) Anti Debugging: Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Language, Device and Operating System Detection: Queries the cryptographic machine GUID Behavior Graph Copyright Joe Security LLC 201 Page 6 of 14

7 Hide Legend ID: Behavior Graph Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Number of created Registry Values Number of created Files Sample: Extra.exe Startdate: 05/02/201 Architecture: WINDOWS Score: 1 Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious started Extra.exe 2 Simulations Behavior and APIs No simulations Antivirus Detection Initial Sample Source Detection Cloud Link Extra.exe 3% virustotal Browse Dropped Files No Antivirus matches Domains No Antivirus matches Copyright Joe Security LLC 201 Page 7 of 14

8 Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshot Copyright Joe Security LLC 201 Page of 14

9 Startup System is w7 Extra.exe (PID: 3536 cmdline: 'C:\Users\user\Desktop\Extra.exe' MD5: 3EB7B25E71F61735C50F97F07BB47) cleanup Created / dropped Files C:\Users\user\Desktop\logFebruary201.txt File Type: ASCII text, with CRLF line terminators Size (bytes): 5 Entropy (bit): Encrypted: false MD5: 2E4A5B3E2E907E4BD7DADC39C224EE70 SHA1: A0EFA4FDD5DF9CE599A356D0646C952DF967A3C SHA-256: 161EE6C35B91D21415C759EF14276B77AA4B3AD1EEF36942D6D3321FA5 SHA-512: C6F3BFBB562502DDE73F9222E0E03A66DBB0C427ED44BE5B62561B593B005BE1FDE 19CC0A20AD9A573D7BBBD DB02B70A Malicious: false Reputation: low Copyright Joe Security LLC 201 Page 9 of 14

10 Contacted Domains/Contacted IPs Contacted Domains No contacted domains info Contacted IPs No contacted IP infos Static File Info General File type: Entropy (bit): PE32 executable (GUI) Intel 036, for MS Windows TrID: Win32 Executable (generic) a (002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (2127/2) 0.1% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00% File name: Extra.exe File size: MD5: SHA1: SHA256: SHA512: File Content Preview: 3eb7b25e71f61735c50f97f07bb47 91af6f609f960459b671cfc5e364595f339baaf 405a3b67d d3c40c2395def0f15b5d16c0e711e ececbf497b5a61 c370dbb9434b6d43c3bea01b7e91df40a1dcb0a03 cf51fae4f03ba1a5951daafbcb c616ef1b74 cb66b5cdf62c0ad0cb05b6e9073f3996 MZ...@...!..L.!Th is program cannot be run in DOS mode...$...} p...?...rich9...pe..l...?.hz....p...p...p...@... File Icon Static PE Info General Entrypoint: Entrypoint Section: Digitally signed: Imagebase: Subsystem: Image File Characteristics: DLL Characteristics: Time Stamp: TLS Callbacks: CLR (.Net) Version: OS Version Major: 4 OS Version Minor: 0 File Version Major: 4 File Version Minor: 0 Subsystem Version Major: 4 Subsystem Version Minor: 0 Import Hash: 0x401b70.text false 0x windows gui LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED 0x5A6093F [Wed Jan 24 04:19: UTC] aecdfd370911cddd6066ec66601efd Entrypoint Preview Copyright Joe Security LLC 201 Page of 14

11 Instruction push h call 00007F31B4B05E3h xor byte ptr [eax], al inc eax add byte ptr [esi-22h], ch frstor [ebp+edi-63b59c4eh] lodsd lea ebx, ebx xor al, 4Dh jmp far 0000h : FDh add byte ptr [ecx], al add byte ptr [eax+72h], dl outsd push h arpl word ptr [ecx+esi+00h], si add bh, bh int3 xor dword ptr [eax], eax sbb dword ptr [edi], eax cmp byte ptr [edi], Eh xchg dword ptr [E5AE4Fh+esi], ebp test byte ptr [ebx-51h], ah jmp far fword ptr [ecx] fistp dword ptr [esi+24h] jnle 00007F31B4B05F1h mov al, byte ptr [20A4F4h] push 1C756E4h cmp cl, byte ptr [edi-53h] xor ebx, dword ptr [ecx-4ee309ah] or al, 00h stosb add byte ptr [eax-2dh], ah xchg eax, ebx Copyright Joe Security LLC 201 Page 11 of 14

12 Instruction push Ah xor dword ptr [ h], ecx add byte ptr [esi+72h], ah insd jne 00007F31B4B05966h popad insd popad add byte ptr [45000F01h], cl Data Directories Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IMPORT 0x x2.text IMAGE_DIRECTORY_ENTRY_RESOURCE 0x2b000 0x74.rsrc IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0 IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0 IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x22 0x20 IMAGE_DIRECTORY_ENTRY_IAT 0x00 0x23.text IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0 Sections Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics.text 0x00 0x26e 0x27000 False data IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ.data 0x2000 0x2204 0x00 False data 0.0 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ.rsrc 0x2b000 0x74 0x2000 False data IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_READ Resources Name RVA Size Type Language Country RT_ICON 0x2b3cc 0xca data RT_GROUP_ICON 0x2b3b 0x14 MS Windows icon resource - 1 icon RT_VERSION 0x2b0f0 0x2c data English United States Imports DLL Import Copyright Joe Security LLC 201 Page 12 of 14

13 DLL MSVBVM60.DLL Import vbavarsub, vbavartstgt, vbastri2, _CIcos, _adj_fptan, vbastri4, vbavarmove, vbavarvargnofree, vbafreevar, vbalateidcall, vbastrvarmove, vbalenbstr, vbafreevarlist, vbaend, _adj_fdiv_m64, vbafreeobjlist, _adj_fprem1, vbaresume, vbastrcat, vbalsetfixstr, vbasetsystemerror, vbahresultcheckobj, vbalenvar, _adj_fdiv_m32, vbaarydestruct, vbavarcmpge, vbacyerrvar, vbavarforinit, vbaexitproc, vbaonerror, vbaobjset, _adj_fdiv_m16i, vbaobjsetaddref, _adj_fdivr_m16i, vbaboolvar, vbastrfixstr, vbavartstlt, vbaboolvarnull, _CIsin, vbachkstk, EVENT_SINK_AddRef, vbagenerateboundserror, vbastrcmp, vbaaryconstruct2, vbavartsteq, vbai2i4, vbaobjvar, DllFunctionCall, vbavaror, vbacysub, vbaredimpreserve, _adj_fpatan, vbafixstrconstruct, vbalateidcallld, vbaredim, vbarcy, vbastrr, EVENT_SINK_Release, vbanew, vbaui1i2, _CIsqrt, vbalateidcallst, vbavarand, EVENT_SINK_QueryInterface, vbafpcmpcy, vbaexcepthandler, vbastrtounicode, _adj_fprem, _adj_fdivr_m64, vbai2str, vbavarcmple, vbafpexception, vbastrvarval, vbavarcat, vbadatevar, vbai2var, vbalsetfixstrfree, _CIlog, vbaerroroverflow, vbanew2, _adj_fdiv_m32i, _adj_fdivr_m32i, vbastrcopy, vbavarnot, vbafreestrlist, vbavarcmplt, _adj_fdivr_m32, vbarvar, _adj_fdiv_r, vbavartstne, vbavarsetvar, vbai4var, vbavarcmpeq, vbafpcy, vbavaradd, vbalatememcall, vbastrtoansi, vbafreevarg, vbavardup, vbavarcopy, vbavarlatememcallld, _CIatan, vbastrmove, vbacastobj, vbai2errvar, _allmul, vbalateidst, _CItan, vbavarfornext, _CIexp, vbastrcy, vbafreestr, vbafreeobj, vbai4errvar Version Infos Description Data Translation 0x0409 0x04b0 LegalCopyright (C) Indocement Tunggal Prakarsa, InternalName Extra FileVersion CompanyName Indocement Tunggal Prakarsa ProductName Belt Conveyor Program ProductVersion OriginalFilename Extra.exe Possible Origin Language of compilation system Country where language is spoken Map English United States Network Behavior No network behavior found Code Manipulations Statistics System Behavior Analysis Process: Extra.exe PID: 3536 Parent PID: 3216 General Copyright Joe Security LLC 201 Page of 14

14 Start time: :29:26 Start date: 05/02/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: Reputation: C:\Users\user\Desktop\Extra.exe false 'C:\Users\user\Desktop\Extra.exe' 0x bytes 3EB7B25E71F61735C50F97F07BB47 Visual Basic low File Activities File Created File Path Access Attributes Options Completion Count C:\Users\user\Desktop\logFebruary201.txt read attributes and synchroniz e and generic read and generic write normal synchronous io non alert and n on directory file Source Address Symbol success or wait 1 6B33353E CreateFileW File Written File Path Offset Length Value Ascii Completion Count C:\Users\user\Desktop\logFebruary201.txt unknown 56 4c 6f a a f d e 30 2e f e Source Address Symbol Log 05 Feb 201 success or wait 1 6B333FBE WriteFile :29:2 BC Extra Program opened C:\Users\user\Desktop\logFebruary201.txt unknown 2 0d 0a.. success or wait 1 6B333FBE WriteFile Disassembly Code Analysis Copyright Joe Security LLC 201 Page 14 of 14