ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version:

Transcription

1 ID: 5139 Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/201 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Networking: System Summary: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior TCP Packets UDP Packets ICMP Packets DNS Queries DNS Answers Code Manipulations Statistics Behavior System Behavior Analysis iexplore.exe PID: 3764 Parent PID: 54 General File Activities 17 Copyright Joe Security LLC 201 Page 2 of

3 Registry Activities Analysis iexplore.exe PID: 316 Parent PID: 3764 General File Activities Registry Activities Disassembly Code Analysis Copyright Joe Security LLC 201 Page 3 of 1

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: 5139 Start time: 17:39:02 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 4m 4s light browseurl.jbs jamloop.zrbcn.pw Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 7 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: HCA enabled EGA enabled HDC enabled Timeout CLEAN clean0.win@3/11@5/2 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Adjust boot time Correcting counters for adjusted boot time Show All Exclude process from analysis (whitelisted): WmiPrvSE.exe, WmiApSrv.exe, dllhost.exe Execution Graph export aborted for target iexplore.exe, PID 316 because there are no executed function Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Copyright Joe Security LLC 201 Page 4 of 1

5 Confidence Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Copyright Joe Security LLC 201 Page 5 of 1

6 Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Signature Overview Networking System Summary Click to jump to signature section Networking: Social media urls found in memory data Downloads files Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data System Summary: Classification label Creates files inside the user directory Creates temporary files Reads ini files Spawns processes Uses an in-process (OLE) Automation server Found graphical window changes (likely an installer) Uses new MSVCR Dlls Binary contains paths to debug symbols Behavior Graph Copyright Joe Security LLC 201 Page 6 of 1

7 Behavior Graph ID: 5139 URL: jamloop.zrbcn.pw Startdate: 22/03/201 Architecture: WINDOWS Score: 0 Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend started Number of created Registry Values Number of created Files iexplore.exe 34 Visual Basic Delphi Java.Net C# or VB.NET unknown unknown started C, C++ or other language Is malicious iexplore.exe 13..., 5156, 52046, GOOGLE-GoogleIncUS United States jamloop.zrbcn.pw Simulations Behavior and APIs Time Type Description 17:39:42 API Interceptor 573x Sleep call for process: iexplore.exe modified Antivirus Detection Initial Sample Detection Cloud Link jamloop.zrbcn.pw 0% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Detection Cloud Link jamloop.zrbcn.pw 0% virustotal Browse Copyright Joe Security LLC 201 Page 7 of 1

8 Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Copyright Joe Security LLC 201 Page of 1

9 Startup System is w7 iexplore.exe (PID: 3764 cmdline: '' -Embedding CA1F703CD66567E132D2946FB55750) iexplore.exe (PID: 316 cmdline: '' SCODEF:3764 CREDAT: /prefetch:2 CA1F703CD66567E132D2946FB55750) cleanup Created / dropped Files C:\Users\SAMTAR~1\AppData\Local\Temp\JavaDeployReg.log File Type: Size (bytes): 9 Entropy (bit): ASCII text, with CRLF line terminators 3CB32F C53073A6A271DF61A10 2B416CC1E33655BBA665D9976C6D657AE E1D64E90D40A50D0293E1AB346A77C205A07A13E25BC2E01C EF50BEA FC3DD3DEA31596A31B2AFD1B1D772757B6A490F20C61D0BFF71F229A73661EB90F A71CC2CAB A4BDB3A96 Copyright Joe Security LLC 201 Page 9 of 1

10 C:\Users\SAMTAR~1\AppData\Local\Temp\~DF0746F293D TMP File Type: FoxPro FPT, blocks size 25, next free block index Size (bytes): 4217 Entropy (bit): B7D3C330E32FC372EFE90CC61D E0975A7CFCB1E9A303ECFC B356A2BA 23FBFE C06BC56EB2C15A2BE2D9B46A22DB9DEED4074D043 73C33BEA02AF0CE79A5CC2F4E5337B1604B051191A564B070404C99BA79190D214363EFA05C7C97AB6EA94D E3DA13D2C27FCB953B44C07EE46C0D5ABECD0 C:\Users\SAMTAR~1\AppData\Local\Temp\~DF33FCF4B5A7B5632F.TMP File Type: FoxPro FPT, blocks size 25, next free block index Size (bytes): Entropy (bit): BF4DB A92A37625F72AB09 EBD37E7D169B90E E0F AC4351A1B11A950C42AA60A512767A97E34D1DD F5E1AB7 EEEFBBB73E60D03C099A4551EAB93DE775925C92A46E01145B14FDB57035AEFB7A0CE37B9DC67CBB3 DF219F19E35D70207A044BC EAEF C:\Users\SAMTAR~1\AppData\Local\Temp\~DF6473CA59CFE19F3.TMP File Type: data Size (bytes): Entropy (bit): A969A35B11035D7F13A04FA1D DA691BA7CC9EAA6550D BA476 77A4FFDEE623CEF5F431DB3F427BC934A4C1CC119B6FA02DE50C01DC4BA AEB7EA39F0D7D7FCDDA19930DB65A6F6179F DC447DA369DFA3535DF25C2B6D A1AD95 217DE2EB2570A66E9C2F96A2C60F6AAC35FF0 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9EC DEF-11E-B3E3-CCDA62336E41}.dat File Type: Size (bytes): 4660 Microsoft Word Document Entropy (bit): B1551A E17DB0A40F6CFB3602 2FFCAB4DF00655E32F F0EE6BB2 9D9C3DD773ECBFEF404E2AEFF072414BCFF62D7A014F9FDCE302B1CDA6572 6B51404B40090FE51031F130FFF2DB96C2B0215AF1DDBFAC5BDDE2E22D732FCD16227B E7EB7 030D26D31D9162FD9724CF7DBEBBD2B1E6BA C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9EC DEF-11E-B3E3-CCDA62336E41}.dat File Type: Size (bytes): 2272 Microsoft Word Document Entropy (bit): B46C30970E63D96CD03F3E001A3967B B96BD03AF930FC0D312B45DF7E46FF97CF422 C1FC1220EBBAFCA9DCAF307A0202FD4AABEF694D9B5BB694CDA2E720D67D 036C1B41A5AA00B356C2A76D D2FA5049B419CAB743762D16C29CE47C01740D12DC000BC4BEB9FBD7 1074C90E664D51B2DB3092F0A695A3F7D3EE Copyright Joe Security LLC 201 Page 10 of 1

11 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9EC DEF-11E-B3E3-CCDA62336E41}.dat C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AEACB90-2DEF-11E-B3E3-CCDA62336E41}.dat File Type: Size (bytes): Microsoft Word Document Entropy (bit): E410611B356AB10373F B43 794AF97ED9F904DDDC7CEEC1D3EAF1071E7F5 E9ECBDD2AEE42C939DD0E5AC00BBD0CA5249AC715B3A64ACDBF23A5631E C2730CC24369CD39C6CE06C1B BD775F97C437D9171F3F229E2FDAC6EC90C6146CB63596B3C09D F076453E79D91CA4B63B326CB9DB0496A4B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\NewErrorPageTemplate[1] File Type: Size (bytes): 1310 Entropy (bit): UTF- Unicode (with BOM) text, with CRLF line terminators CDF1E591D9CBFB47A7F97A2BCDB70B9 F12010DFAACDECAD77B70A3E71C707CF D95C6FB16136C795BB63E53FE0B11F9E406494BB575B3B0D60C5F651BD 977DCC2C64ACAF0E5970CEF1A7A72C9F9DC6BB2DA54F057E053CE939E4AB01B163EB7A505E093ABC44 ECAD9D060FDC3E67E2AC67FEE4D070A4CC C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\dnserror[1] File Type: Size (bytes): 157 Entropy (bit): HTML document, UTF- Unicode (with BOM) text, with CRLF line terminators 73C70B34B5FF15D3A94B9D E9EAA065BD655A1B176E13615FD7E6EF96230A9 3EBD3432A436B4EBA1F3D5F1252E7BD13744A B469C13FCF4 927DCD4ACFDEB0F970CB4EE3F05916B37E1E4E04733ED3356F77CA044D2145E1ABDD4F7CE1C6CA23C1E B1797CC56C4C7E73F60E0FC0D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\httpErrorPagesScripts[1] File Type: Size (bytes): 714 Entropy (bit): UTF- Unicode (with BOM) text, with CRLF line terminators 3F57B71CB3EF114DD0B B7B CE6A63F996DF3A1CCCB1720E21204B25E023C 46E019FA34465F4ED096A9665D127B AD2E9BE01EDB1DDBC94D3AD CBF4EF52332AE7EA605F910AD6FA4BC FA4F0943A72CAC2CF0FA32B6AF4C20C697E1FAC2C5 BA16B5A64A23AF0C11EEFBF69625BF9F90CFA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\errorPageStrings[1] File Type: UTF- Unicode (with BOM) text, with CRLF line terminators Size (bytes): 3470 Entropy (bit): B26ECFA5E37D4B5EC61FCDD3F04FA Copyright Joe Security LLC 201 Page 11 of 1

12 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\errorPageStrings[1] B69CD71F6FE35A9CE0D7EA17B5F1B2BAD9EAFA 7F7D1069CAA52C1CEB36E1D9FE6A9C17ECBEFF1F66FC5EBFEB541723A 1676D43B977C07A3F6A5473F12FD16E564703A1CB9771D0F19B EE7940C33A010F0DC521E57332EC4 C4DD693C6A2323C97750E C3F4 Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation jamloop.zrbcn.pw true 0%, virustotal, Browse unknown Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious... United States GOOGLE-GoogleIncUS unknown unknown unknown Static File Info No static file info Network Behavior TCP Packets Timestamp Port Dest Port IP Dest IP Mar 22, :40: CET Copyright Joe Security LLC 201 Page 12 of 1

13 Timestamp Port Dest Port IP Dest IP Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Copyright Joe Security LLC 201 Page 13 of 1

14 Timestamp Port Dest Port IP Dest IP Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET UDP Packets Timestamp Port Dest Port IP Dest IP Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Copyright Joe Security LLC 201 Page 14 of 1

15 Timestamp Port Dest Port IP Dest IP Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Copyright Joe Security LLC 201 Page 15 of 1

16 Timestamp Port Dest Port IP Dest IP Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET Mar 22, :40: CET ICMP Packets Timestamp IP Dest IP Checksum Code Type Mar 22, :40: CET cfff (Port unreachable) Destination Unreachable DNS Queries Timestamp IP Dest IP Trans ID OP Code Name Type Class Mar 22, :40: CET x49ff Standard query (0) Mar 22, :40: CET x49ff Standard query (0) Mar 22, :40: CET x49ff Standard query (0) Mar 22, :40: CET x49ff Standard query (0) Mar 22, :40: CET x49ff Standard query (0) jamloop.zrbcn.pw A (IP address) jamloop.zrbcn.pw A (IP address) jamloop.zrbcn.pw A (IP address) jamloop.zrbcn.pw A (IP address) jamloop.zrbcn.pw A (IP address) IN (0x0001) IN (0x0001) IN (0x0001) IN (0x0001) IN (0x0001) DNS Answers Timestamp IP Dest IP Trans ID Replay Code Name CName Address Type Class Mar 22, x49ff No error (0) jamloop.zrbcn.pw A (IP address) IN (0x0001) 17:40: CET Mar 22, x49ff No error (0) jamloop.zrbcn.pw A (IP address) IN (0x0001) 17:40: CET Mar 22, x49ff No error (0) jamloop.zrbcn.pw A (IP address) IN (0x0001) 17:40: CET Mar 22, x49ff No error (0) jamloop.zrbcn.pw A (IP address) IN (0x0001) 17:40: CET Mar 22, x49ff No error (0) jamloop.zrbcn.pw A (IP address) IN (0x0001) 17:40: CET Code Manipulations Statistics Behavior Copyright Joe Security LLC 201 Page 16 of 1

17 iexplore.exe iexplore.exe Click to jump to process System Behavior Analysis iexplore.exe PID: 3764 Parent PID: 54 General Start time: 17:39:42 Start date: 22/03/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: '' -Embedding 0xd bytes CA1F703CD66567E132D2946FB55750 true C, C++ or other language File Activities File Path Access Attributes Options Completion Count File Path Completion Count File Path Offset Length Value Ascii Completion Count File Path Offset Length Completion Count Registry Activities Key Path Completion Count Key Path Name Type Data Completion Count Key Path Name Type Old Data New Data Completion Count Analysis iexplore.exe PID: 316 Parent PID: 3764 Copyright Joe Security LLC 201 Page 17 of 1

18 General Start time: 17:39:43 Start date: 22/03/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: '' SCODEF:3764 CREDAT: /prefetch:2 0xd bytes CA1F703CD66567E132D2946FB55750 true C, C++ or other language File Activities File Path Access Attributes Options Completion Count File Path Offset Length Value Ascii Completion Count File Path Offset Length Completion Count Registry Activities Key Path Name Type Old Data New Data Completion Count Disassembly Code Analysis Copyright Joe Security LLC 201 Page 1 of 1