ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date:

Transcription

1 ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: 05/10/201 Version: Fire Opal

2 Table of Contents Table of Contents Analysis Report Commercial Card Services CTO Quality Control Checklist v9.docm Overview Information Detection Confidence Classification Analysis Advice Signature Overview Networking: System Summary: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Thumbnails Startup Created / dropped Files Domains and IPs Contacted Domains Contacted IPs Static File Info File Icon Static OLE Info OLE File "word/vbaproject.bin" Indicators Streams with VBA VBA File Name: ThisDocument.cls, Stream Size: 24 VBA Code Keywords VBA Code Streams Stream Path: PROJECT, ASCII text, with CRLF line terminators, Stream Size: 43 Stream Path: PROJECTwm,, Stream Size: 41 Stream Path: VBA/_VBA_PROJECT,, Stream Size: 2920 Stream Path: VBA/dir,, Stream Size: Copyright Joe Security LLC 201 Page 2 of 15

3 Network Behavior Code Manipulations Statistics System Behavior Analysis WINWORD.EXE PID: 326 Parent PID: 3064 File Activities File Read Registry Activities Disassembly Copyright Joe Security LLC 201 Page 3 of 15

4 Analysis Report Commercial Card Services CTO Quality Control Checklist v9.docm Overview Information Joe Sandbox Version: Analysis ID: Fire Opal Start date: Start time: 15:52:31 Joe Sandbox Product: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: CloudBasic 0h 2m 51s light Commercial Card Services CTO Quality Control Checklist v9.docm defaultwindowsofficecookbook.jbs Analysis system description: Windows SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 1, Flash 26, Java ) Number of analysed new started processes analysed: 2 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Cookbook Comments: Warnings: EGA enabled HDC enabled GSI enabled (VBA) Timeout CLEAN clean2.windocm@1/9@0/0 Adjust boot time Found application associated with file extension:.docm Found Word or Excel or PowerPoint or XPS Viewer Simulate clicks Number of clicks 9 Scroll down Close Viewer Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Copyright Joe Security LLC 201 Page 4 of 15

5 Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice No malicious behavior found, analyze the document also on other version of Office / Acrobat Copyright Joe Security LLC 201 Page 5 of 15

6 Signature Overview Networking System Summary Hooking and other Techniques for Hiding and Protection Click to jump to signature section Networking: Downloads files System Summary: Document contains embedded VBA macros Document contains no OLE stream with summary information Document has an unknown application name Document misses a certain OLE stream usually present in this Microsoft Office document type Classification label Creates files inside the user directory Creates temporary files Document contains summary information with irregular field values Reads ini files Found graphical window changes (likely an installer) Checks if Microsoft Office is installed Uses new MSVCR Dlls Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Behavior Graph Copyright Joe Security LLC 201 Page 6 of 15

7 Hide Legend Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Behavior Graph ID: 244 Sample: Commercial Card Services CTO Quality Control Checklist v9.docm Startdate: 05/10/201 Architecture: WINDOWS Score: 2 started Number of created Registry Values Number of created Files Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious WINWORD.EXE 5 2 Simulations Behavior and APIs Time Type Description 15:52:41 API Interceptor 3x Sleep call for process: WINWORD.EXE modified Antivirus Detection Initial Sample No Antivirus matches Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains No Antivirus matches URLs Copyright Joe Security LLC 201 Page of 15

8 No Antivirus matches Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright Joe Security LLC 201 Page of 15

9 Startup System is w WINWORD.EXE (PID: 326 cmdline: 'C:\Program Files\Microsoft Office\Office\WINWORD.EXE' /n 'C:\Users\user\Desktop\Commercial Card Services CTO Quality Control Ch ecklist v9.docm 5D9FF0BE2A90D ACFD9D) cleanup Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\mso33E.tmp C:\Program Files\Microsoft Office\Office\WINWORD.EXE GIF image, version 9a, 15 x 15 Size (bytes): 663 Entropy (bit): ED3C1C40B6BA4F40DB15529D5443DEC 31AF99BB64A0461E0A42EA956F9E0E0BCCA 039FE9B4E6D3D561E32D4AF50E6CA0DB6BB395BE2BF2B9E609A Copyright Joe Security LLC 201 Page 9 of 15

10 C:\Users\HERBBL~1\AppData\Local\Temp\mso33E.tmp SHA-5: CB65B9AFBB910B664DBC5C5064ED96A262ED5DFFAB34D1EDBCD01E0004F230D420F2BD9CEE9 00D9D5FBADC5CB46DA4BC43293BAA041 moderate, very likely benign file C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E5BA9.png Size (bytes): 50 Entropy (bit): SHA-5: C:\Program Files\Microsoft Office\Office\WINWORD.EXE PNG image, 599 x 34, -bit colormap, non-interlaced B43BA6BEEECD430C2FF63FAE0 AD402F03E00F4D53016CFDE4B65444 ED4FDC3C5F42EDF1EFB3CFFFC1F1B56FB9E099B6D9F64B9E46F3C6DA 44D94FC30AC921BB5B54D30A235CAD050EBD3EC11629D2BE42C15294C41B39C06D AEF 2CA5B64A50F06CDC21FC2C9E2DE40E52E low C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6CACC2AB-B6B-401-AE6-A1E1EA651EA}.tmp C:\Program Files\Microsoft Office\Office\WINWORD.EXE Size (bytes): 1536 Entropy (bit): SHA-5: 441BB5B19EA3E494AEC31C109 F0B9FA1CE41F5C923FCB5D6DE429EDB95F 5ABEF9F62DD2CD CC66CAB4DD95AD05FEDAD5FA9F 2B40F2ED5F56C6C11C065B409ECB21E0F0BB6569FD3D46942BEB6B9409B39010AC49256E3AFB 52366ED36F34CBBBF1E95F6FC935 low C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6F0AD6BE-DDA-45E3-A6F-2CF3B2C4}.tmp C:\Program Files\Microsoft Office\Office\WINWORD.EXE Size (bytes): 1 Entropy (bit): SHA-5: 6E1C1A0CEA0C6E409CD5CB9663F0FCD 0D1BB9F230935A2A5A1CC1DA25CB5B1B0BFE5 6D2AE6DE6CCE22B0C9B51D195F33A EF4F50E6FC4F5FB91 942EC10190DF2F500640FC6D5A165FDE05EBF225B1B556C69194FC06FB19E9B3C63235FE6 E1AB0AE5B5A30436ADCADEF2D0A62039 low C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EF44C25-DC5B-4CB-ACD AC331}.tmp C:\Program Files\Microsoft Office\Office\WINWORD.EXE Size (bytes): 1024 Entropy (bit): SHA-5: 5D4D94EEE06BBB0AF B23A DBB1119C04F116EFAE241DD3E6E C0D60AF4D3343CA6460B0006AA2CEDBCCC4D432055D99CC5FD1 95F3AE4CAFCCED5EAF C34D5F910E5CA2D116690F2FBECCB25F9CF50BBFC22BD5E1A66A 1B3F09E1C54AFDA519624BC2BB2F2BA4 high, very likely benign file C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Commercial Card Services CTO Quality Control Checklist v9.lnk C:\Program Files\Microsoft Office\Office\WINWORD.EXE MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=sun Sep :59:2 201, mtime=sun Sep 24 :59:2 201, atime=fri Oct 5 :52:39 201, length=4194, window=hide Size (bytes): 250 Copyright Joe Security LLC 201 Page 10 of 15

11 C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Commercial Card Services CTO Quality Control Checklist v9.lnk Entropy (bit): SHA-5: F4FB00D0261D521EFE64ABB425 61E0AD35B5B335E9D601B3CAAACC0F00C C51FDB3C4F1F9AE0C24ADCEC4A63092A6A6E49ADAA6 6A952C2D4462CE1EB006C35536C2F94EBC6F FBF93419CAF99D693CE6DFCDF9A2E06D AB62D30290EA5E396B9E9A5055CE2690B low C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Size (bytes): 211 C:\Program Files\Microsoft Office\Office\WINWORD.EXE ASCII text, with CRLF line terminators Entropy (bit): SHA-5: 62FD5095EAF56FA35DA D1DBF900D9E62D B54FDF6C5 D4FACEEBAD605EF3CB02ED2461DDA6EEBC6DE6C023EAFCD09CD E FAD96D26405D35CC6E4F4A630B4D5FECBF5ACDE095F36ECB6F24FE39DD2FD2D1 C9FD10F0C966610B46B0D439FCFA50FF4E low C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm C:\Program Files\Microsoft Office\Office\WINWORD.EXE Size (bytes): 162 Entropy (bit): SHA-5: FF291ADF1F426EE3AA31EA36ADEC1C 9E64BCB59C91D0C9B02D3ECD04239B5C5 0B022FEFDA6C2FEEA4C0B236E6FF5EA90DFF2CE43ED44CD5FB4AE36 A4CCFF54304DBB444FFFEF002A3DEB66CBEE D30BCED4EA4D346645E1F5B6F6BAADB1E F96116F900B61F951B5FCC39BABB319C5A2 high, very likely benign file C:\Users\user\Desktop\~$mmercial Card Services CTO Quality Control Checklist v9.docm C:\Program Files\Microsoft Office\Office\WINWORD.EXE Size (bytes): 162 Entropy (bit): SHA-5: FF291ADF1F426EE3AA31EA36ADEC1C 9E64BCB59C91D0C9B02D3ECD04239B5C5 0B022FEFDA6C2FEEA4C0B236E6FF5EA90DFF2CE43ED44CD5FB4AE36 A4CCFF54304DBB444FFFEF002A3DEB66CBEE D30BCED4EA4D346645E1F5B6F6BAADB1E F96116F900B61F951B5FCC39BABB319C5A2 high, very likely benign file Domains and IPs Contacted Domains No contacted domains info Contacted IPs No contacted IP infos Copyright Joe Security LLC 201 Page 11 of 15

12 Static File Info File type: Microsoft Word 200+ Entropy (bit): TrID: File name: File size: 5605 SHA256: SHA5: Word Microsoft Office Open XML Format document with Macro (52004/1) 53.61% Word Microsoft Office Open XML Format document (41004/1) 42.2% ZIP compressed archive (4004/1) 4.% Commercial Card Services CTO Quality Control Checklist v9.docm 1c694b5dbe91fec43b2c0e553 1c011ba6cd09e6e45ea93ba302d34af25e9bf963 db621b93a22350ceb225bd392d15cb246d42ca245d 3cbd5d22e0b1f2de 4abde1f499f421e50da2334d334e2bc4acb0624d 1c2f152cddc1194e05afb540b160ffdfe3cfb96e2302 c34ca65111ec2a4696a6fed0cc4d2bd File Content Preview: PK...!..G...[Content_Types].xml...( File Icon Static OLE Info Document Type: OpenXML Number of OLE Files: 1 OLE File "word/vbaproject.bin" Indicators Has Summary Info: Application Name: unknown Encrypted Document: Contains Word Document Stream: Contains Workbook/Book Stream: Contains PowerPoint Document Stream: Contains Visio Document Stream: Contains ObjectPool Stream: Flash Objects Count: 0 Contains VBA Macros: True Streams with VBA VBA File Name: ThisDocument.cls, Stream Size: 24 Stream Path: VBA File Name: Stream Size: 24 VBA/ThisDocument ThisDocument.cls Data ASCII: ] ^ *. S.. # L A.. G t O. s 6. a G. X +.,. } x M E Data Raw: ce e ff ff ff ff d d b1 a2 da 5e ff ff a b6 00 ff ff ff ff ff ff ff ff ff ff ff ff a e e 23 4c 41 b d3 02 1c b6 ab d2 d ba d3 b1 d6 4 4f a e 61 e6 f VBA Code Keywords Copyright Joe Security LLC 201 Page of 15

13 Keyword Private VB_Exposed Attribute VB_Creatable VB_Name VB_PredeclaredId VB_GlobalNameSpace VB_Base VB_Customizable VB_TemplateDerived "ThisDocument" VBA Code Streams Stream Path: PROJECT, ASCII text, with CRLF line terminators, Stream Size: 43 Stream Path: Stream Size: 43 PROJECT Entropy: Base64 Encoded: Data ASCII: ASCII text, with CRLF line terminators True I D = " { F 2 D F 6 D E 4 - A 3-4 E 0 - B 2 1 F - C A 1 E E F } ".. D o c u m e n t = T h i s D o c u m e n t / & H N a m e = " P r o j e c t ".. H e l p C o n t e x t I D = " 0 ".. V e r s i o n C o m p a t i b l e 3 2 = " ".. C M G = " ".. D P B = " 4 A C D D 9 1 ".. G C = " ".... [ H o s t E x t e n d e r I n f o ].. & H 0 0 Data Raw: d 22 b d d d d d 22 0d 0a 44 6f d 65 6e 4 3d f d 65 6e 4 2f d 0a 4e 61 6d 65 3d f 6a d 0a c f 6e d d 0a f 6e 43 6f 6d Stream Path: PROJECTwm,, Stream Size: 41 Stream Path: Stream Size: 41 PROJECTwm Entropy: Base64 Encoded: Data ASCII: T h i s D o c u m e n t. T. h. i. s. D. o. c. u. m. e. n. t..... Data Raw: f d 65 6e f d e Stream Path: VBA/_VBA_PROJECT,, Stream Size: 2920 Stream Path: Stream Size: 2920 VBA/_VBA_PROJECT Entropy: Base64 Encoded: Data ASCII:. a *. \\. G. { E. F C }. # #. 9. #. C. :. \\. P. R. O. G. R. A. ~. 2. \\. C. O. M. M. O. N. ~. 1. \\. M. I. C. R. O. S. ~. 1. \\. V. B. A. \\. V. B. A.. \\. V. B. E.... D. L. L. #. V. i. s. u. a. l.. B. a. s. i. c.. F. Data Raw: cc ff e fa 00 2a 00 5c b d d d d d e Stream Path: VBA/dir,, Stream Size: 2 Copyright Joe Security LLC 201 Page of 15

14 Stream Path: Stream Size: 2 VBA/dir Entropy: Base64 Encoded: Data ASCII: *..... p.. H..... d P r o j e c t. Q. =..... l q < ].... J. <..... r s t d. o l e >.. s. t.. d. o. l. e P... h. % ^.. *. \\ G { C } # # 0 # C :. \\ W i n d o w s. \\ S y s W O W 6. 4 \\. e 2. t l b. # O L E A u t. o m a t i o n. `.... E N o r m a l.. E N. C r. m. a Q. F *. \\ C.... l ` < ]. Data Raw: True 01 0a b a e c f 6a d ad 02 0a c d6 1 3c 5d 0e 00 0c 02 4a 3c 02 0a f 6c 65 3e f 00 6c d e a 00 5c 4 b Network Behavior No network behavior found Code Manipulations Statistics System Behavior Analysis WINWORD.EXE PID: 326 Parent PID: 3064 Start time: 15:52:41 Start date: 05/10/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: C:\Program Files\Microsoft Office\Office\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office\WINWORD.EXE' /n 'C:\Users\user\Deskt op\commercial Card Services CTO Quality Control Checklist v9.docm 0x2f bytes 5D9FF0BE2A90D ACFD9D true C, C++ or other language high File Activities File Path Access Attributes Options Completion Count Address Symbol File Path Completion Count Address Symbol Old File Path New File Path Completion Count Address Symbol Copyright Joe Security LLC 201 Page of 15

15 File Path Offset Length Value Ascii Completion Count Address Symbol File Read File Path Offset Length Completion Count Address C:\Windows\Fonts\StaticCache.dat unknown 60 success or wait 1 5FEC341 ReadFile Symbol Registry Activities Key Path Completion Count Address Symbol Key Path Name Type Data Completion Count Address Symbol Key Path Name Type Old Data New Data Completion Count Address Symbol Disassembly Copyright Joe Security LLC 201 Page 15 of 15