ID: Sample Name: 9_outputBE69DAF.exe Cookbook: default.jbs Time: 17:52:22 Date: 08/02/2018 Version:

Transcription

1 ID: Sample Name: 9_outputBE69DAF.exe Cookbook: default.jbs Time: 17:52:22 Date: 0/02/201 Version:

2 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview Networking: Boot Survival: Persistence and Installation Behavior: Data Obfuscation: System Summary: Anti Debugging: Malware Analysis System Evasion: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshot Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info File Icon Static PE Info Entrypoint Preview Data Directories Sections Resources Imports Version Infos Possible Origin Copyright Joe Security LLC 201 Page 2 of 17

3 Network Behavior Code Manipulations Statistics Behavior System Behavior Analysis Process: 9_outputBE69DAF.exe PID: 3476 Parent PID: 32 File Activities File Created File Written Analysis Process: wscript.exe PID: 3552 Parent PID: 3476 File Activities Registry Activities Key Created Analysis Process: explorer.exe PID: 3600 Parent PID: 3172 File Activities File Created Analysis Process: explorer.exe PID: 362 Parent PID: 54 Registry Activities Analysis Process: wscript.exe PID: 3656 Parent PID: 362 File Activities Disassembly Code Analysis Copyright Joe Security LLC 201 Page 3 of 17

4 Analysis Report Overview Information Joe Sandbox Version: Analysis ID: Start time: 17:52:22 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 3m 56s light 9_outputBE69DAF.exe default.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 7 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: MAL HCA enabled EGA enabled HDC enabled mal52.winexe@7/2@0/0 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Adjust boot time Found application associated with file extension:.exe Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java,.Net, VB or Delphi, or parses a document) for: 9_outputBE69DAF.exe Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Copyright Joe Security LLC 201 Page 4 of 17

5 Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox Copyright Joe Security LLC 201 Page 5 of 17

6 Signature Overview Networking Boot Survival Persistence and Installation Behavior Data Obfuscation System Summary Anti Debugging Malware Analysis System Evasion Hooking and other Techniques for Hiding and Protection Language, Device and Operating System Detection Click to jump to signature section Networking: Urls found in memory or binary data Boot Survival: Creates an autostart registry key Creates autostart registry keys with suspicious values (likely registry only malware) Persistence and Installation Behavior: Drops PE files May use bcdedit to modify the Windows boot settings Data Obfuscation: PE file contains an invalid checksum System Summary: Found graphical window changes (likely an installer) Classification label Creates temporary files Executes visual basic scripts Launches a second explorer.exe instance PE file has an executable.text section and no other executable section Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic) Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server PE file contains strange resources Sample file is different than original file name gathered from version info Sample reads its own file content Potential malicious VBS script found (suspicious strings) Suspicious javascript / visual basic script found (invalid extension) Anti Debugging: Copyright Joe Security LLC 201 Page 6 of 17

7 Checks for debuggers (devices) Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) Malware Analysis System Evasion: Found WSH timer for Javascript or VBS script (likely evasive script) Found dropped PE file which has not been started or loaded May sleep (evasive loops) to hinder dynamic analysis Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Language, Device and Operating System Detection: Queries the cryptographic machine GUID Behavior Graph Behavior Graph Legend: ID: Process Sample: 9_outputBE69DAF.exe Startdate: 0/02/201 Architecture: WINDOWS Score: 52 Signature Created File DNS/IP Info Is Dropped Hide Legend Suspicious javascript / visual basic script found (invalid extension) started Is Windows Process Number of created Registry Values started started Number of created Files Visual Basic 9_outputBE69DAF.exe explorer.exe Delphi Java explorer.exe 4 2.Net C# or VB.NET 1 dropped dropped C, C++ or other language Is malicious C:\Users\user\AppData\Local\...\filename.vbs, ASCII C:\Users\user\AppData\Local\...\filename.exe, PE32 started started Potential malicious VBS script found (suspicious strings) Suspicious javascript / visual basic script found (invalid extension) wscript.exe wscript.exe Creates autostart registry keys with suspicious values (likely registry only malware) Simulations Behavior and APIs Copyright Joe Security LLC 201 Page 7 of 17

8 Time Type Description 17:52:40 API Interceptor 5x Sleep call for process: explorer.exe modified from: 60000ms to: 100ms 17:52:40 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Registry Key Name C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs Antivirus Detection Initial Sample No Antivirus matches Dropped Files No Antivirus matches Domains No Antivirus matches Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Copyright Joe Security LLC 201 Page of 17

9 Dropped Files No context Screenshot Startup System is w7 9_outputBE69DAF.exe (PID: 3476 cmdline: 'C:\Users\user\Desktop\9_outputBE69DAF.exe' MD5: 3B6FBDB DC69E12D95BAC45F7C) wscript.exe (PID: 3552 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs' MD5: 979D74799EA6CB769A6DF5204A) explorer.exe (PID: 3600 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs MD5: 6DDCA324434FFA506CF7DC4E51DB7935) explorer.exe (PID: 362 cmdline: C:\Windows\explorer.exe /factory,{75dff2b c06-abb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935) wscript.exe (PID: 3656 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs' MD5: 979D74799EA6CB769A6DF5204A) cleanup Created / dropped Files C:\Users\user\AppData\Local\Temp\subfolder\filename.exe File Type: PE32 executable (GUI) Intel 036, for MS Windows Copyright Joe Security LLC 201 Page 9 of 17

10 C:\Users\user\AppData\Local\Temp\subfolder\filename.exe Size (bytes): Entropy (bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: Reputation: E417EB257639D6DCCEE0559C032A7 27D13E440F3B293C271C EC6DBFAF F4ACD D9B5BC5A61FF6BE25ABD24F21E1B95CEBA60721D36E DD71BA6E36774BFD372E B3EC43B7B DF1D1B7A24DEFB12C6ED0640ED96E5 F01D6BABBB704CB4175B0A6E63BD359 low C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs File Type: Size (bytes): 1024 ASCII text, with CRLF line terminators Entropy (bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: Reputation: B1DBF31CF926A246E9DF74291C5315 4F75FD774F21D496FBFE662E61EBC121E6ACF 7D992E3C4704D1960E7970D46F6EA7322EF76F34A A1EDCED5 472D26C1AB4AD3EE77D6CDE1D77B2DC5F4DC361BE DCAC122D7AF199C1425B4A110BFD4F4FF2D 01A3DE53E31D0CA1D19B937DD1175E4A712B42 true low Contacted Domains/Contacted IPs Contacted Domains No contacted domains info Contacted IPs No contacted IP infos Static File Info File type: Entropy (bit): PE32 executable (GUI) Intel 036, for MS Windows TrID: Win32 Executable (generic) a ( /4) 99.15% Win32 Executable Microsoft Visual Basic 6 (2127/2) 0.1% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00% File name: File size: MD5: SHA1: SHA256: SHA512: File Content Preview: 9_outputBE69DAF.exe 3b6fbdb dc69e12d95bac45f7c 2bf7930a564d5a1f945bfd2c6c6d6c42b10cf 9ff995c45b1feaeaf7f5b4f0a2ea31d62527fa46ec419a 4af9b e 1b409ac2ca2914fbf74d31b65ceb0519bfe64d71a49a 9ba2dded5bcd1b46960fdbb1cd949657f535a5b0b4b4 656f503396a1e64242a231c91ea3722a MZ...@...!..L.!Th is program cannot be run in DOS mode...$...o......d...=...rich...pe..l...6 Z......@... File Icon Copyright Joe Security LLC 201 Page 10 of 17

11 Static PE Info Entrypoint: Entrypoint Section: Digitally signed: Imagebase: Subsystem: Image File Characteristics: DLL Characteristics: Time Stamp: TLS Callbacks: CLR (.Net) Version: OS Version Major: 4 OS Version Minor: 0 File Version Major: 4 File Version Minor: 0 Subsystem Version Major: 4 Subsystem Version Minor: 0 Import Hash: 0x4012d0.text 0x windows gui LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED 0x5A7C36AA [Thu Feb 11:3:1 201 UTC] 90d6aa543a60ad1d35f757ade Entrypoint Preview Instruction push Ch call 00007FC69F50CB5h xor byte ptr [eax], al inc eax add byte ptr [esi], dl inc esp fcom qword ptr [ebx+4db4671ah] test eax, 1BAEAFFh cmp ebx, dword ptr [edx h] add byte ptr [ecx], al add byte ptr [edx], ah inc edi je 00007FC69F50D37h dec ebx imul ebp, dword ptr [esp+61h], 36736C6Ch add byte ptr [eax+ecx*2+65h], dh imul esp, dword ptr [edi+6h], h dec esp xor dword ptr [eax], eax add byte ptr [edx-5fh], bh Data Directories Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IMPORT 0xdbfc4 0x2.text IMAGE_DIRECTORY_ENTRY_RESOURCE 0xdf000 0x6736.rsrc IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0 Copyright Joe Security LLC 201 Page 11 of 17

12 Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0 IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x22 0x20 IMAGE_DIRECTORY_ENTRY_IAT 0x1000 0x104.text IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0 Sections Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics.text 0x1000 0xdb444 0xdc000 False data IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ.data 0xdd000 0x1320 0x1000 False data 0.0 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ.rsrc 0xdf000 0x6736 0x7000 False data IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_READ Resources Name RVA Size Type Language Country RT_ICON 0xe50ce 0x66 dbase IV DBT of `.DBF, blocks size 4, block length 1536, next free block index 40, 1st item "\0027'#\210\210\210\202s#cc&:z*z2#=7\270&5\002\2 10\210\210\210\210\270\210\210\210\210\202:r67''\262 62\2133 r(\210\210\277\277\210\210\270\210\2702zzj" RT_ICON 0xe4de6 0x2e data RT_ICON 0xe4c3e 0x1a data RT_ICON 0xe4b 0x12 GLS_BINARY_LSB_FIRST RT_ICON 0xe3c6e 0xea data RT_ICON 0xe33c6 0xa data RT_ICON 0xe2dbe 0x60 data RT_ICON 0xe256 0x56 GLS_BINARY_LSB_FIRST RT_ICON 0xe0bae 0x1ca data RT_ICON 0xdff06 0xca data RT_ICON 0xdf9de 0x52 data RT_ICON 0xdf676 0x36 GLS_BINARY_LSB_FIRST RT_GROUP_ICON 0xdf5c 0xae MS Windows icon resource - 12 icons, 4x4, - colors RT_VERSION 0xdf300 0x2c data English United States Imports DLL MSVBVM60.DLL Import _CIcos, _adj_fptan, vbavarmove, vbastri4, vbafreevar, vbalenbstr, vbastrvarmove, vbafreevarlist, _adj_fdiv_m64, vbafpcdblr, vbafreeobjlist, _adj_fprem1, vbasetsystemerror, vbahresultcheckobj, _adj_fdiv_m32, vbaonerror, _adj_fdiv_mi, _adj_fdivr_mi, _CIsin, vbachkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, vbalateidcallld, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, vbaexcepthandler, _adj_fprem, _adj_fdivr_m64, vbafpexception, _CIlog, vbaerroroverflow, vbarstr, vbanew2, _adj_fdiv_m32i, _adj_fdivr_m32i, vbastrcopy, vbai4str, _adj_fdivr_m32, _adj_fdiv_r, vbai4var, vbavardup, vbar4sgn, _CIatan, vbastrmove, vbarinti4, _allmul, _CItan, _CIexp, vbafreeobj, vbafreestr Version Infos Description Translation InternalName Data 0x0409 0x04b0 Poster6 FileVersion 1.00 CompanyName LegalTrademarks ProductName techsmith corporation breakpoint software gnstallc, LLe ProductVersion 1.00 FileDescription toshiyuki masui Copyright Joe Security LLC 201 Page 12 of 17

13 Description Data OriginalFilename Poster6.exe Possible Origin Language of compilation system Country where language is spoken Map English United States Network Behavior No network behavior found Code Manipulations Statistics Behavior 9_outputBE69DAF.exe wscript.exe explorer.exe explorer.exe wscript.exe Click to jump to process System Behavior Analysis Process: 9_outputBE69DAF.exe PID: 3476 Parent PID: 32 Start time: 17:52:25 Start date: 0/02/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: C:\Users\user\Desktop\9_outputBE69DAF.exe 'C:\Users\user\Desktop\9_outputBE69DAF.exe' 0x bytes Copyright Joe Security LLC 201 Page 13 of 17

14 MD5 hash: Programmed in: Reputation: 3B6FBDB DC69E12D95BAC45F7C Visual Basic low File Activities File Created File Path Access Attributes Options Completion Count C:\Users\user\AppData\Local\Temp\subfolder C:\Users\user\AppData\Local\Temp\subfolder\filename.exe C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs read data or list directory and synchronize read attributes and synchroniz e and generic write read attributes and synchroniz e normal none none directory file and synchronous io non alert and open for backup ident and open reparse point success or wait SHCreateDirectoryExW synchronous io non alert and n on directory file synchronous io non alert and n on directory file success or wait CreateFileW success or wait A43 CreateFileW File Written File Path Offset Length Value Ascii Completion Count C:\Users\user\AppData\Local\Temp\subfolder\filename.exe unknown d 5a ff ff b b e 1f ba 0e 00 b4 09 cd 21 b 01 4c cd f d e 6e 6f e e f d 6f e 0d 0d 0a f ad a0 db 0b cc ce 0b cc ce 0b cc ce d0 c0 0a cc ce 44 ee c7 0 cc ce 3d ea c3 0a cc ce b cc ce c ab 36 7c 5a e0 00 0f 01 0b c0 0d d d0 0d MZ...@ !..L.!This program cannot be run in DOS mode... $...O.....D...=...Rich......PE..L...6 Z......@.... success or wait AB WriteFile Copyright Joe Security LLC 201 Page 14 of 17

15 File Path Offset Length Value Ascii Completion Count C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs unknown f 6e f 72 On Error Resume d e d 0a c 6c 20 3d f 62 6a e c 6c d 0a 6d 79 4b d b c 53 6f c 4d Next..Set WshShell = CreateObject("Wscr ipt.shell")..mykey = "HKCU\Sof tware\microsoft\windows\ Curren tversion\runonce\registr y Key Name"..WshShell.RegWrit e mykey,"c:\users\user\appdata\l ocal\ f 73 6f Temp\subfolder\filename.v 5c e 64 6f 77 bs","reg_sz"..wshs 73 5c e f 6e 5c e 4f 6e c b e 61 6d d 0a c 6c 2e d 79 4b c a 5c c d c 6c 5c c 4c 6f c 5c d 70 5c f 6c c c 65 6e 61 6d 65 2e c f 53 5a 22 0d 0a success or wait C6A WriteFile Analysis Process: wscript.exe PID: 3552 Parent PID: 3476 Start time: 17:52:39 Start date: 0/02/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: Reputation: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs' 0x bytes 979D74799EA6CB769A6DF5204A C, C++ or other language high File Activities File Path Access Attributes Options Completion Count Registry Activities Key Created Key Path Completion Count HKEY_USERS\Software\Microsoft\Windows script Host success or wait RegCreateKeyExW HKEY_USERS\Software\Microsoft\Windows script Host\Settings success or wait RegCreateKeyExW Key Path Name Type Data Completion Count Copyright Joe Security LLC 201 Page 15 of 17

16 Analysis Process: explorer.exe PID: 3600 Parent PID: 3172 Start time: 17:52:40 Start date: 0/02/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: Reputation: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs 0xd bytes 6DDCA324434FFA506CF7DC4E51DB7935 C, C++ or other language high File Activities File Created File Path Access Attributes Options Completion Count C:\Users\user\AppData\Local\Microsoft\Windows\Caches read data or list directory and synchronize normal directory file and object name collision 1 DCD72 ILCreateFromPathW synchronous io non alert and open for backup ident and open reparse point Analysis Process: explorer.exe PID: 362 Parent PID: 54 Start time: 17:52:40 Start date: 0/02/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: Reputation: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b c06-abb-676a7b00b24b} -Embedding 0xd bytes 6DDCA324434FFA506CF7DC4E51DB7935 C, C++ or other language high Registry Activities Key Path Completion Count Key Path Name Type Data Completion Count Analysis Process: wscript.exe PID: 3656 Parent PID: 362 Start time: 17:52:41 Start date: 0/02/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs' 0x bytes Copyright Joe Security LLC 201 Page of 17

17 MD5 hash: Programmed in: Reputation: 979D74799EA6CB769A6DF5204A C, C++ or other language high File Activities File Path Access Attributes Options Completion Count Disassembly Code Analysis Copyright Joe Security LLC 201 Page 17 of 17