ID: Sample Name: 13_outputD50AA6F.exe Cookbook: default.jbs Time: 21:05:14 Date: 21/04/2018 Version:

Transcription

1 ID: Sample Name: 13_outputD50AA6F.exe Cookbook: default.jbs Time: 21:05:14 Date: 21/04/201 Version:

2 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview Boot Survival: Persistence and Installation Behavior: Data Obfuscation: System Summary: Anti Debugging: Malware Analysis System Evasion: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info File Icon Static PE Info Entrypoint Preview Data Directories Sections Resources Imports Version Infos Possible Origin Copyright Joe Security LLC 201 Page 2 of 16

3 Network Behavior Code Manipulations Statistics Behavior System Behavior Analysis Process: 13_outputD50AA6F.exe PID: 3416 Parent PID: 3024 File Created File Written File Read Analysis Process: wscript.exe PID: 3476 Parent PID: 3416 Registry Activities Analysis Process: explorer.exe PID: 350 Parent PID: 2996 File Created Analysis Process: explorer.exe PID: 3536 Parent PID: 54 Registry Activities Analysis Process: wscript.exe PID: 3564 Parent PID: 3536 Disassembly Code Analysis Copyright Joe Security LLC 201 Page 3 of 16

4 Analysis Report Overview Information Joe Sandbox Version: Analysis ID: Start time: 21:05:14 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 2m 12s light 13_outputD50AA6F.exe default.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 6 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: HCA enabled EGA enabled HDC enabled Timeout MAL mal4.winexe@7/2@0/0 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Failed Failed Adjust boot time Correcting counters for adjusted boot time Adjusted system time to: 21/4/201 Found application associated with file extension:.exe Stop behavior analysis, all processes terminated Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java,.Net, VB or Delphi, or parses a document) for: 13_outputD50AA6F.exe Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Copyright Joe Security LLC 201 Page 4 of 16

5 Confidence Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Copyright Joe Security LLC 201 Page 5 of 16

6 Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox Signature Overview Boot Survival Persistence and Installation Behavior Data Obfuscation System Summary Anti Debugging Malware Analysis System Evasion Hooking and other Techniques for Hiding and Protection Language, Device and Operating System Detection Click to jump to signature section Boot Survival: Creates autostart registry keys with suspicious values (likely registry only malware) Creates an autostart registry key Persistence and Installation Behavior: Drops PE files May use bcdedit to modify the Windows boot settings Data Obfuscation: PE file contains an invalid checksum Binary may include packed or encrypted code System Summary: Potential malicious VBS script found (suspicious strings) Sample file is different than original file name gathered from version info Sample reads its own file content PE file has an executable.text section which is very likely to contain packed code (zlib compression ratio < 0.3) Classification label Creates temporary files Executes visual basic scripts Launches a second explorer.exe instance PE file has an executable.text section and no other executable section Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic) Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Anti Debugging: Copyright Joe Security LLC 201 Page 6 of 16

7 Checks for debuggers (devices) Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) Malware Analysis System Evasion: Found WSH timer for Javascript or VBS script (likely evasive script) Found dropped PE file which has not been started or loaded May sleep (evasive loops) to hinder dynamic analysis Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Language, Device and Operating System Detection: Queries the cryptographic machine GUID Behavior Graph Hide Legend Legend: Behavior Graph Process ID: Signature Sample: 13_outputD50AA6F.exe Created File Startdate: 21/04/201 DNS/IP Info Architecture: WINDOWS Is Dropped Score: 4 Is Windows Process started Number started of created started Registry Values 13_outputD50AA6F.exe 5 Number of created Files explorer.exe explorer.exe Visual Basic Delphi 2 Java 1 dropped dropped.net C# or VB.NET C:\Users\user\AppData\Local\...\filename.vbs, ASCII C:\Users\user\AppData\Local\...\filename.exe, PE32 C, C++ or other language Is malicious started started Potential malicious VBS script found (suspicious strings) wscript.exe wscript.exe Creates autostart registry keys with suspicious values (likely registry only malware) Simulations Behavior and APIs Time Type Description 21:06:10 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Registry Key Name C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs Copyright Joe Security LLC 201 Page 7 of 16

8 Antivirus Detection Initial Sample No Antivirus matches Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains No Antivirus matches Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Copyright Joe Security LLC 201 Page of 16

9 Dropped Files No context Screenshots Startup System is w7 13_outputD50AA6F.exe (PID: 3416 cmdline: 'C:\Users\user\Desktop\13_outputD50AA6F.exe' MD5: DC35F511473CB32023F523AB7BBF3CC) wscript.exe (PID: 3476 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs' MD5: 979D74799EA6CB16769A6DF5204A) explorer.exe (PID: 350 cmdline: explorer.exe C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs MD5: 6DDCA324434FFA506CF7DC4E51DB7935) explorer.exe (PID: 3536 cmdline: C:\Windows\explorer.exe /factory,{75dff2b c06-abb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935) wscript.exe (PID: 3564 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs' MD5: 979D74799EA6CB16769A6DF5204A) cleanup Created / dropped Files C:\Users\user\AppData\Local\Temp\subfolder\filename.exe Process: C:\Users\user\Desktop\13_outputD50AA6F.exe Copyright Joe Security LLC 201 Page 9 of 16

10 C:\Users\user\AppData\Local\Temp\subfolder\filename.exe File Type: Size (bytes): Entropy (bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: Reputation: PE32 executable (GUI) Intel 036, for MS Windows CAF56BC C97E5034DCD 324FF7F4490E9BA4C4166BC70E0A5E06ED 9F3BE306DC2DDDAE50046A31D2CACF606D5A9475E D312EC4C674A5 1B42D46A6F1220C412911C24A41AC7633B6C4037BFEDEE BD50924B60C DA7FD22ABA BE22A6A4F9C345719BFF3AE025A4E9F3D low C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs Process: File Type: Size (bytes): 1024 C:\Users\user\Desktop\13_outputD50AA6F.exe ASCII text, with CRLF line terminators Entropy (bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: Reputation: 65F C39513B6367C2DFAC6 7A65014A39D0265AD027A9D0027E2DF34E94FF D90F712B75EA6DF994B79CBD1CEE62201F67EC9DDD B76 DEF70F9ACBF3D4EEF2E1FC F59EADAAD11BA6F10A D54CB4342E1BA72047B6646D1F59 C377EEB2A7D77EF56BB757F9C04C4CF390C true low Contacted Domains/Contacted IPs Contacted Domains No contacted domains info Contacted IPs No contacted IP infos Static File Info File type: Entropy (bit): PE32 executable (GUI) Intel 036, for MS Windows TrID: Win32 Executable (generic) a ( /4) 99.% Win32 Executable Microsoft Visual Basic 6 (2127/2) 0.1% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00% File name: File size: MD5: SHA1: SHA256: SHA512: File Content Preview: 13_outputD50AA6F.exe dc35f511473cb32023f523ab7bbf3cc ee9a6cb6efbeafa5f39c0ca50e3bf7672e20 677ad32e5475e3bc49306ca7e22c9d511761ad055 bb1d572dbba5a5b7b dfdf67eee9f93a6abe67f0307b602ffa29cab9da6c62f e1dabd706fc e6f496def4e14d1d7634 c9d b1fa163aa600651cd090 MZ...@...!..L.!Th is program cannot be run in DOS mode...$...u ~ rich1...pe..l...z......p......@... Copyright Joe Security LLC 201 Page 10 of 16

11 File Icon Static PE Info Entrypoint: Entrypoint Section: Digitally signed: Imagebase: Subsystem: Image File Characteristics: DLL Characteristics: Time Stamp: TLS Callbacks: CLR (.Net) Version: OS Version Major: 4 OS Version Minor: 0 File Version Major: 4 File Version Minor: 0 Subsystem Version Major: 4 Subsystem Version Minor: 0 Import Hash: 0x text 0x windows gui LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED 0x5AD9F0A4 [Fri Apr 20 13:52: UTC] 4a9212eab420662d d7226 Entrypoint Preview Instruction push 0049DFDh call 00007F6022C2525h add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al xor byte ptr [eax], al add byte ptr [eax], al cmp byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al add byte ptr [eax], al Data Directories Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IMPORT 0xa0d94 0x2.text IMAGE_DIRECTORY_ENTRY_RESOURCE 0xa3000 0x511.rsrc IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0 IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0 IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x22 0x20 IMAGE_DIRECTORY_ENTRY_IAT 0x1000 0xa4.text IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0 Sections Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics Copyright Joe Security LLC 201 Page 11 of 16

12 Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics.text 0x1000 0xa00c0 0xa1000 False data IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ.data 0xa2000 0xa 0x1000 False data 0.0 IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ.rsrc 0xa3000 0x511 0x6000 False data IMAGE_SCN_CNT_INITIALIZED_DA TA, IMAGE_SCN_MEM_READ Resources Name RVA Size Type Language Country RT_ICON 0xa7ab0 0x66 dbase IV DBT of `.DBF, blocks size 4, block length 36, next free block index 40, 1st item "\003\273;;\263\263\263\2630" RT_ICON 0xa77c 0x2e data RT_ICON 0xa75e0 0x1e data RT_ICON 0xa673 0xea data RT_ICON 0xa5e90 0xa data RT_ICON 0xa41e 0x1ca data RT_ICON 0xa3540 0xca data RT_GROUP_ICON 0xa34d 0x6 MS Windows icon resource - 7 icons, 4x4, 16-colors RT_VERSION 0xa3210 0x2c data English United States Imports DLL MSVBVM60.DLL Import _CIcos, _adj_fptan, _adj_fdiv_m64, vbafreeobjlist, _adj_fprem1, vbasetsystemerror, vbahresultcheckobj, _adj_fdiv_m32, vbaonerror, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, vbachkstk, EVENT_SINK_AddRef, DllFunctionCall, _adj_fpatan, vbaredim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, vbaexcepthandler, _adj_fprem, _adj_fdivr_m64, vbafpexception, _CIlog, vbanew2, _adj_fdiv_m32i, _adj_fdivr_m32i, vbafreestrlist, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp, vbafreestr, vbafreeobj Version Infos Description Data Translation 0x0409 0x04b0 LegalCopyright QINarea Q^a' switzerland InternalName Ciolfi5 FileVersion 1.00 CompanyName GOle BEtworks BTd: Comments bie ProductName BTEllar information GYStems CTx ProductVersion 1.00 OriginalFilename Ciolfi5.exe Possible Origin Language of compilation system Country where language is spoken Map English United States Network Behavior No network behavior found Code Manipulations Copyright Joe Security LLC 201 Page 12 of 16

13 Statistics Behavior 13_outputD50AA6F.exe wscript.exe explorer.exe explorer.exe wscript.exe Click to jump to process System Behavior Analysis Process: 13_outputD50AA6F.exe PID: 3416 Parent PID: 3024 Start time: 21:05:46 Start date: 21/04/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: Reputation: C:\Users\user\Desktop\13_outputD50AA6F.exe 'C:\Users\user\Desktop\13_outputD50AA6F.exe' 0x bytes DC35F511473CB32023F523AB7BBF3CC true Visual Basic low File Created File Path Access Attributes Options Completion Count C:\Users\user\AppData\Local\Temp\subfolder C:\Users\user\AppData\Local\Temp\subfolder\filename.exe C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs read data or list directory and synchronize read attributes and synchroniz e and generic write read attributes and synchroniz e normal none none directory file and synchronous io non alert and open for backup ident and open reparse point success or wait 1 5C1DBB SHCreateDirectoryExW synchronous io non alert and n on directory file synchronous io non alert and n on directory file success or wait 1 5C1F49 CreateFileW success or wait 1 5C2106 CreateFileW File Written Copyright Joe Security LLC 201 Page 13 of 16

14 File Path Offset Length Value Ascii Completion Count C:\Users\user\AppData\Local\Temp\subfolder\filename.exe unknown d 5a ff ff b b e 1f ba 0e 00 b4 09 cd 21 b 01 4c cd f d e 6e 6f e e f d 6f e 0d 0d 0a f f9 db 31 fe fe fe 97 b2 e fe 97 7e dc 9e 30 fe d 9a 30 fe fe c a5 f0 d9 5a e0 00 0f 01 0b a a MZ...@ !..L.!This program cannot be run in DOS mode... $...u ~ rich pe..l...z......p......@.... success or wait 1 5C1F60 WriteFile C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs unknown f 6e f 72 On Error Resume success or wait 1 5C226 WriteFile d e d 0a c 6c 20 3d f 62 6a e c 6c d 0a 6d 79 4b d b c 53 6f c 4d Next..Set WshShell = CreateObject("Wscr ipt.shell")..mykey = "HKCU\Software\Microsof t\windows\currentversion\ RunOnce\Registry Key Name"..WshShel l.regwrite mykey,"c:\users\use r\appdata\local\temp\sub folder \filename.vbs","reg_sz" f 73 6f W 5c e 64 6f c e f 6e 5c e 4f 6e c b e 61 6d d 0a c 6c 2e d 79 4b c a 5c c c b e 5c c 4c 6f c 5c d 70 5c f 6c c c 65 6e 61 6d 65 2e c f 53 5a 22 0d 0a 57 File Read File Path Offset Length Completion Count C:\Users\user\Desktop\13_outputD50AA6F.exe unknown success or wait 1 5C1EFC ReadFile Analysis Process: wscript.exe PID: 3476 Parent PID: 3416 Copyright Joe Security LLC 201 Page 14 of 16

15 Start time: 21:06:09 Start date: 21/04/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: Reputation: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder\fi lename.vbs' 0x bytes 979D74799EA6CB16769A6DF5204A true C, C++ or other language high File Path Access Attributes Options Completion Count File Path Offset Length Completion Count Registry Activities Key Path Name Type Data Completion Count Analysis Process: explorer.exe PID: 350 Parent PID: 2996 Start time: 21:06:10 Start date: 21/04/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: Reputation: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Local\Temp\subfolder\filename.vbs 0xc bytes 6DDCA324434FFA506CF7DC4E51DB7935 true C, C++ or other language high File Created File Path Access Attributes Options Completion Count C:\Users\user\AppData\Local\Microsoft\Windows\Caches read data or list directory and synchronize normal directory file and object name collision 1 12D72 ILCreateFromPathW synchronous io non alert and open for backup ident and open reparse point File Path Offset Length Completion Count Analysis Process: explorer.exe PID: 3536 Parent PID: 54 Copyright Joe Security LLC 201 Page of 16

16 Start time: 21:06:10 Start date: 21/04/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: Reputation: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b c06-abb-676a7b00b24b} -Embedding 0xc bytes 6DDCA324434FFA506CF7DC4E51DB7935 true C, C++ or other language high File Path Offset Length Completion Count Registry Activities Key Path Completion Count Key Path Name Type Data Completion Count Analysis Process: wscript.exe PID: 3564 Parent PID: 3536 Start time: 21:06:10 Start date: 21/04/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: Reputation: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\subfolder\fi lename.vbs' 0x bytes 979D74799EA6CB16769A6DF5204A true C, C++ or other language high File Path Access Attributes Options Completion Count File Path Offset Length Completion Count Disassembly Code Analysis Copyright Joe Security LLC 201 Page 16 of 16