ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version:

Transcription

1 ID: 3923 Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/0/201 Version:

2 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview AV Detection: Networking: System Summary: HIPS / PFW / Operating System Protection Evasion: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains URLs Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior TCP Packets UDP Packets ICMP Packets DNS Queries DNS Answers Code Manipulations Statistics Behavior Table of Contents Copyright Joe Security LLC 201 Page 2 of

3 System Behavior Analysis Process: cmd.exe PID: 330 Parent PID: 2 General File Activities File Created Analysis Process: wget.exe PID: 3332 Parent PID: 330 General File Activities Disassembly Code Analysis Copyright Joe Security LLC 201 Page 3 of

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: 3923 Start time: 20:09:25 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 1m 24s false light urldownload.jbs UDQZCQi Analysis system description: Windows SP1 (with Office 20 SP2, IE, FF 54, Chrome 0, Acrobat Reader DC 1, Flash 2, Java ) Number of analysed new started processes analysed: 4 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: HCA enabled EGA enabled HDC enabled Timeout MAL mal4.win@3/1@5/0 HCA Information: Successful, ratio: 0% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Adjust boot time Correcting counters for adjusted boot time Unable to download file Show All Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Copyright Joe Security LLC 201 Page 4 of

5 Strategy Score Range Further Analysis Required? Threshold false Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice All domains contacted by the sample do not resolve. Likely the sample is an old dropper which does no longer work Copyright Joe Security LLC 201 Page 5 of

6 Signature Overview AV Detection Networking System Summary HIPS / PFW / Operating System Protection Evasion Hooking and other Techniques for Hiding and Protection Click to jump to signature section AV Detection: Multi AV Scanner detection for domain / URL Networking: Tries to resolve domain names, but no domain seems valid (expired dropper behavior) Performs DNS lookups Urls found in memory or binary data System Summary: Classification label Creates files inside the program directory Reads software policies Spawns processes Creates a directory in C:\Program Files HIPS / PFW / Operating System Protection Evasion: Very long cmdline option found, this is very uncommon (may be encrypted or packed) Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Behavior Graph Copyright Joe Security LLC 201 Page of

7 Behavior Graph ID: 3923 URL: Startdate: 13/0/201 Architecture: WINDOWS Score: 4 Hide Legend Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Number of created Registry Values Multi AV Scanner detection for domain / URL cmd.exe started Number of created Files Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious 1 started wget.exe kaelfleming.com Simulations Behavior and APIs Time Type Description 20:09:4 API Interceptor 5x Sleep call for process: cmd.exe modified Antivirus Detection Initial Sample Source Detection Scanner Label Link % virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Source Detection Scanner Label Link kaelfleming.com 15% virustotal Browse Copyright Joe Security LLC 201 Page of

8 URLs No Antivirus matches Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Copyright Joe Security LLC 201 Page of

9 Startup System is w cmd.exe (PID: 330 cmdline: C:\Windows\system32\cmd.exe /c wget -v -T 0 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent=' Mozilla/5.0 (Windows NT.1; WOW4; Trident/.0; AS; rv:.0) like Gecko' ' > cmdline.out 2>&1 MD5: ADB9C1403B52BC532FBA594342B9) wget.exe (PID: 3332 cmdline: wget -v -T 0 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='mozilla/5.0 (Windows NT.1; WO W4; Trident/.0; AS; rv:.0) like Gecko' ' MD5: 3DADBE2ECE9C4B3E1E322E15B0) cleanup Created / dropped Files C:\Program Files\AutoIt3\cmdline.out Process: File Type: Size (bytes): 22 C:\Windows\System32\wget.exe ASCII text, with CRLF line terminators Entropy (bit): Encrypted: MD5: SHA1: SHA-25: SHA-5: Malicious: Reputation: false CB0B C30B BA3B59C42BBFEF41F40423C2BA09A1F 24A5DAADCCD A59E035CC031F1B5A3D3A4E440AEA2D5B043 E9A459C2E2F49C925AA4A2DEAC0035FC4FAE5419A9D41354FE993424BD0E1B40333B5D33EEFCA 3C90052D95D3C3FB0A5D020DC042 false low Copyright Joe Security LLC 201 Page 9 of

10 Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation kaelfleming.com unknown unknown false 15%, virustotal, Browse low Contacted IPs No contacted IP infos Static File Info No static file info Network Behavior TCP Packets Timestamp Source Port Dest Port Source IP Dest IP Jun 13, :: CEST Jun 13, ::04.92 CEST Jun 13, :: CEST Jun 13, :: CEST Jun 13, :: CEST Jun 13, :: CEST Jun 13, :: CEST Jun 13, :: CEST Jun 13, :: CEST Jun 13, :: CEST UDP Packets Timestamp Source Port Dest Port Source IP Dest IP Jun 13, :: CEST Jun 13, ::04.92 CEST Jun 13, :: CEST Jun 13, :: CEST Jun 13, :: CEST Jun 13, :: CEST Jun 13, :: CEST Jun 13, :: CEST Jun 13, :: CEST Jun 13, :: CEST ICMP Packets Timestamp Source IP Dest IP Checksum Code Type Jun 13, :: CEST cff1 (Port unreachable) Jun 13, :: CEST cff1 (Port unreachable) Jun 13, :: CEST cff1 (Port unreachable) Destination Unreachable Destination Unreachable Destination Unreachable DNS Queries Copyright Joe Security LLC 201 Page of

11 Timestamp Source IP Dest IP Trans ID OP Code Name Type Class Jun 13, :: CEST x3a0 Standard query (0) Jun 13, ::04.92 CEST x3a0 Standard query (0) Jun 13, :: CEST x3a0 Standard query (0) Jun 13, :: CEST x3a0 Standard query (0) Jun 13, :: CEST x3a0 Standard query (0) kaelfleming.com A (IP address) IN (0x0001) kaelfleming.com A (IP address) IN (0x0001) kaelfleming.com A (IP address) IN (0x0001) kaelfleming.com A (IP address) IN (0x0001) kaelfleming.com A (IP address) IN (0x0001) DNS Answers Timestamp Source IP Dest IP Trans ID Replay Code Name CName Address Type Class Jun 13, x3a0 Name error (3) kaelfleming.com none none A (IP address) IN (0x0001) 20:: CEST Jun 13, x3a0 Name error (3) kaelfleming.com none none A (IP address) IN (0x0001) 20:: CEST Jun 13, x3a0 Name error (3) kaelfleming.com none none A (IP address) IN (0x0001) 20:: CEST Jun 13, x3a0 Name error (3) kaelfleming.com none none A (IP address) IN (0x0001) 20:: CEST Jun 13, x3a0 Server failure (2) kaelfleming.com none none A (IP address) IN (0x0001) 20:: CEST Code Manipulations Statistics Behavior cmd.exe wget.exe Click to jump to process System Behavior Analysis Process: cmd.exe PID: 330 Parent PID: 2 General Copyright Joe Security LLC 201 Page of

12 Start time: 20:09:45 Start date: 13/0/201 Path: Wow4 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: Reputation: C:\Windows\System32\cmd.exe false C:\Windows\system32\cmd.exe /c wget -v -T 0 -P 'C:\Users\user\Desktop\download' --nocheck-certificate --content-disposition --user-agent='mozilla/5.0 (Windows NT.1; WOW4; Trident/.0; AS; rv:.0) like Gecko' ' > cmdline.out 2>&1 0x4a bytes ADB9C1403B52BC532FBA594342B9 true C, C++ or other language low File Activities File Created File Path Access Attributes Options Completion Count C:\Program Files\AutoIt3\cmdline.out read attributes synchronize generic write normal synchronous io non alert non directory file Source Address Symbol success or wait 1 4A343A9 CreateFileW File Path Offset Length Completion Count Source Address Symbol Analysis Process: wget.exe PID: 3332 Parent PID: 330 General Start time: 20:09:45 Start date: 13/0/201 Path: Wow4 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: Reputation: C:\Windows\System32\wget.exe false wget -v -T 0 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='mozilla/5.0 (Windows NT.1; WOW4; Trident/.0; AS; rv:.0) like Gecko' 'http: //kaelfleming.com/?250=qyqhcenxcmiiudqzcqi' 0x bytes 3DADBE2ECE9C4B3E1E322E15B0 true C, C++ or other language low File Activities File Path Offset Length Value Ascii Completion Count Source Address Symbol File Path Offset Length Completion Count Source Address Symbol Disassembly Code Analysis Copyright Joe Security LLC 201 Page of