ID: 49 Cookbook: urldownload.jbs Time: 19:: Date: 0/0/201 Version: 22.0.0
Table of Contents

- Analysis Report
  - Overview
    - General Information
    - Detection
    - Confidence
    - Classification
    - Analysis Advice
  - Signature Overview
    - System Summary
    - HIPS / PFW / Operating System Protection Evasion
    - Anti Debugging
    - Malware Analysis System Evasion
  - Behavior Graph
  - Simulations
    - Behavior and APIs
  - Antivirus Detection
    - Initial Sample
    - Unpacked PE Files
    - Domains
  - Yara Overview
    - Initial Sample
    - PCAP (Network Traffic)
    - Memory Dumps
    - Unpacked PEs
  - Joe Sandbox View / Context
    - IPs
    - Domains
    - ASN
  - Startup
  - Created / dropped Files
  - Contacted Domains/Contacted IPs
    - Contacted Domains
    - Contacted IPs
  - Static File Info
    - No static file info
  - Network Behavior
  - Code Manipulations
  - Statistics
  - System Behavior
    - Analysis Process: wget.exe PID: Parent PID: 2
      - General
  - Disassembly
    - Code Analysis

Copyright Joe Security LLC 201 Page 2 of 9
Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0
Analysis ID: 49
Start time: 19::
Start date: 0.0.201
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 2s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: http://acroipm2.adobe.com/1/rdr/enu/win/nooem/none/consumer/message.zip
Analysis system description: Windows SP1 (with Office 2010 SP2, IE 11, FF 4, Chrome 0, Acrobat Reader DC 1, Flash 2, Java.0.1440.1)
Number of analysed new started processes analysed:
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus21.evad.win@1/0@0/0
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments: Adjust boot time; Correcting counters for adjusted boot time; Unable to download file
Warnings: Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe

Detection

Strategy: Threshold
Score: 21
Range: 0-100
Reporting: Report FP / FN

Confidence

Strategy: Threshold
Score: 4
Range: 0-
Further Analysis Required?: false

Classification

[Classification radar chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; rings malicious / suspicious / clean]

Analysis Advice

Sample may be VM or Sandbox-aware, try analysis on a native machine

Signature Overview
- System Summary
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Malware Analysis System Evasion

System Summary:
- Classification label

HIPS / PFW / Operating System Protection Evasion:
- Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Anti Debugging:
- Program does not show much activity (idle)

Malware Analysis System Evasion:
- Program does not show much activity (idle)
- Potential time zone aware malware

Behavior Graph
[Behavior graph: ID 49; URL: http://acroipm2.adobe.com/1/rdr/enu/win/nooem/none/consu...; Startdate: 0/0/201; Architecture: WINDOWS; Score: 21. Single node: wget.exe (started), flagged "Potential time zone aware malware". Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious]

Simulations

Behavior and APIs

Time    | Type            | Description
19:4:4  | API Interceptor | 1x Sleep call for process: wget.exe modified

Antivirus Detection

Initial Sample

Source                                                                    | Detection | Scanner    | Label | Link
http://acroipm2.adobe.com/1/rdr/enu/win/nooem/none/consumer/message.zip | 0%        | virustotal |       | Browse
No Antivirus matches

Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

Yara Overview

Initial Sample
PCAP (Network Traffic)
Memory Dumps
Unpacked PEs

Joe Sandbox View / Context

IPs: No context
Domains: No context
ASN: No context
No context

Startup

System is w
wget.exe (PID: , cmdline: wget -T 0 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='mozilla/.0 (Windows NT.1; WOW4; Trident/.0; AS; rv:11.0) like Gecko' 'http://acroipm2.adobe.com/1/rdr/enu/win/nooem/none/consumer/message.zip', MD: 4C094BFEFB9B0E9BAD1AF4)
cleanup

Created / dropped Files

No created / dropped files found
Contacted Domains/Contacted IPs

Contacted Domains: No contacted domains info
Contacted IPs: No contacted IP infos

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: wget.exe PID: Parent PID: 2

General

Start time: 19:4:4
Start date: 0/0/201
Path: C:\Windows\System2\wget.exe
Wow4 process (2bit): false
Commandline: wget -T 0 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='mozilla/.0 (Windows NT.1; WOW4; Trident/.0; AS; rv:11.0) like Gecko' 'http://acroipm2.adobe.com/1/rdr/enu/win/nooem/none/consumer/message.zip'
Imagebase: 0x400000
File size: 2 bytes
MD hash: 4C094BFEFB9B0E9BAD1AF4
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Disassembly
Code Analysis