Analysis Report http://www.iziu.net/hfs/

Overview

General Information

Joe Sandbox Version:	25.0.0 Tiger's Eye
Analysis ID:	101658
Start date:	07.01.2019
Start time:	22:14:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 3m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://www.iziu.net/hfs/
Analysis system description:	Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	EGA enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.win@3/8@1/1
Cookbook Comments:	Adjust boot time
Warnings:	Show All Exclude process from analysis (whitelisted): ielowutil.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	64	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

All HTTP servers contacted by the sample do not resolve. Likely the sample is an old dropper which does no longer work

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Windows Remote Management	Winlogon Helper DLL	Port Monitors	Obfuscated Files or Information1	Credential Dumping	System Service Discovery	Application Deployment Software	Data from Local System	Data Compressed	Standard Non-Application Layer Protocol2
Replication Through Removable Media	Service Execution	Port Monitors	Accessibility Features	Binary Padding	Network Sniffing	Application Window Discovery	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Application Layer Protocol2

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.iziu.net/hfs/

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://www.iziu.net/hfs/	virustotal: Detection: 15%	Perma Link
Source: www.iziu.net	virustotal: Detection: 7%	Perma Link
Source: http://www.iziu.net/hfs/	virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\hfs[1].exe	virustotal: Detection: 49%			Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\hfs.exe.afx14b2.partial	virustotal: Detection: 49%			Perma Link

Networking:

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Show sources

Source: global traffic

TCP traffic: 192.168.2.5:49793 -> 103.27.110.43:80

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /hfs/ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.iziu.netConnection: Keep-Alive

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: www.iziu.net

System Summary:

PE file contains executable resources (Code or Archives)

Show sources

Source: hfs[1].exe.3.dr	Static PE information: Resource name: RT_BITMAP type: DOS executable (COM, 0x8C-variant)
Source: hfs.exe.afx14b2.partial.3.dr	Static PE information: Resource name: RT_BITMAP type: DOS executable (COM, 0x8C-variant)

PE file contains strange resources

Show sources

Source: hfs[1].exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hfs.exe.afx14b2.partial.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Classification label

Show sources

Source: classification engine

Classification label: mal64.win@3/8@1/1

Creates files inside the user directory

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF92231360EC7FA273.TMP

Jump to behavior

Reads ini files

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2912 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2912 CREDAT:17410 /prefetch:2	Jump to behavior

Found GUI installer (many successful clicks)

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

Jump to behavior

Data Obfuscation:

Sample is packed with UPX

Show sources

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\hfs.exe.afx14b2.partial			Jump to dropped file
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\hfs[1].exe			Jump to dropped file

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://www.iziu.net/hfs/	15%	virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\hfs[1].exe	49%	virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\hfs.exe.afx14b2.partial	49%	virustotal		Browse

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.iziu.net	7%	virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.iziu.net/hfs/	15%	virustotal		Browse
http://www.iziu.net/hfs/	100%	Avira URL Cloud	malware

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report http://www.iziu.net/hfs/

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots

Thumbnails