Loading ...

Analysis Report http://www.iziu.net/hfs/

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:101658
Start date:07.01.2019
Start time:22:14:21
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 41s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:http://www.iziu.net/hfs/
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal64.win@3/8@1/1
Cookbook Comments:
  • Adjust boot time
Warnings:
Show All
  • Exclude process from analysis (whitelisted): ielowutil.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold640 - 100Report FP / FNfalsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

All HTTP servers contacted by the sample do not resolve. Likely the sample is an old dropper which does no longer work



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsWindows Remote ManagementWinlogon Helper DLLPort MonitorsObfuscated Files or Information1Credential DumpingSystem Service DiscoveryApplication Deployment SoftwareData from Local SystemData CompressedStandard Non-Application Layer Protocol2
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesBinary PaddingNetwork SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol2

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for URL or domainShow sources
Source: http://www.iziu.net/hfs/Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URLShow sources
Source: http://www.iziu.net/hfs/virustotal: Detection: 15%Perma Link
Source: www.iziu.netvirustotal: Detection: 7%Perma Link
Source: http://www.iziu.net/hfs/virustotal: Detection: 15%Perma Link
Multi AV Scanner detection for dropped fileShow sources
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\hfs[1].exevirustotal: Detection: 49%Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\hfs.exe.afx14b2.partialvirustotal: Detection: 49%Perma Link

Networking:

barindex
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)Show sources
Source: global trafficTCP traffic: 192.168.2.5:49793 -> 103.27.110.43:80
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /hfs/ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.iziu.netConnection: Keep-Alive
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: www.iziu.net

System Summary:

barindex
PE file contains executable resources (Code or Archives)Show sources
Source: hfs[1].exe.3.drStatic PE information: Resource name: RT_BITMAP type: DOS executable (COM, 0x8C-variant)
Source: hfs.exe.afx14b2.partial.3.drStatic PE information: Resource name: RT_BITMAP type: DOS executable (COM, 0x8C-variant)
PE file contains strange resourcesShow sources
Source: hfs[1].exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hfs.exe.afx14b2.partial.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Classification labelShow sources
Source: classification engineClassification label: mal64.win@3/8@1/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF92231360EC7FA273.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2912 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2912 CREDAT:17410 /prefetch:2Jump to behavior
Found GUI installer (many successful clicks)Show sources
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Source: C:\Program Files\internet explorer\iexplore.exeAutomated click: Run
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Data Obfuscation:

barindex
Sample is packed with UPXShow sources
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1
Source: initial sampleStatic PE information: section name: UPX0
Source: initial sampleStatic PE information: section name: UPX1

Persistence and Installation Behavior:

barindex
Drops PE filesShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\hfs.exe.afx14b2.partialJump to dropped file
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\hfs[1].exeJump to dropped file

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 101658 URL: http://www.iziu.net/hfs/ Startdate: 07/01/2019 Architecture: WINDOWS Score: 64 20 Multi AV Scanner detection for domain / URL 2->20 22 Antivirus detection for URL or domain 2->22 24 Multi AV Scanner detection for dropped file 2->24 6 iexplore.exe 8 65 2->6         started        process3 process4 8 iexplore.exe 27 6->8         started        dnsIp5 16 www.iziu.net 8->16 18 davieyoung.host98.cnaaa13.com 103.27.110.43, 49793, 49794, 80 TOPWAY-AS-APTOPWAYGLOBALLIMITEDHK Hong Kong 8->18 12 C:\Users\user\...\hfs.exe.afx14b2.partial, PE32 8->12 dropped 14 C:\Users\user\AppData\Local\...\hfs[1].exe, PE32 8->14 dropped file6

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
http://www.iziu.net/hfs/15%virustotalBrowse

Dropped Files

SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\hfs[1].exe49%virustotalBrowse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\hfs.exe.afx14b2.partial49%virustotalBrowse

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
www.iziu.net7%virustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://www.iziu.net/hfs/15%virustotalBrowse
http://www.iziu.net/hfs/100%Avira URL Cloudmalware

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.