Loading ...

Play interactive tourEdit tour

Analysis Report https://precator.com.mx/js/i2/FAC_89328.zip

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:173084
Start date:11.09.2019
Start time:20:28:14
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 10m 48s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:urldownload.jbs
Sample URL:https://precator.com.mx/js/i2/FAC_89328.zip
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean3.win@9/18@1/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 104.103.90.39, 152.199.19.161, 13.107.4.50, 93.184.221.240, 67.27.151.254, 8.248.109.254, 8.253.208.121, 8.247.211.254, 8.247.209.254, 67.24.27.254, 8.247.209.126, 67.24.35.254, 67.27.150.254, 8.248.3.254, 8.248.7.254, 67.27.154.126, 67.27.155.126, 8.253.208.112
  • Excluded domains from analysis (whitelisted): ie9comview.vo.msecnd.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, wu.azureedge.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, au.au-msedge.net, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, au.c-0001.c-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, cs9.wpc.v0cdn.net
  • Execution Graph export aborted for target wget.exe, PID 248 because there are no executed function
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold30 - 100falseclean

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold30 - 5true
ConfidenceConfidence


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsWindows Remote ManagementWinlogon Helper DLLProcess Injection1Process Injection1Credential DumpingQuery Registry1Application Deployment SoftwareData from Local SystemData Encrypted1Standard Cryptographic Protocol2
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesDLL Side-Loading1Network SniffingSecurity Software Discovery1Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Non-Application Layer Protocol2
Drive-by CompromiseWindows Management InstrumentationAccessibility FeaturesPath InterceptionObfuscated Files or Information1Input CaptureFile and Directory Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Application Layer Protocol2
Exploit Public-Facing ApplicationScheduled TaskSystem FirmwareDLL Search Order HijackingObfuscated Files or InformationCredentials in FilesSystem Information Discovery1Logon ScriptsInput CaptureData EncryptedMultiband Communication
Spearphishing LinkCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessMasqueradingAccount ManipulationRemote System Discovery1Shared WebrootData StagedScheduled TransferStandard Cryptographic Protocol

Signature Overview

Click to jump to signature section


Networking:

barindex
Found strings which match to known social media urlsShow sources
Source: msapplication.xml0.6.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x73edcac2,0x01d5691a</date><accdate>0x73edcac2,0x01d5691a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.6.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x73edcac2,0x01d5691a</date><accdate>0x73edcac2,0x01d5691a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.6.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x73fa7509,0x01d5691a</date><accdate>0x73fa7509,0x01d5691a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.6.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x73fa7509,0x01d5691a</date><accdate>0x73fcfd70,0x01d5691a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.6.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x73ff9965,0x01d5691a</date><accdate>0x73ff9965,0x01d5691a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.6.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x73ff9965,0x01d5691a</date><accdate>0x74022136,0x01d5691a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: precator.com.mx
Urls found in memory or binary dataShow sources
Source: wget.exe, 00000002.00000003.1730451860.0000000002DBB000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl
Source: wget.exe, 00000002.00000003.1730451860.0000000002DBB000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: wget.exe, 00000002.00000003.1730451860.0000000002DBB000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
Source: wget.exe, 00000002.00000003.1730451860.0000000002DBB000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: wget.exe, 00000002.00000003.1730451860.0000000002DBB000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crlUS1
Source: wget.exe, 00000002.00000003.1730471258.0000000002D74000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000003.1730471258.0000000002D74000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000002.00000003.1730471258.0000000002D74000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl~
Source: wget.exe, 00000002.00000003.1730451860.0000000002DBB000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com
Source: wget.exe, 00000002.00000003.1730451860.0000000002DBB000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: msapplication.xml.6.drString found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.6.drString found in binary or memory: http://www.google.com/
Source: msapplication.xml2.6.drString found in binary or memory: http://www.live.com/
Source: msapplication.xml3.6.drString found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.6.drString found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.6.drString found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.6.drString found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.6.drString found in binary or memory: http://www.youtube.com/
Source: wget.exe, 00000002.00000002.1731047035.0000000000B90000.00000004.00000020.sdmp, wget.exe, 00000002.00000002.1730969268.00000000009CC000.00000004.00000010.sdmp, cmdline.out.2.drString found in binary or memory: https://precator.com.mx/js/i2/FAC_89328.zip
Source: wget.exe, 00000002.00000003.1730451860.0000000002DBB000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705

System Summary:

barindex
Creates mutexesShow sources
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3440:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:352:120:WilError_01
Reads the hosts fileShow sources
Source: C:\Windows\SysWOW64\wget.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\wget.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Tries to load missing DLLsShow sources
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Windows\SysWOW64\wget.exeSection loaded: wow64log.dllJump to behavior
Source: C:\Windows\SysWOW64\7za.exeSection loaded: wow64log.dllJump to behavior
Classification labelShow sources
Source: classification engineClassification label: clean3.win@9/18@1/1
Creates files inside the user directoryShow sources
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Desktop\cmdline.outJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF17C4D21AFAF42463.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\SysWOW64\wget.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://precator.com.mx/js/i2/FAC_89328.zip' > cmdline.out 2>&1
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://precator.com.mx/js/i2/FAC_89328.zip'
Source: unknownProcess created: C:\Windows\SysWOW64\7za.exe 7za x -y -pinfected -o'C:\Users\user\Desktop\extract' 'C:\Users\user\Desktop\download\FAC_89328.zip'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\FAC_89328.zip.html
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3904 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://precator.com.mx/js/i2/FAC_89328.zip' Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3904 CREDAT:17410 /prefetch:2Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_00B9C324 push ebx; ret 2_2_00B9C34A
Source: C:\Windows\SysWOW64\wget.exeCode function: 2_2_00BA4361 push ebx; ret 2_2_00BA4362

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)Show sources
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: wget.exeBinary or memory string: Hyper-V RAW
Source: wget.exe, 00000002.00000002.1731059912.0000000000B98000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://precator.com.mx/js/i2/FAC_89328.zip' Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\SysWOW64\wget.exeQueries volume information: C:\Users\user\Desktop\download VolumeInformationJump to behavior
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\SysWOW64\wget.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 173084 URL: https://precator.com.mx/js/... Startdate: 11/09/2019 Architecture: WINDOWS Score: 3 5 cmd.exe 2 2->5         started        7 iexplore.exe 6 84 2->7         started        9 7za.exe 1 2->9         started        process3 11 wget.exe 2 5->11         started        14 conhost.exe 5->14         started        16 iexplore.exe 21 7->16         started        18 conhost.exe 9->18         started        dnsIp4 20 precator.com.mx 67.225.220.158, 443, 49705 unknown United States 11->20

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
precator.com.mx0%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://www.wikipedia.com/0%VirustotalBrowse
http://www.wikipedia.com/0%Avira URL Cloudsafe
http://www.wikipedia.com/0%Google Safe Browsingsafe
https://precator.com.mx/js/i2/FAC_89328.zip0%VirustotalBrowse
https://precator.com.mx/js/i2/FAC_89328.zip0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.