
Analysis Report http://DAF08D1844D2CE68126C015673B9D9540590CFFB7C887E2948B89EE481A34B98

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 208475
Start date: 14.02.2020
Start time: 16:15:51
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: urldownload.jbs
Sample URL: http://DAF08D1844D2CE68126C015673B9D9540590CFFB7C887E2948B89EE481A34B98
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.win@4/1@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Unable to download file
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy: Threshold
Score: 1
Range: 0 - 100
Whitelisted: false
Detection: clean

Confidence

Strategy: Threshold
Score: 4
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Initial sample is implementing a service and should be registered / started as service



Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Command-Line Interface 1; Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Process Injection 11; Accessibility Features
Defense Evasion: Masquerading 1; Process Injection 11
Credential Access: Credential Dumping; Network Sniffing
Discovery: Security Software Discovery 1; System Information Discovery 1
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Data Obfuscation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Signature Overview



System Summary:

Classification label
  • Source: classification engine; Classification label: clean1.win@4/1@0/0
Creates files inside the user directory
  • Source: C:\Windows\SysWOW64\cmd.exe; File created: C:\Users\user\Desktop\cmdline.out
Creates mutexes
  • Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_01
Reads software policies
  • Source: C:\Windows\SysWOW64\wget.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
  • Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://DAF08D1844D2CE68126C015673B9D9540590CFFB7C887E2948B89EE481A34B98' > cmdline.out 2>&1
  • Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  • Source: unknown; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://DAF08D1844D2CE68126C015673B9D9540590CFFB7C887E2948B89EE481A34B98'
  • Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://DAF08D1844D2CE68126C015673B9D9540590CFFB7C887E2948B89EE481A34B98'

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  • Source: wget.exe, 00000003.00000002.1994830618.0000000002AC0000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
  • Source: wget.exe, 00000003.00000002.1994830618.0000000002AC0000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
  • Source: wget.exe, 00000003.00000002.1994830618.0000000002AC0000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
  • Source: wget.exe, 00000003.00000002.1994830618.0000000002AC0000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
  • Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://DAF08D1844D2CE68126C015673B9D9540590CFFB7C887E2948B89EE481A34B98'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
  • Source: unknown; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://DAF08D1844D2CE68126C015673B9D9540590CFFB7C887E2948B89EE481A34B98'
  • Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://DAF08D1844D2CE68126C015673B9D9540590CFFB7C887E2948B89EE481A34B98'

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Behavior Graph ID: 208475
URL: http://DAF08D1844D2CE68126C...
Start date: 14/02/2020
Architecture: WINDOWS
Score: 1
Process tree shown in the graph:
  • cmd.exe
    • wget.exe (started by cmd.exe)
    • conhost.exe (started by cmd.exe)

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Startup

  • System is w10x64
  • cmd.exe (PID: 5880 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://DAF08D1844D2CE68126C015673B9D9540590CFFB7C887E2948B89EE481A34B98' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 5932 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://DAF08D1844D2CE68126C015673B9D9540590CFFB7C887E2948B89EE481A34B98' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • cleanup

Created / dropped Files

C:\Users\user\Desktop\cmdline.out
Process: C:\Windows\SysWOW64\wget.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 383
Entropy (8bit): 4.8102140346956155
Encrypted: false
MD5: E44156450B7CDE447536E8CFB735B275
SHA1: 72874038913A37B8460B3F055D008E3B25700FF7
SHA-256: 1C93859C1DDA4381CB3177846F8306690E86542F33F57376756F5DA0867876DC
SHA-512: 5431F2AEDFE32E5D4D14467449AD25B99AFF180F411BE92866051A1AFA3AE328B0899BAB4653140284EF39B82254B21A84557669166C9F0AAD2214DBD8349122
Malicious: false
Reputation: low
Preview: --2020-02-14 16:17:06-- http://daf08d1844d2ce68126c015673b9d9540590cffb7c887e2948b89ee481a34b98/..Resolving daf08d1844d2ce68126c015673b9d9540590cffb7c887e2948b89ee481a34b98 (daf08d1844d2ce68126c015673b9d9540590cffb7c887e2948b89ee481a34b98)... failed: No such host is known. ...wget: unable to resolve host address 'daf08d1844d2ce68126c015673b9d9540590cffb7c887e2948b89ee481a34b98'..

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage


Memory Usage


Behavior


System Behavior

General

Start time: 16:17:04
Start date: 14/02/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://DAF08D1844D2CE68126C015673B9D9540590CFFB7C887E2948B89EE481A34B98' > cmdline.out 2>&1
Imagebase: 0x13a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 16:17:04
Start date: 14/02/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff642e80000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 16:17:05
Start date: 14/02/2020
Path: C:\Windows\SysWOW64\wget.exe
Wow64 process (32bit): true
Commandline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://DAF08D1844D2CE68126C015673B9D9540590CFFB7C887E2948B89EE481A34B98'
Imagebase: 0x400000
File size: 3895184 bytes
MD5 hash: 3DADB6E2ECE9C4B3E1E322E617658B60
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

Disassembly

Code Analysis
