Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:215088
Start date:12.03.2020
Start time:18:50:22
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 16s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowscmdlinecookbook.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.win@2/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Stop behavior analysis, all processes terminated

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold10 - 100falseclean

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold40 - 5false
ConfidenceConfidence


Classification Spiderchart

Analysis Advice

Initial sample is implementing a service and should be registered / started as service



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Remote ManagementWinlogon Helper DLLProcess Injection1Process Injection1Credential DumpingSystem Service DiscoveryApplication Deployment SoftwareData from Local SystemData CompressedData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition

Signature Overview

Click to jump to signature section


System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: clean1.win@2/0@0/0
Creates mutexesShow sources
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:468:120:WilError_01
Spawns processesShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C ''C:\Windows\system32\wuauclt.exe' /UpdateDeploymentProvider wuaueng.dll /RunHandlerComServer'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Malware Analysis System Evasion:

barindex
Program does not show much activity (idle)Show sources
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)Show sources
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed

Anti Debugging:

barindex
Program does not show much activity (idle)Show sources
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 215088 Cookbook: defaultwindowscmdlinecookbook.jbs Startdate: 12/03/2020 Architecture: WINDOWS Score: 1 5 cmd.exe 1 2->5         started        process3 7 conhost.exe 5->7         started       

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Startup

  • System is w10x64
  • cmd.exe (PID: 2912 cmdline: cmd /C ''C:\Windows\system32\wuauclt.exe' /UpdateDeploymentProvider wuaueng.dll /RunHandlerComServer' MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 2912 Parent PID: 3436

General

Start time:18:52:06
Start date:12/03/2020
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C ''C:\Windows\system32\wuauclt.exe' /UpdateDeploymentProvider wuaueng.dll /RunHandlerComServer'
Imagebase:0x1200000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

Chronological Activities

Analysis Process: conhost.exe PID: 468 Parent PID: 2912

General

Start time:18:52:06
Start date:12/03/2020
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff604130000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

Chronological Activities

Disassembly

Reset < >