Joe Sandbox Cloud Basic Analysis Report

Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:72964
Start date:17.08.2018
Start time:15:23:45
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 1m 39s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:http://gather.ihani.co.kr:9003/?uid=102&tid=1&pid=100&cpu=UNKNOWN&bz=Firefox&bv=61.0&os=Windows&pref=&tref=bookmark&dim=1366*768&cd=24&je=0&ref=bookmark&url=www.hani.co.kr/oops.html&menu=&title=%ed%95%9c%ea%b2%a8%eb%a0%88&&jv=13&tz=21&ul=en-us&ad_key=&skey=&tp=&qut=0&iul=&ks=&age=0&gender=unknown&marry=unknown&join=&member_key=&inc=0&loc=&
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
Analysis stop reason:Timeout
Detection:SUS
Classification:sus20.troj.win@3/14@2/1
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

StrategyScoreRangeReportingDetection
Threshold200 - 100Report FP / FNsuspicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold40 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior



Signature Overview

Click to jump to signature section


Networking:

barindex
Uses known network protocols on non-standard portsShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 9003
Source: unknownNetwork traffic detected: HTTP traffic on port 9003 -> 49168
Source: unknownNetwork traffic detected: HTTP traffic on port 49169 -> 9003
Source: unknownNetwork traffic detected: HTTP traffic on port 9003 -> 49169
Source: unknownNetwork traffic detected: HTTP traffic on port 49172 -> 9003
Source: unknownNetwork traffic detected: HTTP traffic on port 9003 -> 49172
Downloads filesShow sources
Source: C:\Program Files\Internet Explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\favicon[2].icoJump to behavior
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /?uid=102&tid=1&pid=100&cpu=UNKNOWN&bz=Firefox&bv=61.0&os=Windows&pref=&tref=bookmark&dim=1366*768&cd=24&je=0&ref=bookmark&url=www.hani.co.kr/oops.html&menu=&title=???&&jv=13&tz=21&ul=en-us&ad_key=&skey=&tp=&qut=0&iul=&ks=&age=0&gender=unknown&marry=unknown&join=&member_key=&inc=0&loc=& HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gather.ihani.co.kr:9003DNT: 1Connection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like GeckoHost: gather.ihani.co.kr:9003DNT: 1Connection: Keep-AliveCookie: Gsurl=www.hani.co.kr%2foops.html; Gsbref=bookmark; GsTSP_100=1534512266370082; GsTST_1=1534512266370082; GsTSC_3=102_1534512266370082^; GsTDMYC_3=102|TM_1^TV_1822822^DY_1^DV_18228^MH_1^MV_1807^YR_1^YV_118^PD_18228; GsTDMYP=100|TM_1^TV_1822822^DY_1^DV_18228^MH_1^MV_1807^YR_1^YV_118^PD_18228; GsTDMYT_1=TM_1^TV_1822822^DY_1^DV_18228^MH_1^MV_1807^YR_1^YV_118^PD_18228; GsTDMY_102=; Gsref=REF%5fbookmark%5eCORP%5f%5eSTYPE%5f%5eKCORP%5f%5eSKEY%5f%5eRFCHK%5fOTHER
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1User-Agent: AutoItHost: gather.ihani.co.kr:9003Cookie: GsTDMYC_3=102|TM_1^TV_1822822^DY_1^DV_18228^MH_1^MV_1807^YR_1^YV_118^PD_18228; GsTDMYP=100|TM_1^TV_1822822^DY_1^DV_18228^MH_1^MV_1807^YR_1^YV_118^PD_18228; GsTDMYT_1=TM_1^TV_1822822^DY_1^DV_18228^MH_1^MV_1807^YR_1^YV_118^PD_18228; GsTDMY_102=; Gsref=REF%5fbookmark%5eCORP%5f%5eSTYPE%5f%5eKCORP%5f%5eSKEY%5f%5eRFCHK%5fOTHER
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: gather.ihani.co.kr
Urls found in memory or binary dataShow sources
Source: ~DF67138CA95D9D4BD9.TMP.1.dr, {DB134253-A220-11E8-B3E3-CCDA62336E41}.dat.1.drString found in binary or memory: http://gather.ihani.co.kr:9003/?uid=102&tid=1&pid=100&cpu=UNKNOWN&bz=Firefox&bv=61.0&os=Windows&pref

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: sus20.troj.win@3/14@2/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\Internet Explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DB134251-A220-11E8-B3E3-CCDA62336E41}.datJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\Internet Explorer\iexplore.exeFile created: C:\Users\SAMTAR~1\AppData\Local\Temp\~DFDB865D2ED663C324.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\Internet Explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:4044 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exeProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:4044 CREDAT:275457 /prefetch:2Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Internet Explorer\iexplore.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dllJump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Uses known network protocols on non-standard portsShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 9003
Source: unknownNetwork traffic detected: HTTP traffic on port 9003 -> 49168
Source: unknownNetwork traffic detected: HTTP traffic on port 49169 -> 9003
Source: unknownNetwork traffic detected: HTTP traffic on port 9003 -> 49169
Source: unknownNetwork traffic detected: HTTP traffic on port 49172 -> 9003
Source: unknownNetwork traffic detected: HTTP traffic on port 9003 -> 49172

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 72964 URL: http://gather.ihani.co.kr:9003/?uid=102&tid=1&pid=100&cpu... Startdate: 17/08/2018 Architecture: WINDOWS Score: 20 13 Uses known network protocols on non-standard ports 2->13 6 iexplore.exe 7 38 2->6         started        process3 process4 8 iexplore.exe 2 22 6->8         started        dnsIp5 11 gather.ihani.co.kr 211.233.22.223, 49168, 49169, 49172 LGDACOMLGDACOMCorporationKR Korea Republic of 8->11

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
gather.ihani.co.kr0%virustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://gather.ihani.co.kr:9003/?uid=102&tid=1&pid=100&cpu=UNKNOWN&bz=Firefox&bv=61.0&os=Windows&pref=&tref=bookmark&dim=1366*768&cd=24&je=0&ref=bookmark&url=www.hani.co.kr/oops.html&menu=&title=???&&jv=13&tz=21&ul=en-us&ad_key=&skey=&tp=&qut=0&iul=&ks=&age=0&gender=unknown&marry=unknown&join=&member_key=&inc=0&loc=&0%Avira URL Cloudsafe
http://gather.ihani.co.kr:9003/favicon.ico0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots