Sandbox Cloud
Deep Malware Analysis
Classification: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader
Verdict scale: clean, suspicious, malicious
ID: 113441
Sample: b19411d.js
Startdate: 29/03/2016
Architecture: WINDOWS
Score: 100
wscript.exe started
System process connects to network (likely due to code injection or exploit)
Deletes shadow drive data (may be related to ransomware)
Drops a file containing file decryption instructions (likely related to ransomware)
Injects files into Windows application
greenellebox.com
87.98.188.110 OvhSystems, France
83.217.25.239 LtdIPTelecom, Russian Federation
185.75.46.4 QuickSoftLLC, Russian Federation
a1odk[1], PE32, dropped
b7uG0vk9g4qsBc5Z.exe, PE32, dropped
b7uG0vk9g4qsBc5Z.exe started
Processes exceeded maximum capacity for this level. 1 process has been hidden.
notepad.exe started
vssadmin.exe started
rundll32.exe started
Report views: Behavior Graph, World Map, Execution Graph, Execution Coverage, Dynamic/Packed Code Coverage
Fully Cloud Based, No Installation Effort, Ready to Go
Analysis on Windows, Android, macOS, iOS and Linux
Deep Malware Analysis - from API Calls to Single Opcodes
Highlights
Fully Cloud Based, no installation effort, ready to go
Deep Malware Analysis, unprecedented depth and detail of analysis
Analysis on Windows, Android, macOS, iOS and Linux
Analysis on virtual and physical (bare metal) machines
VBA Instrumentation for deep Macro analysis
Hybrid Code Analysis, discovers hidden payloads and evasive behavior
Hybrid Decompilation, generates C code from binary code
Execution Graph Analysis, visualizes the program code as a graph
Automation Cookbook, fully control the analysis of a malware sample and change the analysis environment
Direct interaction with malware via VNC
Joe Sandbox Hypervisor
Joe Sandbox Mail Monitor

APIs and Integration
Full integration via RESTful API to: upload, download, search, filter, alerts etc.
Example scripts in Python available
Yara editor: scans all downloads, uploads, memory dumps etc.
Cookbook editor
Virustotal, Metadefender, Phantom, Bro and Snort
Automated Incident Response: Fame, TheHive, Phantom, Demisto, Swimlane and Anomali

Joe Security LLC, business parc Reinach, Christoph Merian-Ring 11, 4153 Reinach, Switzerland

Key Features
Behavior Graphs, visualizes the behavior of the malware in a graph
High precision, low FP and FN for detection
Reports in multiple formats: HTML, PDF, XML, JSON, MAEC and MISP
1508+ behavior signatures, identifies and classifies key behavior
Extensive supplementary analysis data: memory dumps, dropped files, screenshots, unpacked PE files, Yara rules, strings, PCAP, shellcode, decompiled .Net and more
IDA integration to load memory dumps
Automated user behavior simulation, automatically clicks on buttons and other UI elements
HTTPS inspection, analyzes encrypted network traffic
Mail Monitor, automatically analyzes e-mails with potentially malicious attachments
Reporting system, notifies users based on detection or other events
User management, create and manage users, share reports
Fully private, no data and sample sharing
Explore Joe Sandbox Cloud
Contact Joe Security to schedule a technical presentation or to receive a free 14-day trial for Joe Sandbox Cloud Pro.

Joe Security
www.joesecurity.org
info@joesecurity.org
joe4security.blogspot.ch
twitter.com/joe4security
LinkedIn: Joe Security