Joe Sandbox analysis report

Classification categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader
Verdict scale: clean, suspicious, malicious

ID: 113441
Sample: b19411d.js
Startdate: 29/03/2016
Architecture: WINDOWS
Score: 100

Behavior signatures triggered:
  wscript.exe started
  System process connects to network (likely due to code injection or exploit)
  Deletes shadow drive data (may be related to ransomware)
  Drops a file containing file decryption instructions (likely related to ransomware)
  Injects files into Windows application

Network contacts:
  greenellebox.com
  87.98.188.110 (OvhSystems, France)
  83.217.25.239 (LtdIPTelecom, Russian Federation)
  185.75.46.4 (QuickSoftLLC, Russian Federation)

Dropped files:
  a1odk[1], PE32 (dropped)
  b7uG0vk9g4qsBc5Z.exe, PE32 (dropped, started)

Processes started: wscript.exe, b7uG0vk9g4qsBc5Z.exe, notepad.exe, vssadmin.exe, rundll32.exe
Note from the report: Processes exceeded maximum capacity for this level. 1 process has been hidden.

Report sections: Behavior Graph, World Map, Execution Graph, Execution Coverage, Dynamic/Packed Code Coverage
Joe Sandbox Ultimate
Software Package for On-Premise Installation
Analysis on Windows, Android and macOS
Deep Malware Analysis - from API Calls to Single Opcodes

Highlights
  Software package for on-premise installation
  Deep Malware Analysis, unprecedented depth and detail of analysis
  Analysis on Windows, Android and macOS
  Analysis on virtual and physical (bare metal) machines
  VBA Instrumentation for deep Macro analysis
  Hybrid Code Analysis, discovers hidden payloads and evasive behavior
  Execution Graph Analysis, visualizes the program code as a graph
  Behavior Graphs, visualizes the behavior of the malware in a graph
  Automation Cookbook, fully control the analysis of a malware sample and change the analysis environment
  Hybrid Decompilation, generates C code from binary code
  Joe Sandbox Hypervisor
  Joe Sandbox Mail Monitor
  Malware similarity analysis and classification

Key Features
  High precision, low FP and FN for detection
  Reports in multiple formats: HTML, PDF, XML, JSON, MAEC and MISP
  1508+ behavior signatures, identifies and classifies key behavior
  Extensive supplementary analysis data: memory dumps, dropped files, screenshots, unpacked PE files, Yara rules, strings, PCAP, shellcode, decompiled .Net and more
  IDA Integration to load memory dumps
  Automated user behavior simulation, automatically clicks on buttons and other UI elements
  HTTPS inspection, analyzes encrypted network traffic
  Reporting system, notifies users based on detection or other events
  User management, create and manage users
  100% standalone, no third party service lookup

APIs and Integration
  Full integration via RESTful API to: upload, download, search, filter, alerts etc.
  Example scripts in Python available
  Software development kit for OEM vendors
  100% configurable analysis machines, install your software and your tools
  Golden image: analyze on default image of your company
  Yara editor: scans all downloads, uploads, memory dumps etc.
  Cookbook editor
  Virustotal, Metadefender, Phantom, Bro and Snort
  Automated Incident Response: Fame, TheHive, Phantom, Demisto, Swimlane and Anomali
Joe Security LLC, business parc Reinach, Christoph Merian-Ring 11, 4153 Reinach, Switzerland

Explore Joe Sandbox Ultimate: Contact Joe Security to schedule a technical presentation or to receive a free 14-day trial for Joe Sandbox Ultimate.

www.joesecurity.org | info@joesecurity.org | joe4security.blogspot.ch | twitter.com/joe4security | LinkedIn: Joe Security