ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version:

Transcription

1 ID: 5702 Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/201 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Networking: System Summary: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets ICMP Packets HTTP Request Dependency Graph HTTP Packets Code Manipulations Statistics Behavior System Behavior Analysis iexplore.exe PID: 3756 Parent PID: Copyright Joe Security LLC 201 Page 2 of 21

3 General File Activities Registry Activities Analysis iexplore.exe PID: 316 Parent PID: 3756 General File Activities Registry Activities Disassembly Code Analysis Copyright Joe Security LLC 201 Page 3 of 21

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: 5702 Start time: 13:46:19 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 10m 59s light browseurl.jbs SCW01.fmx&otherparams=par_bedrijfskode=1 0+par_factuur_id= par_ind_vervanger=N Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: HCA enabled EGA enabled HDC enabled Timeout CLEAN clean0.win@3/24@0/1 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Adjust boot time Correcting counters for adjusted boot time Show All Exclude process from analysis (whitelisted): WmiPrvSE.exe, dllhost.exe Execution Graph export aborted for target iexplore.exe, PID 316 because there are no executed function Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Copyright Joe Security LLC 201 Page 4 of 21

5 Confidence Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Copyright Joe Security LLC 201 Page 5 of 21

6 Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Signature Overview Networking System Summary Click to jump to signature section Networking: Social media urls found in memory data Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Urls found in memory or binary data System Summary: Classification label Creates files inside the user directory Creates temporary files Reads ini files Spawns processes Uses an in-process (OLE) Automation server Found graphical window changes (likely an installer) Uses new MSVCR Dlls Behavior Graph Copyright Joe Security LLC 201 Page 6 of 21

7 Behavior Graph ID: 5702 URL: Startdate: 09/05/201 Legend: Process Signature Created File DNS/IP Info Is Dropped Hide Legend Architecture: Score: 0 WINDOWS Is Windows Process Number of created Registry Values Number of created Files started Visual Basic Delphi iexplore.exe Java.Net C# or VB.NET C, C++ or other language Is malicious started iexplore.exe , 49171, 4912, 0 unknown unknown Simulations Behavior and APIs Time Type Description 13:46:26 API Interceptor 422x Sleep call for process: iexplore.exe modified Antivirus Detection Initial Sample No Antivirus matches Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains No Antivirus matches Copyright Joe Security LLC 201 Page 7 of 21

8 Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Copyright Joe Security LLC 201 Page of 21

9 Startup System is w7 iexplore.exe (PID: 3756 cmdline: '' -Embedding CA1F703CD66567E132D2946FB55750) iexplore.exe (PID: 316 cmdline: '' SCODEF:3756 CREDAT: /prefetch:2 CA1F703CD66567E132D2946FB55750) cleanup Created / dropped Files C:\Users\SAMTAR~1\AppData\Local\Temp\JavaDeployReg.log Size (bytes): 9 ASCII text, with CRLF line terminators Entropy (bit): D0A24CAEEFF DFBF4442C4 00ACD4623D1F507C297C02F3AB47F F B1D6B4AD054A9250A3DE4EAD252FDFE3FDC62DA D13910FA69C 99CFCC70CB2742A2C B6B3FC4F95F27E401910EDF23D32C3BECA7A0EA60AD041B47E77AC9E 0A5C23C7DA4CDB70FD19E E2F430B2 Copyright Joe Security LLC 201 Page 9 of 21

10 C:\Users\SAMTAR~1\AppData\Local\Temp\~DF19013FD3ADF0A149.TMP FoxPro FPT, blocks size 25, next free block index Size (bytes): Entropy (bit): D110EC414B2C51C00C25CF5B016B1A BFEDD7BACFDE77A3935C6E4E93CCC695CC6E3FE 31A5F26ACDF17C2C5F7BE9C40D6933EF4A9E960574AA3F1650ABF0E523624C 51A33BC9E4C7AFBF9A154BBDBD4A907ED22CAA C21B3EFCDC4E3D670E319954B5A3F304ADC74171 F023F54253F3AC53B039B33BCB24B5112CE7 C:\Users\SAMTAR~1\AppData\Local\Temp\~DF4BC0EC3D TMP FoxPro FPT, blocks size 25, next free block index Size (bytes): Entropy (bit): BC2B02161B5CF4F79EBD CAB3E A1C2291D F73BED7773 B1FE7EF4A250F1FE13C0A75E01E0A6BEBB4321CA7167E9B7BF5759CCF02F6F AC939EABBD27259E1629C2F0AD0C1C C1DBD912A06615A4C16E4C19C DF107B3F25F49C3CAC DC5D9430A7C E7C67E33F1656A427F C:\Users\SAMTAR~1\AppData\Local\Temp\~DFC0CF3607B96F4DE.TMP data Size (bytes): Entropy (bit): FF6BE09EF0EEE36B4E013B503D2723D 7E26C9E014EE91BB06E66F22D53DF4AB5EC4307 AAB729D4719D73F5D724F60CF464719BF1FCC7A431556FEAB13E0B0F00F A45129B32C4ACD0E61D1F1F5233D9C9505C0FF520B41030DB026F4A96EC2F593E ABAB 7C37D3B2F65DBAA5396DD59BDDB6E769C5 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57CEDB95DF3F0AD4EE2DC2BCFD4157 Size (bytes): 1301 Entropy (bit): Microsoft Cabinet archive data, 6509 bytes, 1 file B95F90C3BEA1D0E7ECA664BFA01A720 A2ED44DF03C6971C0A7C335ECEFD996D6BC0652 D2B D1904D73473CE65D4C4F7D64E453041A9B30CF96C73AA0C 4DB9F495F3B3E39D965FEDD1F0C715E3C3B0D FB3F51D2B454943E7AC34B1F71C435299B799FCAF3F 13DAA3BB67C33B221D27C721CCF0F4D67C033 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA974A10C4BD62CC921D13E43B1_BEB37ABADF B E0 4 data Size (bytes): 471 Entropy (bit): F0210FCA CC216A307999E2 D10B6C6F353C30D9B55BFCAADD40E7D493397C 397AD7DB2D20AFD65BA634252E B09E1C9526BD654291D1221F9 Copyright Joe Security LLC 201 Page 10 of 21

11 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA974A10C4BD62CC921D13E43B1_BEB37ABADF B E0 4 C5CA0CE0D36CB0716ECC6E37F96C261EF4E992C6C6B03D7EF703252D5494DE7AAFB22209CBEC0A52ECD39D CF B9949E994C7D29CC513BB690DA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2CB34DD3343FE727DF90D352E0DF data Size (bytes): 4405 Entropy (bit): F49D05A12DAF7DC1437DCCDB1A74 CC31C730E0CB60FF D71ADF1FDB7F B6CAF30D26C9B F0E345C3C5F343AE0D437DE4FEECB0E9E5D9DA27C16 956F073E50CC D01450C632CDCA0CE7B449221FF1DA4C2775D1F1933A5C43FE97994CC7C67EBB 70E177ADA752BFDE76AD061C7B047FB54C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57CEDB95DF3F0AD4EE2DC2BCFD4157 data Size (bytes): 64 Entropy (bit): DE50EE65C6AA D5 040D FE5D7BF606EBD1A5B4DC0 1FAD F41AA59B01A60D2CA9EDB32C761C9660A9AA2A410AE27D 2BC24A5AB79402F2969CDE671B1015ABA1633BAF6F5C095EDCA2C2BFFC915A7D2F5696D7CD6416DD C6E95B04BE6D2D D7114CF9565AA7A1 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA974A10C4BD62CC921D13E43B1_BEB37ABADF B E04 data Size (bytes): 434 Entropy (bit): FE90D949DFE662DCA3245ADD605D D34A9C0E7B6069E39712B5290BD1364E57F353 F F17456ED44EC361CC110FB BEB193094BF5C CF4B9206D5EE3D0625E64C7DFBA1A0C07CA3C79626B6009EB2C7CC10BD7C2CF07E9B0716E7A7A7F0C D55CA137F DE60664E9 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2CB34DD3343FE727DF90D352E0DF data Size (bytes): 452 Entropy (bit): E4B92CC DA001BBF0 5E90F2A66E0BBD05CEBBF042DC69D0CE37 1EA65C41F91C1EDB10D374DF03F7BEDABA7E17CAFDAB CB473CFE01 13F965F9AEE22FEDA44D510464EEE1F244FB1BCC32614F BB26BFC267EF075EDD2BACA444CF71 D522FA4ED656274B966EAAA AD44F3 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416BB2E3A}.ico PNG image data, 16 x 16, 4-bit colormap, non-interlaced Size (bytes): 237 Copyright Joe Security LLC 201 Page 11 of 21

12 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416BB2E3A}.ico Entropy (bit): FB559A E77D64202F6541 EA134D33C2C7F4F4BAA3934AEB1DBFAD3DF31 6DA01DC7647BC21D003B5FE04049E24A B7E0CEBAE76EDF5BB914 0E09356CD123BEA20B7D9A3AAF5CB05249DE7F26FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96AECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 data Size (bytes): 1176 Entropy (bit): A34CB996293FDE2CB7A4AC957393A 3C96C D1A7773CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A4AD296BE25C0CC05A1F34DBAD E1B7D F E70F6B1BE6FD0CA65DCCF4FF D4427D3A77F704AEDFF59D2DBC0D56A6 09B2590CEC0DD6BC4AB30F1DAD0C07A0A3EE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml Size (bytes): Entropy (bit): XML 1.0 document, UTF- Unicode (with BOM) text, with CRLF line terminators CBB1F7720D14D5DAC430D4DDD16E69E E3F1D5237B3BF2A5253EAA95E467237AAAB9A44 ED9E5627FA92143EA02BA62693C2C4E139F0C5A3D D9BE2555FD 6CD90AF5F5E0E40655F32C2FE462424D0976B C46E7FCA1C491E15E71226C45EAD964F654DFB0A044E 6A2F6E2C9DC4AAC47B1F3413F6F9D2C0ED C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9A E-11E-B3E3-CCDA62336E41}.dat Size (bytes): 4660 Microsoft Word Document Entropy (bit): A0F6C DDCD3A 9DEC1B5FEAE1393DCEE01C2BA5C5B0E4D91E0AC 32069A2571FBC799ED C969D770523CB657DDD5AC541CB5A350D9E6 1BA523BC52A5329C449D1EC14BF4245C9A26C62D039D9E915E4FD41C670B299ADF521DDEE929219FBD27CC 9A09AA4A3C3E5B76C7CC416FC707A5467CC62 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9A E-11E-B3E3-CCDA62336E41}.dat Size (bytes): 2712 Microsoft Word Document Entropy (bit): EFBF2409E4796BF567F2CE6A EDDFCCCE52034D4DC55143BD1B3EC9F4EF36E C21CEDF54554FB EC5511B1FC5A2F409DBF4CE123E2CC192A BC2A2ECD10993C406396E911530F2C2C11D9673EDE2CF6F37DE995D9C3BF7A099FDB05176CBB3EE67A7D FFFB0A75FF CF1EC412BD0AD4D2A5BE Copyright Joe Security LLC 201 Page 12 of 21

13 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9A E-11E-B3E3-CCDA62336E41}.dat Size (bytes): Microsoft Word Document Entropy (bit): E7AF7A99C2E2AFB55CB91FAE13697B39 FB3697F5EBF949061A2AE4EEC2EC FE9CAEA2B55A3F1A144CE76E660DD17E59395E9BA4AFE1FACD5E0DC130D94 225C1D3D2937AAAB9C27B12F0C405619BA7F36D04F0AC3B56A0B461CE19355B40FE676E9EE0C91D34A3FE5A4 DD9BF5A77244B25CDCD62F5D5350E3F6EAF562 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver794B.tmp Size (bytes): 1545 Entropy (bit): XML 1.0 document, UTF- Unicode (with BOM) text, with CRLF line terminators 095C726DE7D90E6526DC0D7F3F6 A1CAE12FB7E6C74FB5467C0014B2A27472BE DA E9B4B0D245C5B7E1FAC1242A07DED44EAF3B792E4A231E AB7FD229A6F532AE11E4CCEB01F2310B33D5C740BC9F290C79646C422AFFC27DDB476C931D6E4A966EED97 0E219B6CEBBF6F9A12B6C629B616CDE1615C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\NewErrorPageTemplate[1] Size (bytes): 1310 Entropy (bit): UTF- Unicode (with BOM) text, with CRLF line terminators CDF1E591D9CBFB47A7F97A2BCDB70B9 F12010DFAACDECAD77B70A3E71C707CF D95C6FB16136C795BB63E53FE0B11F9E406494BB575B3B0D60C5F651BD 977DCC2C64ACAF0E5970CEF1A7A72C9F9DC6BB2DA54F057E053CE939E4AB01B163EB7A505E093ABC44 ECAD9D060FDC3E67E2AC67FEE4D070A4CC C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\favicon[2].ico Size (bytes): 237 Entropy (bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D64202F6541 EA134D33C2C7F4F4BAA3934AEB1DBFAD3DF31 6DA01DC7647BC21D003B5FE04049E24A B7E0CEBAE76EDF5BB914 0E09356CD123BEA20B7D9A3AAF5CB05249DE7F26FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96AECE236B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\suggestions[1].en-US data Size (bytes): 1176 Entropy (bit): A34CB996293FDE2CB7A4AC957393A 3C96C D1A7773CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A4AD296BE25C0CC05A1F34DBAD E1B7D F E70F6B1BE6FD0CA65DCCF4FF D4427D3A77F704AEDFF59D2DBC0D56A6 9B2590CEC0DD6BC4AB30F1DAD0C07A0A3EE Copyright Joe Security LLC 201 Page 13 of 21

14 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\suggestions[1].en-US C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\dnserror[1] Size (bytes): 157 Entropy (bit): HTML document, UTF- Unicode (with BOM) text, with CRLF line terminators 73C70B34B5FF15D3A94B9D E9EAA065BD655A1B176E13615FD7E6EF96230A9 3EBD3432A436B4EBA1F3D5F1252E7BD13744A B469C13FCF4 927DCD4ACFDEB0F970CB4EE3F05916B37E1E4E04733ED3356F77CA044D2145E1ABDD4F7CE1C6CA23C1E B1797CC56C4C7E73F60E0FC0D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\httpErrorPagesScripts[1] Size (bytes): 714 Entropy (bit): UTF- Unicode (with BOM) text, with CRLF line terminators 3F57B71CB3EF114DD0B B7B CE6A63F996DF3A1CCCB1720E21204B25E023C 46E019FA34465F4ED096A9665D127B AD2E9BE01EDB1DDBC94D3AD CBF4EF52332AE7EA605F910AD6FA4BC FA4F0943A72CAC2CF0FA32B6AF4C20C697E1FAC2C5 BA16B5A64A23AF0C11EEFBF69625BF9F90CFA C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\errorPageStrings[1] Size (bytes): 3470 Entropy (bit): UTF- Unicode (with BOM) text, with CRLF line terminators 6B26ECFA5E37D4B5EC61FCDD3F04FA B69CD71F6FE35A9CE0D7EA17B5F1B2BAD9EAFA 7F7D1069CAA52C1CEB36E1D9FE6A9C17ECBEFF1F66FC5EBFEB541723A 1676D43B977C07A3F6A5473F12FD16E564703A1CB9771D0F19B EE7940C33A010F0DC521E57332EC4 C4DD693C6A2323C97750E C3F4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ULEAKRVD\iecompatviewlist[1].xml Size (bytes): Entropy (bit): XML 1.0 document, UTF- Unicode (with BOM) text, with CRLF line terminators CE5A2EA36F7070BAA6799FB7C39E0D 70AE543F05CABCD2FBED9C95BF0312A C0654B0B4367B3A02D00BCECD1DB365D6A3D7B747F0B059EB4D016E0D F54676DEA245CB47D3337BA7C0136B9D773FDA9BEF52C5C156CC4F4F212DE46796F0F F2FA1 6436E31E9E369BA0A6513EC6DFFD Contacted Domains/Contacted IPs Contacted Domains Copyright Joe Security LLC 201 Page 14 of 21

15 No contacted domains info Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious unknown unknown unknown Static File Info No static file info Network Behavior Network Port Distribution Total Packets: 92 0 (HTTP) 53 (DNS) Copyright Joe Security LLC 201 Page 15 of 21

16 TCP Packets Timestamp Port Dest Port IP Dest IP May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST Copyright Joe Security LLC 201 Page 16 of 21

17 Timestamp Port Dest Port IP Dest IP May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST UDP Packets Timestamp Port Dest Port IP Dest IP May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST Copyright Joe Security LLC 201 Page 17 of 21

18 Timestamp Port Dest Port IP Dest IP May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST May 9, :47: CEST ICMP Packets Copyright Joe Security LLC 201 Page 1 of 21

19 Timestamp IP Dest IP Checksum Code Type May 9, :47: CEST d009 (Port unreachable) May 9, :47: CEST cfff (Port unreachable) May 9, :47: CEST d009 (Port unreachable) May 9, :47: CEST d00a (Port unreachable) May 9, :47: CEST d00a (Port unreachable) May 9, :47: CEST d00a (Port unreachable) May 9, :47: CEST cffa (Port unreachable) Destination Unreachable Destination Unreachable Destination Unreachable Destination Unreachable Destination Unreachable Destination Unreachable Destination Unreachable HTTP Request Dependency Graph HTTP Packets Session ID IP Port Destination IP Destination Port Process Timestamp kbytes transferred Direction Data May 9, :47: CEST 0 OUT GET /SFINP/frmservlet?config=&form=FFISCW01.fmx&otherparams=par_bedrijfskode=10%20par_factuur_id= %20par_ind_vervanger=N HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: DNT: 1 Connection: Keep-Alive Session ID IP Port Destination IP Destination Port Process Timestamp kbytes transferred Direction Data May 9, :47: CEST 141 OUT GET /SFINP/frmservlet?config=&form=FFISCW01.fmx&otherparams=par_bedrijfskode=10%20par_factuur_id= %20par_ind_vervanger=N/favicon.ico HTTP/1.1 User-Agent: AutoIt Host: Code Manipulations Statistics Behavior iexplore.exe iexplore.exe Copyright Joe Security LLC 201 Page 19 of 21

20 Click to jump to process System Behavior Analysis iexplore.exe PID: 3756 Parent PID: 54 General Start time: 13:46:26 Start date: 09/05/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: '' -Embedding 0x11f bytes CA1F703CD66567E132D2946FB55750 true C, C++ or other language File Activities File Path Access Attributes Options Completion Count File Path Completion Count Old File Path New File Path Completion Count File Path Offset Length Value Ascii Completion Count File Path Offset Length Completion Count Registry Activities Key Path Completion Count Key Path Name Type Data Completion Count Key Path Name Type Old Data New Data Completion Count Copyright Joe Security LLC 201 Page 20 of 21

21 Analysis iexplore.exe PID: 316 Parent PID: 3756 General Start time: 13:46:26 Start date: 09/05/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: '' SCODEF:3756 CREDAT: /prefetch:2 0x11f bytes CA1F703CD66567E132D2946FB55750 true C, C++ or other language File Activities File Path Access Attributes Options Completion Count File Path Offset Length Value Ascii Completion Count File Path Offset Length Completion Count Registry Activities Key Path Name Type Data Completion Count Key Path Name Type Old Data New Data Completion Count Disassembly Code Analysis Copyright Joe Security LLC 201 Page 21 of 21