ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version:



Analysis Report

Overview

General Information
Joe Sandbox Version:
Analysis ID:
Start time: 15:48:15
Joe Sandbox Product: CloudBasic
Start date:
Overall analysis duration: 0h 5m 0s
Hypervisor based Inspection enabled:
Report type: light
Cookbook file name: browseurl.jbs
Sample URL:
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal4.win@9/22@5/3
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  Adjust boot time
  Correcting counters for adjusted boot time
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe
  Execution Graph export aborted for target iexplore.exe, PID 24 because there are no executed function
  Report size getting too big, too many NtDeviceIoControlFile calls found.
  Report size getting too big, too many NtEnumerateKey calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Detection
[Table: Strategy, Score, Range, Reporting, Detection; Threshold; Report FP / FN]

Confidence
[Table: Strategy, Score, Range, Further Analysis Required?, Confidence; Threshold]

Classification
[Figure: classification chart. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Levels: malicious, suspicious, clean]

Analysis Advice
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Signature Overview

AV Detection:
  Multi AV Scanner detection for domain / URL

Networking:
  Social media urls found in memory data
  Downloads files
  Found strings which match to known social media urls
  Performs DNS lookups
  Urls found in memory or binary data

Spreading:
  Enumerates the file system

System Summary:
  Searches the installation path of Mozilla Firefox
  Classification label
  Creates files inside the user directory
  Creates temporary files
  Reads ini files
  Reads software policies
  Spawns processes
  Uses an in-process (OLE) Automation server
  Writes ini files
  Found graphical window changes (likely an installer)
  Uses new MSVCR Dlls

Malware Analysis System Evasion:
  Enumerates the file system

Hooking and other Techniques for Hiding and Protection:
  Disables application error messages (SetErrorMode)

Language, Device and Operating System Detection:
  Queries the volume information (name, serial number etc) of a device

Behavior Graph
[Figure: behavior graph. ID: ; URL: ; Startdate: 29/03/2018; Architecture: WINDOWS; Score: 4. Signature shown: Multi AV Scanner detection for domain / URL. Process nodes: iexplore.exe, ie4uinit.exe, iexplore.exe, ssvagent.exe. Network nodes: ..., 4935, 53, GOOGLE-GoogleIncUS, United States, and 2 other IPs or domains.]

Simulations

Behavior and APIs
  Time      Type              Description
  15:4:31   API Interceptor   1x Sleep call for process: ie4uinit.exe modified
  15:4:31   API Interceptor   4413x Sleep call for process: iexplore.exe modified
  15:4:35   API Interceptor   1x Sleep call for process: ssvagent.exe modified

Antivirus Detection

Initial Sample
  Detection: 16%; Scanner: virustotal; Link: Browse
Dropped Files
  No Antivirus matches
Unpacked PE Files
  No Antivirus matches
Domains
  montealegre.es; Detection: 10%; Scanner: virustotal; Link: Browse

Yara Overview
  Initial Sample: No yara matches
  PCAP (Network Traffic): No yara matches
  Dropped Files: No yara matches
  Memory Dumps: No yara matches
  Unpacked PEs: No yara matches

Joe Sandbox View / Context
  IPs: No context
  Domains: No context
  ASN: No context
  Dropped Files: No context

Startup
System is w7
iexplore.exe (PID: 274 cmdline: '' -Embedding CA1F703CD66567E132D2946FB55750)
  ie4uinit.exe (PID: 2792 cmdline: 'C:\Windows\System32\ie4uinit.exe' -ShowQLIcon 14CF06D CDA3954C49A36)
  iexplore.exe (PID: 24 cmdline: '' SCODEF:274 CREDAT: /prefetch:2 CA1F703CD66567E132D2946FB55750)
    ssvagent.exe (PID: 2232 cmdline: 'C:\PROGRA~1\Java\JRE1~1.0_1\bin\ssvagent.exe' -new 0953A026479FD1E655B75B63B903B7)
  iexplore.exe (PID: 4036 cmdline: unknown CA1F703CD66567E132D2946FB55750)
cleanup

Created / dropped Files

C:\Users\ANNEBO~1\AppData\Local\Temp\JavaDeployReg.log
  ASCII text, with CRLF line terminators; Size (bytes): 9
C:\Users\ANNEBO~1\AppData\Local\Temp\wwwFA23.tmp
  ASCII text, with CRLF line terminators; Size (bytes): 324
C:\Users\ANNEBO~1\AppData\Local\Temp\wwwFA42.tmp
  ASCII text, with CRLF line terminators; Size (bytes): 411
C:\Users\ANNEBO~1\AppData\Local\Temp\wwwFA93.tmp
  ASCII text, with CRLF line terminators; Size (bytes): 452
C:\Users\ANNEBO~1\AppData\Local\Temp\~DF33990CB54B29EBF4.TMP
  FoxPro FPT, blocks size 25, next free block index
C:\Users\ANNEBO~1\AppData\Local\Temp\~DF654D20141E39D5.TMP
  FoxPro FPT, blocks size 25, next free block index
C:\Users\ANNEBO~1\AppData\Local\Temp\~DF96C637A7E90311.TMP
  FoxPro FPT, blocks size 25, next free block index; Size (bytes): 3729
C:\Users\user\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
  data; Size (bytes): 3322
C:\Users\user\AppData\Local\Microsoft\Feeds\{55ACFD B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
  Composite Document File V2 Document, No summary info
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1
  data; Size (bytes): 1176
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DD630D E-A469-AE5BC7F122F5}.dat
  Microsoft Word Document; Size (bytes): 4660
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DD630D E-A469-AE5BC7F122F5}.dat
  Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E E-A469-AE5BC7F122F5}.dat
  Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin \msapplication.xml
  XML document text; Size (bytes): 70
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3I429C6Y\errorPageStrings[1]
  UTF-8 Unicode (with BOM) text, with CRLF line terminators; Size (bytes): 3470
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9FBI2I3W\dnserror[1]
  HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators; Size (bytes): 157
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9FBI2I3W\suggestions[1].en-US
  data; Size (bytes): 1176
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BD4VIIT2\httpErrorPagesScripts[1]
  UTF-8 Unicode (with BOM) text, with CRLF line terminators; Size (bytes): 714
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZOUXUMGP\NewErrorPageTemplate[1]
  UTF-8 Unicode (with BOM) text, with CRLF line terminators; Size (bytes): 1310
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
  Process: C:\Windows\System32\ie4uinit.exe; Size (bytes): 1407
  MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=mon Aug 7 12:4:4 2017, mtime=mon Aug 7 12:4:4 2017, atime=wed May 31 03:32: , length=15312, window=hide
C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  Process: C:\Windows\System32\ie4uinit.exe; ASCII text, with CRLF line terminators; Size (bytes): 75
C:\Users\user\Favorites\Links\Suggested Sites.url
  ASCII text, with CRLF line terminators; Size (bytes): 776

Contacted Domains/Contacted IPs

Contacted Domains
  Name, IP, Active, Malicious, Antivirus Detection, Reputation
  montealegre.es   unknown   unknown   10%, virustotal, Browse

Contacted IPs

[Figure: map of contacted IPs. Legend: No. of IPs below 25%, 25% to 50%, 50% to 75%, above 75%]

  IP, Country, Flag, ASN, ASN Name, Malicious
  ...   United States   GOOGLE-GoogleIncUS   unknown
  Remaining entries: unknown

Static File Info
No static file info

Network Behavior

Network Port Distribution
[Figure: port distribution chart. Total Packets: ; entries: (HTTP), 53 (DNS)]

TCP Packets
[Table: Timestamp, Port, Dest Port, IP, Dest IP. Rows dated Mar 29, CEST.]

UDP Packets
[Table: Timestamp, Port, Dest Port, IP, Dest IP. Rows dated Mar 29, CEST.]

ICMP Packets
  Timestamp, IP, Dest IP, Checksum, Code, Type
  8 rows dated Mar 29, CEST, each with Code: (Port unreachable) and Type: Destination Unreachable

DNS Queries
  Timestamp, IP, Dest IP, Trans ID, OP Code, Name, Type, Class
  Mar 29, :49: CEST   x7c6   Standard query (0)   montealegre.es   A (IP address)   IN (0x0001)
  Mar 29, :49: CEST   x7c6   Standard query (0)   montealegre.es   A (IP address)   IN (0x0001)
  Mar 29, :49: CEST   x7c6   Standard query (0)   montealegre.es   A (IP address)   IN (0x0001)
  Mar 29, :49: CEST   x7c6   Standard query (0)   montealegre.es   A (IP address)   IN (0x0001)
  Mar 29, :49: CEST   x7c6   Standard query (0)   montealegre.es   A (IP address)   IN (0x0001)

Code Manipulations

Statistics

Behavior
[Figure: per-process behavior chart for iexplore.exe, ie4uinit.exe, iexplore.exe, ssvagent.exe, iexplore.exe]

System Behavior

Analysis iexplore.exe PID: 274 Parent PID: 544

General
  Start time: 15:4:31
  Start date: 29/03/2018
  Path:
  Wow64 process (32bit):
  Commandline: '' -Embedding
  Imagebase: 0x13d
  File size: bytes
  MD5 hash: CA1F703CD66567E132D2946FB55750
  Has administrator privileges: true
  Programmed in: C, C++ or other language

File Activities

Registry Activities

Analysis ie4uinit.exe PID: 2792 Parent PID: 274

General
  Start time: 15:4:31
  Start date: 29/03/2018
  Path: C:\Windows\System32\ie4uinit.exe
  Wow64 process (32bit):
  Commandline: 'C:\Windows\System32\ie4uinit.exe' -ShowQLIcon
  Imagebase: 0xcb
  File size: bytes
  MD5 hash: 14CF06D CDA3954C49A36
  Has administrator privileges: true
  Programmed in: C, C++ or other language

File Activities

File Created
  File Path: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
    Access: read data or list directory and synchronize
    Attributes: normal
    Options: directory file and synchronous io non alert and open for backup ident and open reparse point
    Completion: object name collision
    Count: 1
    CBAAAD CreateDirectoryW
  File Path: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
    Access: read data or list directory and synchronize
    Attributes: normal
    Options: directory file and synchronous io non alert and open for backup ident and open reparse point
    Completion: object name collision
    Count: 1
    CBA474 SHCreateDirectory

Registry Activities

Key Value Created
  Key Path: HKEY_USERS\Software\Microsoft\Internet Explorer\Setup
    Name: HaveCreatedQuickLaunchitems
    Type: dword
    Data: 1
    Completion: success or wait
    Count: 1
    CBB705 RegSetValueExW

Analysis iexplore.exe PID: 24 Parent PID: 274

General
  Start time: 15:4:34
  Start date: 29/03/2018
  Path:
  Wow64 process (32bit):
  Commandline: '' SCODEF:274 CREDAT: /prefetch:2
  Imagebase: 0x13d
  File size: bytes
  MD5 hash: CA1F703CD66567E132D2946FB55750
  Has administrator privileges: true
  Programmed in: C, C++ or other language

File Activities

Registry Activities

Analysis ssvagent.exe PID: 2232 Parent PID: 24

General
  Start time: 15:4:35
  Start date: 29/03/2018
  Path: C:\Program Files\Java\jre1..0_144\bin\ssvagent.exe
  Wow64 process (32bit):
  Commandline: 'C:\PROGRA~1\Java\JRE1~1.0_1\bin\ssvagent.exe' -new
  Imagebase: 0xeb
  File size: bytes
  MD5 hash: 0953A026479FD1E655B75B63B903B7
  Has administrator privileges: true
  Programmed in: C, C++ or other language

Registry Activities

Analysis iexplore.exe PID: 4036 Parent PID: 274

General
  Start time: 15:49:26
  Start date: 29/03/2018
  Path:
  Wow64 process (32bit):
  Commandline: unknown
  Imagebase: 0x13d
  File size: bytes
  MD5 hash: CA1F703CD66567E132D2946FB55750
  Has administrator privileges: true
  Programmed in: C, C++ or other language

Disassembly

Code Analysis

Copyright Joe Security LLC 2018


ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version: ID: 153 Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/0/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version: ID: 41000 Cookbook: browseurl.jbs Time: 1:05:31 Date: 26/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version:

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version: ID: 0309 Sample Name: image002 Cookbook: default.jbs Time: 1:19:2 Date: 1/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: ID: 66523 Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version:

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version: ID: 6467 Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal ID: Cookbook: urldownload.jbs Time: 0:25:02 Date: 29//201 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://15.1..14/neko.sh Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version: ID: 4441 Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version:

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version: ID: 5250 Sample Name: test.txt Cookbook: default.jbs Time: 13:18:3 Date: 31/03/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version:

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version: ID: 34788 Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 0:43:5 Date: 21/10/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

More information

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal ID: 82913 Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.learningtoolkit.club Overview General Information

More information

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: ID: 70096 Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version: ID: 64646 Cookbook: urldownload.jbs Time: 1:4:3 Date: 19/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version:

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version: ID: 54427 Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version:

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version: ID: 6045 Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/0/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0.

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0. ID: 25 Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:4 Date: 20/09/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Payment_Remittance#.xps

More information

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version:

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version: ID: 371 Sample Name: fly.jse Cookbook: default.jbs Time: 1:17:2 Date: 11/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version:

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version: ID: 58133 Sample Name: Serial.txt Cookbook: default.jbs Time: 02:5:20 Date: 0/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version:

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version: ID: 48 Sample Name: maintools.js Cookbook: default.jbs Time: 1:43:3 Date: 1/02/2018 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version: ID: 49 Cookbook: urldownload.jbs Time: 19:: Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice

More information

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version:

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version: ID: 371 Sample Name: 21PO201745.jpg...js Cookbook: default.jbs Time: 14:32:0 Date: 21/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: ID: 80599 Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://www.qbproadvisorshelp.com Overview General Information Detection

More information

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: ID: 54075 Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0.

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0. ID: 54478 Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0.

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0. ID: 5762 Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: :36:2 Date: 04/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: ID: 75522 Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: 23.0.0 Table of Contents Table of Contents 2 Analysis Report http://www.springdwnld2.com/download/? d=0&h=1&pnid=4&domain=hmapsanddrivingdirection.com&implementation_id=maps_spt_&source=g-ccc7-lp0-

More information

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: ID: 67658 Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview

More information

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version:

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version: ID: 4253 Sample Name: text_0.txt Cookbook: default.jbs Time: 1:20:15 Date: 12/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: ID: 46703 Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: 21.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version: ID: 60306 Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version:

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: ID: 80115 Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report js.jar Overview General Information

More information

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0.

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0. ID: 64635 Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 1/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version:

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version: ID: 3393 Sample Name: quzpecasrh Cookbook: default.jbs Time: 1:55:54 Date: 0//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version:

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: ID: 42035 Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version:

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: ID: 55401 Sample Name: E203182DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: ID: 40269 Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version: ID: 0 Cookbook: urldownload.jbs Time: 20:4:24 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook. ID: 63341 Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 08:43:14 Date: 10/06/2018 Version: 22.0.0 Table of Contents

More information

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version:

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version: ID: 47020 Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: :19:47 Date: 19/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version:

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: ID: 41280 Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: ID: 34266 Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: ID: 51630 Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: ID: 46161 Sample Name: tesseract-ocrsetup-3.05.01.exe Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version: ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version:

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version: ID: 22 Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:0:2 Date: 02/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version:

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: ID: 53619 Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: ID: 59136 Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version:

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version: ID: 001 Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:4 Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version: ID: 6600 Cookbook: urldownload.jbs Time: 21:2:55 Date: 2/06/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: ID: 50608 Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version:

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version: ID: 042 Sample Name: test Cookbook: default.jbs Time: 09:4:1 Date: 21/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date:

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date: ID: 33355 Sample Name: ff2c8cadaa0fd8da138ccefce3e001f53a5dceccd45b15ae23f4d51.evaljs.js Cookbook: default.jbs Time: 1:44:00 Date: 04//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report

More information

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version: ID: 94 Cookbook: urldownload.jbs Time: 1:10:9 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0.

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0. ID: 4457 Sample Name: #Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General

More information

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version:

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version: ID: 41861 Sample Name: PO65445465.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03::36 Date: 08/01/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: ID: 41304 Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview

More information

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version:

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version: ID: 82 Sample Name: GeZNwROcB.bin Cookbook: default.jbs Time: 1:22:4 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version:

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version: ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version:

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version: ID: 388 Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:4 Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version:

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version: ID: 4019 Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24: Date: 1/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version:

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version: ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0.

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0. ID: 64992 Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 21/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version:

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version: ID: Sample Name: gpgwin-.0..exe.sig Cookbook: default.jbs Time: 21::1 Date: 02/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version:

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version: ID: 44024 Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:4:49 Date: 2/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: ID: 59176 Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version:

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version: ID: 80 Sample Name: Unconfirmed.crdownload Cookbook: default.jbs Time: 22:8:0 Date: 08/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: ID: 41310 Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: 31/12/2017 Version: 20.0.0 Table of Contents Analysis Report

More information

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version:

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version: ID: 6036 Sample Name: wtf.bat Cookbook: default.jbs Time: 1:32:35 Date: 19/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version: ID: 2 Sample Name:._k.php Cookbook: default.jbs Time: 0:41:1 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version:

ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version: ID: 44491 Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:4:31 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: ID: 45263 Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version:


ID: Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: Fire Opal


ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.


ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0.


ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version:


ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.


ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version:
