ID: Sample Name: 17Order List.pdf.exe Cookbook: default.jbs Time: 13:48:26 Date: 19/10/2017 Version:


2 Table of Contents Analysis Report Overview Information Detection Confidence Classification Signature Overview AV Detection: Networking: Boot Survival: Persistence and Installation Behavior: Data Obfuscation: Spreading: System Summary: HIPS / PFW / Operating System Protection Evasion: Anti Debugging: Malware Analysis System Evasion: Hooking and other Techniques for Hiding and Protection: Language, Device and Operating System Detection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshot Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info File Icon Static PE Info Entrypoint Preview Data Directories Sections Resources Imports Network Behavior Table of Contents Copyright Joe Security LLC 2017 Page 2 of

3 Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers Code Manipulations Statistics Behavior System Behavior Analysis Process: 17Order List.pdf.exe PID: 3088 Parent PID: 2864 File Activities Analysis Process: asz$server.exe PID: 3148 Parent PID: 3088 File Activities File Created File Written Analysis Process: rundll.exe PID: 3164 Parent PID: 3148 Analysis Process: win32.exe PID: 3184 Parent PID: 3088 File Activities Analysis Process: cmd.exe PID: 3248 Parent PID: 3184 Analysis Process: reg.exe PID: 3280 Parent PID: 3248 Registry Activities Key Value Created Analysis Process: RegAsm.exe PID: 3288 Parent PID: 3184 Analysis Process: cvtres.exe PID: 3324 Parent PID: 3184 File Activities File Written Analysis Process: rundll.exe PID: 3336 Parent PID: 3324 Analysis Process: explorer.exe PID: 3352 Parent PID: 2824 File Activities File Created Analysis Process: explorer.exe PID: 3380 Parent PID: 548 File Activities Analysis Process: win32.exe PID: 3412 Parent PID: 3380 Disassembly Code Analysis Copyright Joe Security LLC 2017 Page 3 of 25

4 Analysis Report Overview Information Joe Sandbox Version: Analysis ID: Start time: 13:48:26 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 4m 56s light 17Order List.pdf.exe default.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 16 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: MAL HCA enabled EGA enabled HDC enabled mal84.evad.troj.winexe@21/5@3/1 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: Successful, ratio: 100% HDC Information: Successful, ratio:.2% (good quality ratio 80%) Quality average: 68.7% Quality standard deviation: 38.5% Cookbook Comments: Warnings: Found application associated with file extension:.exe Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java,.Net, VB or Delphi, or parses a document) for: 17Order List.pdf.exe, win32.exe, RegAsm.exe, win32.exe Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Copyright Joe Security LLC 2017 Page 4 of 25

Strategy Score Range Further Analysis Required? Threshold Confidence

Classification
[Classification chart. Categories: Ransomware, Evader, Spreading, Exploiter, Phishing, Spyware, Banker, Adware, Trojan / Bot. Scale: clean, suspicious, malicious.]

Signature Overview

AV Detection:
Antivirus detection for domain / URL
Antivirus detection for dropped file

Networking:
Contains functionality to download additional files from the internet
Found strings which match to known social media urls
Performs DNS lookups
Urls found in memory or binary data
Detected TCP or UDP traffic on non-standard ports
Uses dynamic DNS services

Boot Survival:
Creates an autostart registry key

Persistence and Installation Behavior:
Drops PE files

Data Obfuscation:
Binary may include packed or encrypted code
Contains functionality to dynamically determine API calls
Uses code obfuscation techniques (call, push, ret)

Spreading:
Contains functionality to enumerate / list files inside a directory
Enumerates the file system

System Summary:
Uses Microsoft Silverlight
PE file contains a COM descriptor data directory
PE file has a big code size
Submission file is bigger than most known malware samples
PE file has a big raw section
Contains modern PE file flags such as dynamic base (ASLR) or NX
Binary contains paths to debug symbols
Classification label
Contains functionality to adjust token privileges (e.g. debug / backup)
Contains functionality to check free disk space
Contains functionality to enum processes or threads
Contains functionality to load and extract PE file embedded resources
Creates files inside the user directory
Creates temporary files
Found command line output
Launches a second explorer.exe instance
PE file has an executable .text section and no other executable section
Parts of this applications are using Borland Delphi (Probably coded in Delphi)
Parts of this applications are using the .net runtime (Probably coded in C#)
Reads ini files
Reads software policies
Spawns processes
Uses an in-process (OLE) Automation server
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
PE file contains strange resources
Reads the hosts file
Sample file is different than original file name gathered from version info
Sample reads its own file content
Uses reg.exe to modify the Windows registry
Initial sample is a PE file and has a suspicious name

HIPS / PFW / Operating System Protection Evasion:
May try to detect the Windows Explorer process (often used for injection)
Contains functionality to inject threads in other processes
Modifies the context of a thread in another process (thread injection)

Anti Debugging:
Contains functionality to register its own exception handler
Creates guard pages, often used to prevent reverse engineering and debugging
Checks for debuggers (devices)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges

Malware Analysis System Evasion:
Contains functionality to enumerate / list files inside a directory
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Program exit points
Queries a list of all running processes
Contains long sleeps (>= 3 min)
Enumerates the file system
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)
Uses an obfuscated file name to hide its real file extension (double extension)

Language, Device and Operating System Detection:
Contains functionality to query windows version
Queries the cryptographic machine GUID
Contains functionality locales information (e.g. system language)
Queries the volume information (name, serial number etc) of a device

Behavior Graph
[Behavior graph figure. Sample: 17Order List.pdf.ex..., Startdate: 19/10/2017, Architecture: WINDOWS, Score: 84. Process nodes: 17Order List.pdf.ex..., asz$server.exe, win32.exe, rundll.exe, cmd.exe, cvtres.exe, reg.exe, explorer.exe. Dropped PE32 files: asz$server.exe, win32.exe, rundll.exe. Network nodes: blackhills.ddns.net, MELBICOM-EU-ASNL, Lithuania. Node annotations: Antivirus detection for dropped file; Detected TCP or UDP traffic on non-standard ports; Modifies the context of a thread in another process (thread injection); Contains functionality to inject threads in other processes; Sample execution stops while process was sleeping (likely an evasion).]

Simulations

Behavior and APIs
Time Type Description
13:48:32 API Interceptor 2x Sleep call for process: win32.exe modified from: 60000ms to: 500ms
13:48:34 API Interceptor 1x Sleep call for process: RegAsm.exe modified from: 60000ms to: 500ms
13:48:38 API Interceptor 2x Sleep call for process: explorer.exe modified from: 60000ms to: 500ms
13:48:38 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Load C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.lnk

9 Antivirus Detection Initial Sample No Antivirus matches Dropped Files Detection Cloud Link C:\Users\HERBBL~1\AppData\Local\Temp\rundll.exe 66% virustotal Browse C:\Users\HERBBL~1\AppData\Local\Temp\rundll.exe 3% metadefender Browse C:\Users\user\AppData\Local\Temp\asz$server.exe 7% virustotal Browse Domains Detection Cloud Link blackhills.ddns.net 5% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs Match Associated Sample Name / URL SHA 256 Detection Link Context Order.exe 42e4c0e02aa104b1ad5ab044 malicious cc43d883f6da0251bee5a6a5e 1cffcafaf 13FYI.exe 154b62caee4544fe8d63544 malicious a880c4ad40261b1b 7b2660f3e3 Browse Browse Domains Copyright Joe Security LLC 2017 Page of 25

10 Match Associated Sample Name / URL SHA 256 Detection Link Context blackhills.ddns.net Order.exe 42e4c0e02aa104b1ad5ab044 malicious Browse cc43d883f6da0251bee5a6a5e 1cffcafaf 13FYI.exe 154b62caee4544fe8d63544 malicious Browse a880c4ad40261b1b 7b2660f3e3 ASN Match Associated Sample Name / URL SHA 256 Detection Link Context MELBICOM-EU-ASNL 13FYI.exe 154b62caee4544fe8d63544 malicious Browse a880c4ad40261b1b 7b2660f3e3 Dropped Files Match C:\Users\user\AppData\Local\Temp\asz$server.ex e C:\Users\HERBBL~1\AppData\Local\Temp\rundll.e xe Associated Sample Name / URL SHA 256 Detection Link Context Order.exe 13FYI.exe Order.exe 13FYI.exe 42e4c0e02aa104b1ad5ab044 malicious cc43d883f6da0251bee5a6a5e 1cffcafaf 154b62caee4544fe8d63544 malicious a880c4ad40261b1b 7b2660f3e3 42e4c0e02aa104b1ad5ab044 malicious cc43d883f6da0251bee5a6a5e 1cffcafaf 154b62caee4544fe8d63544 malicious a880c4ad40261b1b 7b2660f3e3 Browse Browse Browse Browse Screenshot Copyright Joe Security LLC 2017 Page 10 of 25

Startup

System is w7
cleanup
17Order List.pdf.exe (PID: 3088 cmdline: 'C:\Users\user\Desktop\17Order List.pdf.exe' MD5: 858EA2E06E157BB77624B315F4FFAB)
asz$server.exe (PID: 3148 cmdline: 'C:\Users\user\AppData\Local\Temp\asz$server.exe' MD5: 3CEB55B012EA51B8FF0B7E8B8B267)
rundll.exe (PID: 3164 cmdline: C:\Users\HERBBL~1\AppData\Local\Temp\rundll.exe MD5: F1A5C11B4DDE67B2FC F)
win32.exe (PID: 3184 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.exe' -n MD5: 858EA2E06E157BB77624B315F4FFAB)
cmd.exe (PID: 3248 cmdline: 'C:\Windows\System32\cmd.exe' /c reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce' /v 'Load' /d 'C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.lnk' /f MD5: AD7BC14083B52BC532FBA548342B8)
reg.exe (PID: 3280 cmdline: reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce' /v 'Load' /d 'C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.lnk' /f MD5: D6AABBB0D75F215C2F48C1EB560)
RegAsm.exe (PID: 3288 cmdline: C:\Windows\Microsoft.NET\Framework\v \RegAsm.exe MD5: F C408207C16F5CBD18A21)
cvtres.exe (PID: 3324 cmdline: C:\Windows\Microsoft.NET\Framework\v \cvtres.exe MD5: C085AE74F0882F208D75DE27770DFA)
rundll.exe (PID: 3336 cmdline: C:\Users\HERBBL~1\AppData\Local\Temp\rundll.exe MD5: F1A5C11B4DDE67B2FC F)
explorer.exe (PID: 3352 cmdline: explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.lnk MD5: 6DDCA324434FFA506CF7DC4E51DB735)
explorer.exe (PID: 3380 cmdline: C:\Windows\explorer.exe /factory,{75dff2b c06-a8bb-676a7b00b24b} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB735)
win32.exe (PID: 3412 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.exe' MD5: 858EA2E06E157BB77624B315F4FFAB)

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\rundll.exe File Type: MD5: SHA1: SHA-256: PE32 executable (GUI) Intel 80386, for MS Windows F1A5C11B4DDE67B2FC F 0674DB7C7B0AEED58281DE8D31EFE1A43B81DF6 
D142C0342A540A8B78FE64C2A0E60DA4CDA5F45D3D54D0502ABC41E2FEF Copyright Joe Security LLC 2017 Page 11 of 25

12 C:\Users\HERBBL~1\AppData\Local\Temp\rundll.exe SHA-512: Malicious: Antivirus: FB1EFEC311A5C8F CA5F56BFF2B18CD8CB48C85CEAF1D1AB01D04BCB8F6C122F121D15BC5EBB6ADA506CE572AB BB1A0C102AC D65B5FDF true Antivirus: virustotal, Detection: 66%, Browse Antivirus: metadefender, Detection: 3%, Browse C:\Users\user\AppData\Local\Temp\asz$server.exe File Type: MD5: SHA1: SHA-256: SHA-512: Malicious: Antivirus: PE32 executable (GUI) Intel 80386, for MS Windows 3CEB55B012EA51B8FF0B7E8B8B267 7E442747FCB5C87EF3C87CE1C5C257E FDA24105F432E7EF6FA C6DA71D0FA486C2E7EE4056F11E31D2CB0 3374E0250F10C8846FA5CE5CF666E22308CBE5D4627E04BD68C2DB0602D7142F647A B41DBB28CA45ED76A1522F F85261CF4DA200D E2E true Antivirus: virustotal, Detection: 7%, Browse C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\SbeosJO.txt File Type: MD5: SHA1: SHA-256: SHA-512: Malicious: ASCII text, with very long lines, with no line terminators DC8D615DAF28C3873C326F2C E6E6B67FEA1A02E6E7BDE0A037400C878AEE06 6E058C3CF567B11B3D85A6DFB0BD7AC365D0F58DE7487E3735EAC848FEDFC C7CB7ED682EC0703F31D6BDC5F66A4F51BC328ABCA40602F3A61EA5ACAB81047F78DB581D1A3D1CB0412B3547D06 23EAC D5A1C1F6BE15 C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.exe File Type: MD5: SHA1: SHA-256: SHA-512: Malicious: PE32 executable (GUI) Intel Mono/.Net assembly, for MS Windows 858EA2E06E157BB77624B315F4FFAB 3861A D5A177BC67E0C65B58BA4382F D43876BDF3EF6BC32A661D53D48F2FE122C5D4F1E840A6DB7D24EAB28EA0E ECBEAB4EFEC443EF6BD0225CC776111CB7066CCB0A651284ED2B24F8A0853A136B8E26EAAD0AAB8B0E7ABE3F47327 E36CE7CFBC15F270630EA60B242A14 true C:\Users\user\AppData\Roaming\win32.lnk File Type: MD5: SHA1: SHA-256: SHA-512: Malicious: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=thu Oct 1 11:48: , mtime=thu Oct 1 11:48: , atime=thu Oct 1 11:48: , length=128408, window= 10ACA3725AE0E788A8D8257D76F22A 7D820E4F101BA5A74A742EE6FF8E1F74DAB3CD81 
AA35855D8F5CA30B768A8A57E088B2244C0D51505C3D463785D5B BA03DDB7814BE8D2C22CC743C C63DFCFAD315FA1F4EF8CA327128ACCFB1201C8CD2BDEA683EB0C52DE5FB FF5A078D775A25243F3DE8E18EDF8 Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection blackhills.ddns.net true true 5%, virustotal, Browse Contacted IPs Copyright Joe Security LLC 2017 Page 12 of 25

13 No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious Lithuania MELBICOM-EU-ASNL true Static File Info File type: PE32 executable (GUI) Intel Mono/.Net assemb ly, for MS Windows TrID: Win32 Executable (generic) a ( /4).23% Generic CIL Executable (.NET, Mono, etc.) (7326/58) 0.73% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00% File name: File size: MD5: SHA1: SHA256: SHA512: File Content Preview: 17Order List.pdf.exe 858ea2e06e157bb77624b315f4ffab 3861a d5a177bc67e0c65b58ba4382f d43876bdf3ef6bc32a661d53d48f2fe122c5d4f1e840a6db 7d24eab28ea0e ecbeab4efec443ef6bd0225cc776111cb7066ccb0a ed2b24f8a0853a136b8e26eaad0aab8b0e7abe3f4 7327e36ce7cfbc15f270630ea60b242a14 MZ...@...!..L.!Th is program cannot be run in DOS mode...$...pe..l....y..."...t...na......`...@ @... File Icon Static PE Info Entrypoint: 0x53414e Copyright Joe Security LLC 2017 Page 13 of 25

14 Entrypoint Section:.text Digitally signed: 0x Subsystem: windows gui Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT Time Stamp: 0x5E80303 [Thu Oct 1 01:42: UTC] TLS Callbacks: CLR (.Net) Version: v OS Version Major: 4 OS Version Minor: 0 File Version Major: 4 File Version Minor: 0 Subsystem Version Major: 4 Subsystem Version Minor: 0 Import Hash: f34d5f2d4577ed6dceec516c1f5a744 Entrypoint Preview Instruction jmp dword ptr [ h] Copyright Joe Security LLC 2017 Page 14 of 25

15 Instruction Data Directories Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IMPORT 0x1340f8 0x53.text IMAGE_DIRECTORY_ENTRY_RESOURCE 0x x706.rsrc IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0 IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BASERELOC 0x13e000 0xc.reloc IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0 Copyright Joe Security LLC 2017 Page 15 of 25

16 Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IAT 0x2000 0x8.text IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008 0x48.text IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0 Sections Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics.text 0x2000 0x x False data IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ.rsrc 0x x706 0x7200 False data IMAGE_SCN_CNT_INITIALIZED _DATA, IMAGE_SCN_MEM_READ.reloc 0x13e000 0xc 0x200 False dbase IV DBT of P1.DBF, blocks size 12, next free block index IMAGE_SCN_CNT_INITIALIZED _DATA, IMAGE_SCN_MEM_DISCARDA BLE, IMAGE_SCN_MEM_READ Resources Name RVA Size Type Language Country RT_ICON 0x13618c 0x3228 dbase IV DBT of \200.DBF, blocks size 64, block length 12288, next free block index 40, 1st item "\233\236\207\211\213\377\377\377\304\304\306\232\23 3\236\340\340\341\243\244\245\276\276\277\303\304\30 5\266\270\271\233\234\236\353\353\353\225\225\230\26 5\265\267\232\233\235\204\205\210\300\301\302\204\20 5\210\214\215\221\253\254\257\234\235\237\252" RT_ICON 0x133b4 0x25a8 dbase IV DBT of `.DBF, blocks size 48, block length 216, next free block index 40, 1st item "\217\220\222\377\356\356\356\377\261\260\263\377\33 0\330\331\377\363\363\364\377\301\300\302\377\275\27 5\276\377\236\237\241\377\233\234\236\377\254\255\26 0\377\230\231\233\377\253\254\256\377\247\250\252\37 7\211\212\216\377\250\251\253\377\243\244\246" RT_ICON 0x13b5c 0x10a8 data RT_ICON 0x13ca04 0x468 GLS_BINARY_LSB_FIRST RT_GROUP_ICON 0x13ce6c 0x3e MS Windows icon resource - 4 icons, 64x64, 256-colors RT_MANIFEST 0x13ceac 0x1ea XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators Imports DLL mscoree.dll Import _CorExeMain Network Behavior Network Port Distribution Total Packets: undefined 53 (DNS) Copyright Joe Security LLC 2017 Page 16 of 25

TCP Packets
Timestamp Port Dest Port IP Dest IP

UDP Packets
Timestamp Port Dest Port IP Dest IP

DNS Queries
Timestamp IP Dest IP Trans ID OP Code Name Type Class
Oct 1, :4: CEST x6c72 Standard query (0) blackhills.ddns.net A (IP address) IN (0x0001)
Oct 1, :4: CEST x536 Standard query (0) blackhills.ddns.net A (IP address) IN (0x0001)
Oct 1, :50: CEST x3d5d Standard query (0) blackhills.ddns.net A (IP address) IN (0x0001)

DNS Answers
Timestamp IP Dest IP Trans ID Replay Code Name CName Address Type Class
Oct 1, 13:4: CEST x6c72 No error (0) blackhills.ddns.net A (IP address) IN (0x0001)
Oct 1, 13:4: CEST x536 No error (0) blackhills.ddns.net A (IP address) IN (0x0001)
Oct 1, 13:50: CEST x3d5d No error (0) blackhills.ddns.net A (IP address) IN (0x0001)

20 Code Manipulations Statistics Behavior 17Order List.pdf.exe asz$server.exe rundll.exe win32.exe cmd.exe reg.exe RegAsm.exe cvtres.exe rundll.exe explorer.exe explorer.exe win32.exe Click to jump to process System Behavior Analysis Process: 17Order List.pdf.exe PID: 3088 Parent PID: 2864 Start time: 13:48:16 Start date: 1/10/2017 Path: Wow64 process (32bit): Commandline: File size: MD5 hash: Programmed in: C:\Users\user\Desktop\17Order List.pdf.exe 'C:\Users\user\Desktop\17Order List.pdf.exe' 0x bytes 858EA2E06E157BB77624B315F4FFAB.Net C# or VB.NET File Activities File Path Access Attributes Options Completion Count File Path Completion Count File Path Offset Length Value Ascii Completion Count Analysis Process: asz$server.exe PID: 3148 Parent PID: 3088 Start time: 13:48:23 Start date: 1/10/2017 Copyright Joe Security LLC 2017 Page 20 of 25

21 Path: Wow64 process (32bit): Commandline: File size: MD5 hash: Programmed in: Antivirus matches: C:\Users\user\AppData\Local\Temp\asz$server.exe 'C:\Users\user\AppData\Local\Temp\asz$server.exe' 0x bytes 3CEB55B012EA51B8FF0B7E8B8B267 Borland Delphi Detection: 7%, virustotal, Browse File Activities File Created File Path Access Attributes Options Completion Count C:\Users\HERBBL~1\AppData\Local\Temp\rundll.exe read attributes normal and synchronize and generic read and generic write synchronous io non alert and n on directory file success or wait 1 40A3EE CreateFileW File Written File Path Offset Length Value Ascii Completion Count C:\Users\HERBBL~1\AppData\Local\Temp\rundll.exe unknown d 5a ff ff b d e 1f ba 0e 00 b4 0 cd 21 b8 01 4c cd f d e 6e 6f e e f d 6f e 0d 0d 0a d8 5a c3 24 b6 0 c3 24 b6 0 c3 24 b6 0 d8 b 28 0 c1 24 b6 0 d8 b 1c 0 c4 24 b6 0 ca 5c 25 0 c6 24 b6 0 c3 24 b7 0 df 24 b6 0 d8 b 1 0 c6 24 b6 0 d8 b 2b 0 c2 24 b c3 24 b c d5 bd e e b 01 0a e e MZ...@ !..L.!This program cannot be run in DOS mode... $...E.Z.$...$...$...(..$...$...\%..$...$...$....$...+..$..Rich.$......PE..L...U success or wait 1 40A275 WriteFile Analysis Process: rundll.exe PID: 3164 Parent PID: 3148 Start time: 13:48:23 Start date: 1/10/2017 Path: Wow64 process (32bit): Commandline: C:\Users\HERBBL~1\AppData\Local\Temp\rundll.exe C:\Users\HERBBL~1\AppData\Local\Temp\rundll.exe 0x Copyright Joe Security LLC 2017 Page 21 of 25

22 File size: MD5 hash: Programmed in: Antivirus matches: 7680 bytes F1A5C11B4DDE67B2FC F C, C++ or other language Detection: 66%, virustotal, Browse Detection: 3%, metadefender, Browse Analysis Process: win32.exe PID: 3184 Parent PID: 3088 Start time: 13:48:25 Start date: 1/10/2017 Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.exe Wow64 process (32bit): Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.exe' -n 0x6e File size: bytes MD5 hash: 858EA2E06E157BB77624B315F4FFAB Programmed in:.net C# or VB.NET File Activities File Path Access Attributes Options Completion Count Old File Path New File Path Completion Count File Path Offset Length Value Ascii Completion Count Analysis Process: cmd.exe PID: 3248 Parent PID: 3184 Start time: 13:48:33 Start date: 1/10/2017 Path: Wow64 process (32bit): Commandline: File size: MD5 hash: Programmed in: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c reg add 'HKEY_CURRENT_USER\Software\Microsoft\W indows\currentversion\runonce' /v 'Load' /d 'C:\Users\user\AppData\Roaming\Microsoft\Windo ws\dwidesk\win32.lnk' /f 0x755c bytes AD7BC14083B52BC532FBA548342B8 C, C++ or other language Analysis Process: reg.exe PID: 3280 Parent PID: 3248 Start time: 13:48:33 Start date: 1/10/2017 Path: Wow64 process (32bit): C:\Windows\System32\reg.exe Commandline: reg add 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce' /v 'Load' /d 'C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.lnk' /f File size: 0x75a bytes Copyright Joe Security LLC 2017 Page 22 of 25

23 MD5 hash: Programmed in: D6AABBB0D75F215C2F48C1EB560 C, C++ or other language Registry Activities Key Value Created Key Path Name Type Data Completion Count HKEY_USERS\Software\Microsoft\ Windows\CurrentVersion\RunOnce Load unicode C:\Users\user\AppData\Roaming\ Microsoft\Windows\DwiDesk\win32.lnk success or wait 1 1B3726 RegSetValueExW Analysis Process: RegAsm.exe PID: 3288 Parent PID: 3184 Start time: 13:48:34 Start date: 1/10/2017 Path: Wow64 process (32bit): Commandline: File size: MD5 hash: Programmed in: C:\Windows\Microsoft.NET\Framework\v \RegAsm.exe C:\Windows\Microsoft.NET\Framework\v \RegAsm.exe 0x6e bytes F C408207C16F5CBD18A21.Net C# or VB.NET Analysis Process: cvtres.exe PID: 3324 Parent PID: 3184 Start time: 13:48:34 Start date: 1/10/2017 Path: Wow64 process (32bit): Commandline: File size: MD5 hash: Programmed in: C:\Windows\Microsoft.NET\Framework\v \cvtres.exe C:\Windows\Microsoft.NET\Framework\v \cvtres.exe 0x bytes C085AE74F0882F208D75DE27770DFA Borland Delphi File Activities File Written File Path Offset Length Value Ascii Completion Count Copyright Joe Security LLC 2017 Page 23 of 25

24 File Path Offset Length Value Ascii Completion Count unknown unknown d 5a MZ...@ ff ff b !..L.!This program cannot be run in DOS mode $...E.Z.$...$...$...(..$ $...\%..$...$...$ $...+..$..Rich.$ d PE..L...U... 0e 1f ba 0e 00 b4 0 cd b8 01 4c cd f d e 6e 6f e e f d 6f e 0d 0d 0a d8 5a c3 24 b6 0 c3 24 b6 0 c3 24 b6 0 d8 b 28 0 c1 24 b6 0 d8 b 1c 0 c4 24 b6 0 ca 5c 25 0 c6 24 b6 0 c3 24 b7 0 df 24 b6 0 d8 b 1 0 c6 24 b6 0 d8 b 2b 0 c2 24 b c3 24 b c d5 bd e e b 01 0a e e invalid handle 1 40A275 WriteFile Analysis Process: rundll.exe PID: 3336 Parent PID: 3324 Start time: 13:48:35 Start date: 1/10/2017 Path: Wow64 process (32bit): Commandline: File size: MD5 hash: Programmed in: C:\Users\HERBBL~1\AppData\Local\Temp\rundll.exe C:\Users\HERBBL~1\AppData\Local\Temp\rundll.exe 0x bytes F1A5C11B4DDE67B2FC F C, C++ or other language Analysis Process: explorer.exe PID: 3352 Parent PID: 2824 Start time: 13:48:38 Start date: 1/10/2017 Path: Wow64 process (32bit): Commandline: File size: MD5 hash: Programmed in: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.lnk 0x774a bytes 6DDCA324434FFA506CF7DC4E51DB735 C, C++ or other language File Activities File Created Copyright Joe Security LLC 2017 Page 24 of 25

25 File Path Access Attributes Options Completion Count C:\Users\user\AppData\Local\Microsoft\Windows\Caches read data or list directory and synchronize normal directory file and object name collision 1 12D728 ILCreateFromPathW synchronous io non alert and open for backup ident and open reparse point Analysis Process: explorer.exe PID: 3380 Parent PID: 548 Start time: 13:48:38 Start date: 1/10/2017 Path: Wow64 process (32bit): Commandline: File size: MD5 hash: Programmed in: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b c06-a8bb-676a7b00b24b} -Embedding 0x bytes 6DDCA324434FFA506CF7DC4E51DB735 C, C++ or other language File Activities File Path Access Attributes Options Completion Count Analysis Process: win32.exe PID: 3412 Parent PID: 3380 Start time: 13:48:38 Start date: 1/10/2017 Path: Wow64 process (32bit): Commandline: File size: MD5 hash: Programmed in: C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\DwiDesk\win32.exe' 0x74b bytes 858EA2E06E157BB77624B315F4FFAB.Net C# or VB.NET Disassembly Code Analysis Copyright Joe Security LLC 2017 Page 25 of 25

ID: Sample Name: 29UPDYATHD.exe Cookbook: default.jbs Time: 19:03:31 Date: 06/04/2018 Version:


ID: Sample Name: CRP_Force_Tool.exe Cookbook: default.jbs Time: 20:11:41 Date: 20/07/2018 Version:


ID: Sample Name: pccfvhbyjn.sample Cookbook: default.jbs Time: 13:15:27 Date: 18/01/2018 Version:


ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version:


ID: Sample Name: ikeyhelper.exe Cookbook: default.jbs Time: 16:40:36 Date: 28/12/2017 Version:


ID: Sample Name: Updater.exe Cookbook: default.jbs Time: 21:09:59 Date: 18/05/2018 Version:


ID: Sample Name: meterpreter64bit.exe Cookbook: default.jbs Time: 16:01:45 Date: 24/11/2017 Version:


ID: Sample Name: Renci.SshNet.dll Cookbook: default.jbs Time: 12:55:23 Date: 08/06/2018 Version:


ID: Sample Name: process.0xfffffa8004b x dmp Cookbook: default.jbs Time: 22:45:59 Date: 02/12/2017 Version: 20.0.


ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version:


ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version:


ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version:


ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version:


ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version:


ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version:


ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:


ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version:


ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version:


ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version:


ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version:


ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version:


ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version:


ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version:


ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version:


ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version:


ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version:


ID: Sample Name: 11youtube3.com Cookbook: default.jbs Time: 08:17:42 Date: 12/04/2018 Version:


ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version:


ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version:


ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal


ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:


ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version:


ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version:


ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version:


ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0.


ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version:


ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version:


ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version:


ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version:


ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version:


ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date:


ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version:


ID: Sample Name: TBSERV.exe Cookbook: default.jbs Time: 01:52:14 Date: 23/11/2017 Version:


ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version:


ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version:


ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version:


ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version:


ID: Sample Name: consulta.cpf- CNPJ.exe Cookbook: default.jbs Time: 21:07:22 Date: 14/10/2017 Version:


ID: Sample Name: 13_outputD50AA6F.exe Cookbook: default.jbs Time: 21:05:14 Date: 21/04/2018 Version:


ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version:


ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0.


ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version:


ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version:


ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version:


ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version:


ID: Sample Name: French.exe Cookbook: default.jbs Time: 15:57:57 Date: 24/03/2018 Version:


ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version:


ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0.


ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version:


ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version:


ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version:


ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version:


ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version:


ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version:


ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version:


ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version:


ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0.


ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version:


ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version:


ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version:


ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version:


ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version:


ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version:


ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version:


ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version:


ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:


ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version:


ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.


ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version:


ID: Sample Name: MSVCR100.dll Cookbook: default.jbs Time: 16:59:36 Date: 30/04/2018 Version:


ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0.


ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0.


ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version:


ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version:


ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.


ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version:


ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version:


ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:


ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version:


ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date:


ID: Sample Name: vscdme.exe Cookbook: default.jbs Time: 22:43:24 Date: 22/11/2017 Version:


ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version:


ID: Sample Name: SKYDIGITAL- NEW PO.exe Cookbook: default.jbs Time: 15:55:01 Date: 15/01/2018 Version:


ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version:


ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version:


ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date:


ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:


ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal


ID: Sample Name: 10INVOICE.exe Cookbook: default.jbs Time: 08:17:47 Date: 20/08/2018 Version:


ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:
