ID: Cookbook: browseurl.jbs Time: 15:35:36 Date: 03/11/2017 Version:


Table of Contents

Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
  Signature Overview
    Networking:
    Data Obfuscation:
    System Summary:
    HIPS / PFW / Operating System Protection Evasion:
    Anti Debugging:
    Hooking and other Techniques for Hiding and Protection:
    Language, Device and Operating System Detection:
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshot
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    No static file info
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: iexplore.exe PID: 3048 Parent PID: 548
      General
      File Activities
      Registry Activities
    Analysis Process: iexplore.exe PID: 3100 Parent PID: 3048
      General
      File Activities
      Registry Activities
    Analysis Process: ssvagent.exe PID: 3164 Parent PID: 3100
      General
      Registry Activities
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2017

Analysis Report

Overview

General Information
Joe Sandbox Version:
Analysis ID:
Start time: 15:35:36
Joe Sandbox Product: CloudBasic
Start date:
Overall analysis duration: 0h 4m 18s
Hypervisor based Inspection enabled:
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: security-alert.rda71z.top/ccleaner/de810914b65f3782ca2a13b203eb73ed/index.html?p1= adown=9401&cmp=46021&cid=VjN8NTU4NDh8MTEzMzM0MXw4MjEyNTB8MTUwOTcxODM1NHxjZjU4NWJkNS0yYTI2LTQ4NjktYjE0Yy02MWFlOGRhM2JlMWV8MjA1LjE3My4xNi41fDJ8dGVzdFY9TkVXX09QVF90XzE0fGRjNTQ1YjIzZDMwNmJjOTA0MWIyZGM2YTVhYjI3YjFh&ptrack=55848
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: CLEAN
Classification: clean3.win@5/21@1/1
HCA Information: Successful, ratio: 100%
  Number of executed functions: 0
  Number of non-executed functions: 0
EGA Information: Successful, ratio: 50%
HDC Information: Successful, ratio: 100% (good quality ratio 85.2%)
  Quality average: 64.5%
  Quality standard deviation: 36.1%
Cookbook Comments:
  Browsing: security-alert.rda71z.top/ccleaner/de810914b65f3782ca2a13b203eb73ed/index.html?p1= adown=9401&cmp=46021&cid=VjN8NTU4NDh8MTEzMzM0MXw4MjEyNTB8MTUwOTcxODM1NHxjZjU4NWJkNS0yYTI2LTQ4NjktYjE0Yy02MWFlOGRhM2JlMWV8MjA1LjE3My4xNi41fDJ8dGVzdFY9TkVXX09QVF90XzE0fGRjNTQ1YjIzZDMwNmJjOTA0MWIyZGM2YTVhYjI3YjFh&ptrack=55848
  URL browsing timeout
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe
  Execution Graph export aborted for target iexplore.exe, PID 3100 because it is empty
  Report size getting too big, too many NtDeviceIoControlFile calls found.
  Report size getting too big, too many NtEnumerateKey calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Detection
Strategy  Score  Range  Reporting  Detection
Threshold  Report FP / FN

Confidence
Strategy  Score  Range  Further Analysis Required?  Confidence
Threshold

Classification
(Chart. Axes: Ransomware, Evader, Spreading, Exploiter, Phishing, Spyware, Banker, Adware, Trojan / Bot. Scale: clean, suspicious, malicious.)

Analysis Advice
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Signature Overview

Networking:
  Downloads files
  Downloads files from webservers via HTTP
  Found strings which match to known social media urls
  Performs DNS lookups
  Urls found in memory or binary data
  Social media urls found in memory data

Data Obfuscation:
  Contains functionality to dynamically determine API calls
  Uses code obfuscation techniques (call, push, ret)

System Summary:
  Found graphical window changes (likely an installer)
  Uses new MSVCR Dlls
  Binary contains paths to debug symbols
  Classification label
  Contains functionality to instantiate COM classes
  Contains functionality to load and extract PE file embedded resources
  Creates files inside the user directory
  Creates temporary files
  Reads ini files
  Reads software policies
  Spawns processes
  Uses an in-process (OLE) Automation server
  Searches the installation path of Mozilla Firefox

HIPS / PFW / Operating System Protection Evasion:
  May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:
  Contains functionality to register its own exception handler
  Contains functionality to check if a debugger is running (IsDebuggerPresent)
  Contains functionality to dynamically determine API calls

Hooking and other Techniques for Hiding and Protection:
  Disables application error messsages (SetErrorMode)
  Extensive use of GetProcAddress (often used to hide API calls)

Language, Device and Operating System Detection:
  Contains functionality to query local / system time
  Contains functionality to query windows version

Behavior Graph
(Figure.) ID: Sample: Startdate: 03/11/2017 Architecture: WINDOWS Score: 3
Processes: iexplore.exe started iexplore.exe, which started ssvagent.exe
Network: security-alert.rda71z.top, 80, DIGITALOCEAN-ASN-DigitalOceanIncUS, Netherlands

Simulations

Behavior and APIs
Time  Type  Description
15:36:15  API Interceptor  454x Sleep call for process: iexplore.exe modified from: 60000ms to: 500ms

Antivirus Detection
Initial Sample: No Antivirus matches
Dropped Files: No Antivirus matches
Domains: No Antivirus matches

Yara Overview
Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
Dropped Files: No context

Startup
System is w7
iexplore.exe (PID: 3048 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding CA1F703CD665867E8132D2946FB55750)
  iexplore.exe (PID: 3100 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3048 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750)
    ssvagent.exe (PID: 3164 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7)
cleanup

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\~DF0FDB782AD6ABDD46.TMP
  FoxPro FPT, blocks size 258, next free block index
C:\Users\HERBBL~1\AppData\Local\Temp\~DFC8A0A31ACD7627CF.TMP
  FoxPro FPT, blocks size 258, next free block index
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4
  data
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  data
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04
  data
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico
  PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1
  data
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml
  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{57F41491-C0A4-11E7-B7AC-B2C276BF9C88}.dat
  Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{57F41493-C0A4-11E7-B7AC-B2C276BF9C88}.dat
  Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9D23.tmp
  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\favicon[1].ico
  PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\style[1].css
  ASCII text, with very long lines
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\suggestions[1].en-US
  data
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\ff[1].png
  PNG image data, 119 x 123, 8-bit/color RGBA, non-interlaced
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\urlblockindex[1].bin
  data
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\arrow_upblue[1].png
  PNG image data, 64 x 99, 8-bit/color RGBA, non-interlaced
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\iecompatviewlist[1].xml
  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\index[1].htm
  HTML document, UTF-8 Unicode text, with very long lines
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\alerttop2[1].png
  PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\modal[1].jpg
  JPEG image data, EXIF standard

Contacted Domains/Contacted IPs

Contacted Domains
Name  IP  Active  Malicious  Antivirus Detection
security-alert.rda71z.top  true

Contacted IPs

IP  Country  Flag  ASN  ASN Name  Malicious
Netherlands  DIGITALOCEAN-ASN-DigitalOceanIncUS

Static File Info
No static file info

Network Behavior

Network Port Distribution
Total Packets: (HTTP) 53 (DNS)

TCP Packets
Timestamp  Port  Dest Port  IP  Dest IP


UDP Packets
Timestamp  Port  Dest Port  IP  Dest IP

DNS Queries
Timestamp: Nov 3, :36: CET
IP:
Dest IP:
Trans ID: xa970
OP Code: Standard query (0)
Name: security-alert.rda71z.top
Type: A (IP address)
Class: IN (0x0001)

DNS Answers
Timestamp: Nov 3, 15:36: CET
IP:
Dest IP:
Trans ID: xa970
Replay Code: No error (0)
Name: security-alert.rda71z.top
CName:
Address:
Type: A (IP address)
Class: IN (0x0001)

HTTP Request Dependency Graph
security-alert.rda71z.top

HTTP Packets
Timestamp  Port  Dest Port  IP  Dest IP  Header  Total Bytes Transfered (KB)

Nov 3, :36: CET
  GET /ccleaner/de810914b65f3782ca2a13b203eb73ed/index.html?p1= adown=9401&cmp=46021&cid=VjN8NTU4NDh8MTEzMzM0MXw4MjEyNTB8MTUwOTcxODM1NHxjZjU4NWJkNS0yYTI2LTQ4NjktYjE0Yy02MWFlOGRhM2JlMWV8MjA1LjE3My4xNi41fDJ8dGVzdFY9TkVXX09QVF90XzE0fGRjNTQ1YjIzZDMwNmJjOTA0MWIyZGM2YTVhYjI3YjFh&ptrack=55848 HTTP/1.1
  Accept: text/html, application/xhtml+xml, */*
  Accept-Language: en-us
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: security-alert.rda71z.top
  DNT: 1
  Connection: Keep-Alive
  Total Bytes Transfered (KB): 2

Nov 3, :36: CET
  HTTP/ OK
  Server: nginx/
  Date: Fri, 03 Nov :36:21 GMT
  Content-Type: text/html
  Content-Length: 7614
  Last-Modified: Wed, 28 Jun :56:48 GMT
  Connection: keep-alive
  Keep-Alive: timeout=10
  ETag: " dbe"
  Accept-Ranges: bytes
  Total Bytes Transfered (KB): 3
  Data Ascii:
    <!DOCTYPE html>
    <html lang="en-us">
    <head>
    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    <meta name="viewport" content=" width=device-width">
    <title>Flash Player might be outdated</title>
    <link rel="icon" href="img/aflashplayer3-icon.png" type="image/png">
    <link href="css/style.css" rel="stylesheet">
    <script>
    function showstep() {
      var nagt = navigator.userAgent;
      var veroffset;
      if ((veroffset = nagt.indexOf("opr")) != -1) {
        document.getElementById("opera").style.display = "block";
        document.getElementById("overlay").style.display = "block";
      } else if ((veroffset = nagt.indexOf("msie")) != -1) {
        document.getElementById("ie").style.display = "block";
        document.getElementById("overlay").style.display = "block";
      } else if ((veroffset = nagt.indexOf(".net")) != -1) {
        document.getElementById("ie").style.display = "block";
        document.getElementById("overlay").style.display = "block";
      } else if ((veroffset = nagt.indexOf("chrome")) != -1) {
        document.getElementById("chrome").style.display = "block";
        document.getElementById("overlay").style.

Nov 3, :36: CET
  Port: 80
  GET /ccleaner/de810914b65f3782ca2a13b203eb73ed/css/style.css HTTP/1.1
  Accept: text/css, */*
  Referer: 65f3782ca2a13b203eb73ed/index.html?p1= 4.admedit.me/associates/?adown=9401&cmp=46021&cid=VjN8NTU4NDh8MTEzMzM0MXw4MjEyNTB8MTUwOTcxODM1NHxjZjU4NWJkNS0yYTI2LTQ4NjktYjE0Yy02MWFlOGRhM2JlMWV8MjA1LjE3My4xNi41fDJ8dGVzdFY9TkVXX09QVF90XzE0fGRjNTQ1YjIzZDMwNmJjOTA0MWIyZGM2YTVhYjI3YjFh&ptrack=55848
  Accept-Language: en-us
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: security-alert.rda71z.top
  DNT: 1
  Connection: Keep-Alive

Nov 3, :36: CET
  GET /ccleaner/de810914b65f3782ca2a13b203eb73ed/img/alerttop2.png HTTP/1.1
  Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
  Referer: 65f3782ca2a13b203eb73ed/index.html?p1= 4.admedit.me/associates/?adown=9401&cmp=46021&cid=VjN8NTU4NDh8MTEzMzM0MXw4MjEyNTB8MTUwOTcxODM1NHxjZjU4NWJkNS0yYTI2LTQ4NjktYjE0Yy02MWFlOGRhM2JlMWV8MjA1LjE3My4xNi41fDJ8dGVzdFY9TkVXX09QVF90XzE0fGRjNTQ1YjIzZDMwNmJjOTA0MWIyZGM2YTVhYjI3YjFh&ptrack=55848
  Accept-Language: en-us
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: security-alert.rda71z.top
  DNT: 1
  Connection: Keep-Alive

Nov 3, :36: CET
  GET /ccleaner/de810914b65f3782ca2a13b203eb73ed/img/modal.jpg HTTP/1.1
  Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
  Referer: 65f3782ca2a13b203eb73ed/index.html?p1= 4.admedit.me/associates/?adown=9401&cmp=46021&cid=VjN8NTU4NDh8MTEzMzM0MXw4MjEyNTB8MTUwOTcxODM1NHxjZjU4NWJkNS0yYTI2LTQ4NjktYjE0Yy02MWFlOGRhM2JlMWV8MjA1LjE3My4xNi41fDJ8dGVzdFY9TkVXX09QVF90XzE0fGRjNTQ1YjIzZDMwNmJjOTA0MWIyZGM2YTVhYjI3YjFh&ptrack=55848
  Accept-Language: en-us
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: security-alert.rda71z.top
  DNT: 1
  Connection: Keep-Alive
  Total Bytes Transfered (KB): 10

Nov 3, :36: CET
  HTTP/ OK
  Server: nginx/
  Date: Fri, 03 Nov :36:21 GMT
  Content-Type: text/css
  Content-Length: 6963
  Last-Modified: Wed, 28 Jun :56:50 GMT
  Connection: keep-alive
  Keep-Alive: timeout=10
  ETag: " b33"
  Expires: Thu, 31 Dec :55:55 GMT
  Cache-Control: max-age=
  Access-Control-Allow-Origin: *
  Accept-Ranges: bytes
  Total Bytes Transfered (KB): 14

Nov 3, :36: CET
  HTTP/ OK
  Server: nginx/
  Date: Fri, 03 Nov :36:22 GMT
  Content-Type: image/png
  Content-Length: 3781
  Last-Modified: Wed, 28 Jun :56:51 GMT
  Connection: keep-alive
  Keep-Alive: timeout=10
  ETag: " ec5"
  Accept-Ranges: bytes
  Total Bytes Transfered (KB): 22


More information

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version: ID: 5139 Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version: ID: 52775 Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: ID: 46296 Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: ID: 62529 Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version: ID: 52374 Cookbook: browseurl.jbs Time: 15:46:3 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: ID: 66665 Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: ID: 74919 Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://tiny.cc/34aqxy Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: ID: 51900 Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version: ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: ID: 64085 Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: ID: 40269 Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version: ID: 52376 Cookbook: browseurl.jbs Time: 15:4:15 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: ID: 34266 Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: ID: 59136 Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version: ID: 60306 Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version: ID: 57706 Cookbook: urldownload.jbs Time: 19:5:34 Date: 02/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version: ID: 40237 Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version: ID: 153 Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/0/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: ID: 70096 Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal ID: 82913 Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.learningtoolkit.club Overview General Information

More information

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version: ID: 4706 Cookbook: urldownload.jbs Time: 22:46:20 Date: 1/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: ID: 75522 Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: 23.0.0 Table of Contents Table of Contents 2 Analysis Report http://www.springdwnld2.com/download/? d=0&h=1&pnid=4&domain=hmapsanddrivingdirection.com&implementation_id=maps_spt_&source=g-ccc7-lp0-

More information

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: ID: 80599 Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://www.qbproadvisorshelp.com Overview General Information Detection

More information

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version: ID: 64646 Cookbook: urldownload.jbs Time: 1:4:3 Date: 19/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: ID: 66523 Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version: ID: 3923 Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/0/201 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 09:46:57 Date: 19/10/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 09:46:57 Date: 19/10/2018 Version: Fire Opal ID: 85066 Cookbook: browseurl.jbs Time: 09:46:57 Date: 19/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://lux-motors.com/nnngg/nngbbgh/fffee Overview General

More information

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal ID: Cookbook: urldownload.jbs Time: 0:25:02 Date: 29//201 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://15.1..14/neko.sh Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version: ID: 4441 Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: browseurl.jbs Time: 23:19:26 Date: 20/08/2018 Version:

ID: Cookbook: browseurl.jbs Time: 23:19:26 Date: 20/08/2018 Version: ID: 73278 Cookbook: browseurl.jbs Time: 23:19:26 Date: 20/08/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: ID: 54075 Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version:

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version: ID: 0309 Sample Name: image002 Cookbook: default.jbs Time: 1:19:2 Date: 1/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version: ID: 0 Cookbook: urldownload.jbs Time: 20:4:24 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version:

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version: ID: 34788 Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 0:43:5 Date: 21/10/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

More information

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: ID: 50608 Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version:

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: ID: 53619 Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version: ID: 52 Cookbook: urldownload.jbs Time: 1:41:45 Date: 23/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: ID: 67658 Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview

More information

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version:

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version: ID: 1259 Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 1:29:43 Date: 25/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0.

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0. ID: 54478 Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version: ID: 49 Cookbook: urldownload.jbs Time: 19:: Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice

More information

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version:

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version: ID: 54427 Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version: ID: 6600 Cookbook: urldownload.jbs Time: 21:2:55 Date: 2/06/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: ID: 41304 Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview

More information

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version:

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version: ID: 3393 Sample Name: quzpecasrh Cookbook: default.jbs Time: 1:55:54 Date: 0//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version:

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version: ID: 371 Sample Name: fly.jse Cookbook: default.jbs Time: 1:17:2 Date: 11/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0.

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0. ID: 25 Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:4 Date: 20/09/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Payment_Remittance#.xps

More information

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version:

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version: ID: 371 Sample Name: 21PO201745.jpg...js Cookbook: default.jbs Time: 14:32:0 Date: 21/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version:

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: ID: 42035 Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: ID: 46161 Sample Name: tesseract-ocrsetup-3.05.01.exe Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version:

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version: ID: 50648 Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31: Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: ID: 51630 Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version:

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version: ID: 4253 Sample Name: text_0.txt Cookbook: default.jbs Time: 1:20:15 Date: 12/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version:

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: ID: 80115 Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report js.jar Overview General Information

More information

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0.

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0. ID: 5762 Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: :36:2 Date: 04/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version:

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version: ID: 6045 Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/0/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version:

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version: ID: 5250 Sample Name: test.txt Cookbook: default.jbs Time: 13:18:3 Date: 31/03/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0.

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0. ID: 64635 Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 1/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook. ID: 63341 Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 08:43:14 Date: 10/06/2018 Version: 22.0.0 Table of Contents

More information

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version:

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: ID: 41280 Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version:

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version: ID: 58133 Sample Name: Serial.txt Cookbook: default.jbs Time: 02:5:20 Date: 0/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version:

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version: ID: 48 Sample Name: maintools.js Cookbook: default.jbs Time: 1:43:3 Date: 1/02/2018 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version:

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: ID: 55401 Sample Name: E203182DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version: ID: 94 Cookbook: urldownload.jbs Time: 1:10:9 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date:

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date: ID: 33355 Sample Name: ff2c8cadaa0fd8da138ccefce3e001f53a5dceccd45b15ae23f4d51.evaljs.js Cookbook: default.jbs Time: 1:44:00 Date: 04//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report

More information

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version:

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version: ID: 47020 Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: :19:47 Date: 19/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0. ID: 61258 Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version:

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version: ID: 6467 Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0.

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0. ID: 4457 Sample Name: #Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General

More information

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: ID: 41310 Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: 31/12/2017 Version: 20.0.0 Table of Contents Analysis Report

More information

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: ID: 45263 Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: Fire Opal ID: 92832 Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.winsupport.ml Overview Information Detection Confidence

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version: ID: 22 Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:0:2 Date: 02/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version: ID: 80 Sample Name: Unconfirmed.crdownload Cookbook: default.jbs Time: 22:8:0 Date: 08/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version: ID: 042 Sample Name: test Cookbook: default.jbs Time: 09:4:1 Date: 21/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version: ID: 001 Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:4 Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 03:15:55 Date: 26/01/2019 Version: Tiger's Eye ID: 106158 Cookbook: browseurl.jbs Time: 03:15:55 Date: 26/01/2019 Version: 25.0.0 Tiger's Eye Table of Contents Table of Contents Analysis Report http://viads.blogsyte.com/target/ Overview General Information

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version: ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version: ID: 82 Sample Name: GeZNwROcB.bin Cookbook: default.jbs Time: 1:22:4 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: ID: 38812 Sample Name: paint.net.4.0.19.install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version: ID: 41861 Sample Name: PO65445465.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03::36 Date: 08/01/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0. ID: 56519 Sample Name: 20180542 INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version: ID: 4019 Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24: Date: 1/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version: ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version: ID: 44024 Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:4:49 Date: 2/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0. ID: 64992 Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 21/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version: ID: 3626 Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 0:0:14 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version: ID: Sample Name: gpgwin-.0..exe.sig Cookbook: default.jbs Time: 21::1 Date: 02/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0. ID: 36381 Sample Name: New invoice 1385371761.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:4:06 Date: 07/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview
