ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.


Copyright Joe Security LLC 2018

Table of Contents
Analysis Report
Overview
Information
Detection
Confidence
Classification
Analysis Advice
Signature Overview
Networking:
Boot Survival:
Persistence and Installation Behavior:
Spreading:
System Summary:
HIPS / PFW / Operating System Protection Evasion:
Anti Debugging:
Malware Analysis System Evasion:
Hooking and other Techniques for Hiding and Protection:
Lowering of HIPS / PFW / Operating System Security Settings:
Language, Device and Operating System Detection:
Behavior Graph
Simulations
Behavior and APIs
Antivirus Detection
Initial Sample
Dropped Files
Unpacked PE Files
Domains
URLs
Yara Overview
Initial Sample
PCAP (Network Traffic)
Dropped Files
Memory Dumps
Unpacked PEs
Joe Sandbox View / Context
IPs
Domains
ASN
Dropped Files
Screenshots
Startup
Created / dropped Files
Contacted Domains/Contacted IPs
Contacted Domains
Contacted IPs
Static File Info
File Icon
Static OLE Info
OLE File "MobaXterm_installer_10.5.msi"
Indicators
Summary

Streams
Network Behavior
Code Manipulations
Statistics
Behavior
System Behavior
Analysis Process: msiexec.exe PID: 4028 Parent PID: 3352
File Activities
Analysis Process: msiexec.exe PID: 4084 Parent PID: 424
File Activities
Registry Activities
Analysis Process: msiexec.exe PID: 2196 Parent PID: 4084
Analysis Process: msiexec.exe PID: 2884 Parent PID: 4084
Disassembly
Code Analysis

Analysis Report

Overview

Information
Joe Sandbox Version:
Analysis ID:
Start time: 18:29:36
Joe Sandbox Product: CloudBasic
Start date:
Overall analysis duration: 0h 5m 14s
Hypervisor based Inspection enabled:
Report type: light
Sample file name: MobaXterm_installer_10.5.msi
Cookbook file name: defaultwindowsmsicookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean4.winmsi@6/13@0/0
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  Adjust boot time
  Correcting counters for adjusted boot time
  Found application associated with file extension: .msi
Warnings:
  Exclude process from analysis (whitelisted): svchost.exe, VSSVC.exe, dllhost.exe
  Report size getting too big, too many NtAllocateVirtualMemory calls found.
  Report size getting too big, too many NtCreateFile calls found.
  Report size getting too big, too many NtDeviceIoControlFile calls found.
  Report size getting too big, too many NtFsControlFile calls found.
  Report size getting too big, too many NtOpenFile calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtQueryValueKey calls found.
  Report size getting too big, too many NtQueryVolumeInformationFile calls found.
  Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: msiexec.exe, msiexec.exe

Detection
Table columns: Strategy, Score, Range, Reporting, Detection
Surviving row values: Threshold, Report FP / FN

Confidence
Table columns: Strategy, Score, Range, Further Analysis Required?, Confidence
Surviving row values: Threshold, true

Classification

[Classification chart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean, suspicious, malicious.]

Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Signature Overview

Networking:
  Found strings which match to known social media urls
  Urls found in memory or binary

Boot Survival:
  Creates or modifies windows services
  Modifies existing windows services
  Stores files to the Windows start menu directory

Persistence and Installation Behavior:
  Drops PE files
  Drops PE files to the windows directory (C:\Windows)
  May use bcdedit to modify the Windows boot settings

Spreading:
  Checks for available system drives (often done to infect USB drives)

System Summary:
  Creates files inside the system directory
  Deletes Windows files
  Enables security privileges
  Classification label
  Creates files inside the program directory
  Creates temporary files
  Reads ini files
  Reads software policies
  Spawns processes
  Uses an in-process (OLE) Automation server
  Found GUI installer (many successful clicks)
  Found graphical window changes (likely an installer)
  Creates a directory in C:\Program Files
  Submission file is bigger than most known malware samples
  Binary contains paths to debug symbols

HIPS / PFW / Operating System Protection Evasion:
  May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:
  Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Malware Analysis System Evasion:
  Checks the free space of harddrives
  Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
  Found dropped PE file which has not been started or loaded
  May sleep (evasive loops) to hinder dynamic analysis
  May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  Queries a list of all running processes

Hooking and other Techniques for Hiding and Protection:
  Disables application error messages (SetErrorMode)

Lowering of HIPS / PFW / Operating System Security Settings:
  AV process strings found (often used to terminate AV products)

Language, Device and Operating System Detection:
  Queries the volume information (name, serial number etc) of a device
  Queries the cryptographic machine GUID

Behavior Graph

[Behavior graph. Sample: MobaXterm_installer_10.5.msi; Startdate: 25/05/2018; Architecture: WINDOWS; Score: 4. Process nodes: msiexec.exe (started). Dropped file nodes: C:\Windows\Installer\MSI865F.tmp, PE32; C:\Program Files\Mobatek\...\MobaXterm.exe, PE32; C:\Users\SAMTAR~1\AppData\...\MSIFF06.tmp, PE32.]

Simulations

Behavior and APIs
Time: 18:30:31; Type: API Interceptor; Description: 1918x Sleep call for process: msiexec.exe modified

Antivirus Detection

Initial Sample
Source: MobaXterm_installer_10.5.msi; Detection: 0%; Scanner: virustotal

Dropped Files
Source: C:\Program Files\Mobatek\MobaXterm\MobaXterm.exe; Detection: 0%; Scanner: virustotal
Source: C:\Program Files\Mobatek\MobaXterm\MobaXterm.exe; Detection: 0%; Scanner: metadefender
Source: C:\Users\SAMTAR~1\AppData\Local\Temp\MSIFF06.tmp; Detection: 0%; Scanner: virustotal
Source: C:\Users\SAMTAR~1\AppData\Local\Temp\MSIFF06.tmp; Detection: 0%; Scanner: metadefender
Source: C:\Windows\Installer\MSI865F.tmp; Detection: 0%; Scanner: virustotal
Source: C:\Windows\Installer\MSI865F.tmp; Detection: 0%; Scanner: metadefender

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
No Antivirus matches

Yara Overview

Initial Sample
No yara matches

PCAP (Network Traffic)
No yara matches

Dropped Files
No yara matches

Memory Dumps
No yara matches

Unpacked PEs
No yara matches

Joe Sandbox View / Context

IPs
No context

Domains
No context

ASN
No context

Dropped Files
No context

Startup
System is w7
msiexec.exe (PID: 4028 cmdline: '' /i 'C:\Users\user\Desktop\MobaXterm_installer_10.5.msi' MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
msiexec.exe (PID: 4084 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
  msiexec.exe (PID: 2196 cmdline: C:\Windows\system32\MsiExec.exe -Embedding 53DE89D743A86E1BDF4E5186D98E10B6 C MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
  msiexec.exe (PID: 2884 cmdline: C:\Windows\system32\MsiExec.exe -Embedding 03A55922A029B285F538A1C07A6CE9A4 MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
cleanup

Created / dropped Files
Fields listed per file: Process, Size (bytes), Entropy (8bit), Encrypted, MD5, SHA1, SHA-256, SHA-512, Malicious, Antivirus

C:\Config.Msi\6c78cd.rbs; Size (bytes): 1138; low
C:\Program Files\Mobatek\MobaXterm\MobaXterm.exe; PE32 executable (GUI) Intel 80386, for MS Windows; true; low; Antivirus: virustotal, Detection: 0%; Antivirus: metadefender, Detection: 0%
C:\System Volume Information\SPP\OnlineMetaCache\{4088da66-9ed9-499f-9f4f-c90a d}_OnDiskSnapshotProp; Size (bytes): 2664; low
C:\System Volume Information\SPP\OnlineMetaCache\{755647e9-a009-43dc-9dae-02340b7874fe}_OnDiskSnapshotProp; Size (bytes): 2664; low
C:\System Volume Information\SPP\OnlineMetaCache\{ ea5c-43b0-b172-ed6a845466af}_OnDiskSnapshotProp; Size (bytes): 2664; low
C:\System Volume Information\SPP\meta-2; SysEx File - Twister; low
C:\System Volume Information\SPP\snapshot-2; Size (bytes): 7992; low
C:\Users\SAMTAR~1\AppData\Local\Temp\MSIFF06.tmp; PE32 executable (DLL) (GUI) Intel 80386, for MS Windows; true; low; Antivirus: virustotal, Detection: 0%; Antivirus: metadefender, Detection: 0%
C:\Users\SAMTAR~1\AppData\Local\Temp\MSIae160.LOG; Little-endian UTF-16 Unicode text, with no line terminators; Size (bytes): 2; Entropy (8bit): 1.0; moderate, very likely benign file
C:\Windows\Installer\6c78cb.msi; low
C:\Windows\Installer\MSI864A.tmp; low
C:\Windows\Installer\MSI865F.tmp; PE32 executable (DLL) (GUI) Intel 80386, for MS Windows; true; low; Antivirus: virustotal, Detection: 0%; Antivirus: metadefender, Detection: 0%
\samr; Hitachi SH big-endian COFF object, not stripped; low

Contacted Domains/Contacted IPs

Contacted Domains
No contacted domains info

Contacted IPs
No contacted IP infos

Static File Info
File type: 2
Entropy (8bit):
TrID:
  Microsoft Windows Installer (638509/1) 93.34%
  ClickyMouse macro set (36024/1) 5.27%
  Generic OLE2 / Multistream Compound File (8008/1) 1.17%
  Java Script embedded in Visual Basic Script (1500/0) 0.22%
File name: MobaXterm_installer_10.5.msi
File size:
MD5: 12d2bf21eaddedde024f8dbb997e14b8
SHA1: ecdb4b3b2f6c6b97a45774bac094249bc50b83df
SHA256: 35e43843e67544de084175b018045bc56852d8c7711c07 4cb7e53b e9
SHA512: 274e94f878e2757bc2e609aa25cdfe8b0aabe7d c0985ee93a8d62679c bb7e1a9e403d dcd538de47b641bd71abc282b3cace6

Static OLE Info
Document Type: OLE
Number of OLE Files: 1

OLE File "MobaXterm_installer_10.5.msi"

Indicators
Has Summary Info: True
Application Name: Windows Installer XML ( )
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count: 0
Contains VBA Macros: True

Summary
Code Page: 1252
Title: Installation Database
Subject: MobaXterm
Author: Mobatek
Keywords: Installer
Comments: This installer base contains the logic and required to install MobaXterm.
Template: Intel;1033
Revion Number: {D4A2BF1A-8A48-4AC0-AF05-C2C4B1F4C996}
Create Time: :36:52
Last Saved Time: :36:52
Number of Pages: 100
Number of Words: 2
Creating Application: Windows Installer XML ( )
Security: 2

Streams
\x5digitalsignature,, Stream Size: 5771



ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version: ID: 44491 Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:4:31 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version: ID: 4441 Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version: ID: 64646 Cookbook: urldownload.jbs Time: 1:4:3 Date: 19/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version:

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: ID: 35936 Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version: ID: 2 Sample Name:._k.php Cookbook: default.jbs Time: 0:41:1 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: ID: 59176 Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: urldownload.jbs Time: 10:02:12 Date: 14/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 10:02:12 Date: 14/06/2018 Version: ID: 63987 Cookbook: urldownload.jbs Time: 10:02:12 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: ID: 66523 Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version:

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version: ID: 88 Sample Name: binarydata Cookbook: default.jbs Time: 22:09: Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version: ID: 94 Cookbook: urldownload.jbs Time: 1:10:9 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0. ID: 56519 Sample Name: 20180542 INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: ID: 70096 Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version:

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version: ID: 6036 Sample Name: wtf.bat Cookbook: default.jbs Time: 1:32:35 Date: 19/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: ID: 45263 Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version: ID: 0 Cookbook: urldownload.jbs Time: 20:4:24 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: ID: 80599 Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://www.qbproadvisorshelp.com Overview General Information Detection

More information

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0.

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0. ID: 36381 Sample Name: New invoice 1385371761.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:4:06 Date: 07/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview

More information

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: ID: 40269 Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version: ID: 41000 Cookbook: browseurl.jbs Time: 1:05:31 Date: 26/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: ID: 75522 Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: 23.0.0 Table of Contents Table of Contents 2 Analysis Report http://www.springdwnld2.com/download/? d=0&h=1&pnid=4&domain=hmapsanddrivingdirection.com&implementation_id=maps_spt_&source=g-ccc7-lp0-

More information

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version: ID: 6600 Cookbook: urldownload.jbs Time: 21:2:55 Date: 2/06/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: ID: 34266 Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: ID: 50608 Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: promo_50_ iqy Cookbook: default.jbs Time: 15:01:30 Date: 07/06/2018 Version:

ID: Sample Name: promo_50_ iqy Cookbook: default.jbs Time: 15:01:30 Date: 07/06/2018 Version: ID: 63041 Sample Name: promo_50_57443456.iqy Cookbook: default.jbs Time: 15:01:30 Date: 07/06/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information