ID: Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version:


Table of Contents

Analysis Report
Overview
General Information
Detection
Confidence
Classification
Analysis Advice
Signature Overview
Networking:
System Summary:
HIPS / PFW / Operating System Protection Evasion:
Hooking and other Techniques for Hiding and Protection:
Behavior Graph
Simulations
Behavior and APIs
Antivirus Detection
Initial Sample
Dropped Files
Unpacked PE Files
Domains
URLs
Yara Overview
Initial Sample
PCAP (Network Traffic)
Dropped Files
Memory Dumps
Unpacked PEs
Joe Sandbox View / Context
IPs
Domains
ASN
Dropped Files
Screenshots
Startup
Created / dropped Files
Contacted Domains/Contacted IPs
Contacted Domains
Contacted URLs
Contacted IPs
Public
Static File Info
No static file info
Network Behavior
Network Port Distribution
TCP Packets
UDP Packets
ICMP Packets
DNS Queries
DNS Answers
HTTP Request Dependency Graph
HTTP Packets
Code Manipulations
Statistics
Behavior
System Behavior
Analysis iexplore.exe PID: 3412 Parent PID: 548
General
File Activities
Registry Activities
Analysis iexplore.exe PID: 3468 Parent PID: 3412
General
File Activities
Registry Activities
Analysis ssvagent.exe PID: 3536 Parent PID: 3468
General
Registry Activities
Disassembly
Code Analysis

Copyright Joe Security LLC 2018

Analysis Report

Overview

General Information

Joe Sandbox Version:
Analysis ID:
Start time: 18:10:52
Joe Sandbox Product: CloudBasic
Start date:
Overall analysis duration: 0h 2m 58s
Hypervisor based Inspection enabled:
Report type: light
Cookbook file name: browseurl.jbs
Sample URL:
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.win@5/22@5/1
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments: Adjust boot time; Correcting counters for adjusted boot time; Browsing link:
Warnings:
Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target iexplore.exe, PID 3468 because there are no executed function
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy, Score, Range, Reporting, Detection
Threshold, Report FP / FN

Confidence

Strategy, Score, Range, Further Analysis Required?, Confidence
Threshold, true

Classification

[Classification chart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean, suspicious, malicious.]

Analysis Advice

Sample HTTP request are all non existing, likely the sample is no longer working
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Signature Overview

Networking
System Summary
HIPS / PFW / Operating System Protection Evasion
Hooking and other Techniques for Hiding and Protection

Networking:
Social media urls found in memory data
Downloads files
Downloads files from webservers via HTTP
Found strings which match to known social media urls
Performs DNS lookups
Tries to download non-existing http data (HTTP/ Not Found)
Urls found in memory or binary data

System Summary:
Searches the installation path of Mozilla Firefox
Classification label
Creates files inside the user directory
Creates temporary files
Reads ini files
Reads software policies
Spawns processes
Uses an in-process (OLE) Automation server
Found graphical window changes (likely an installer)
Uses new MSVCR Dlls

HIPS / PFW / Operating System Protection Evasion:
May try to detect the Windows Explorer process (often used for injection)

Hooking and other Techniques for Hiding and Protection:
Disables application error messsages (SetErrorMode)

Behavior Graph

[Behavior graph. Startdate: 18/05/2018; Architecture: WINDOWS; Score: 1. Nodes: iexplore.exe, started iexplore.exe, started ssvagent.exe; cdn.googletoolservices.com (DAINTERNATIONALGROUPGB, Bulgaria).]

Simulations

Behavior and APIs

Time, Type, Description
18:11:51, API Interceptor, 3377x Sleep call for process: iexplore.exe modified
18:11:53, API Interceptor, 1x Sleep call for process: ssvagent.exe modified

Antivirus Detection

Initial Sample
Detection, Scanner, Label, Link
3%, virustotal

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains
Detection, Scanner, Label, Link
cdn.googletoolservices.com, 3%, virustotal

URLs
Detection, Scanner, Label, Link
3%, virustotal
3%, virustotal

Yara Overview

Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context

IPs: No context
Domains: No context
ASN: No context
Dropped Files: No context

Screenshots

Startup

System is w7
cleanup
iexplore.exe (PID: 3412 cmdline: '' -Embedding CA1F703CD665867E8132D246FB55750)
  iexplore.exe (PID: 3468 cmdline: '' SCODEF:3412 CREDAT: /prefetch:2 CA1F703CD665867E8132D246FB55750)
    ssvagent.exe (PID: 3536 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 053A026487FD1E655B75B63B083B7)

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\~DF266EB22A1ADDAF1.TMP
FoxPro FPT, blocks size 258, next free block index
Size (bytes):
Entropy (8bit):

C:\Users\HERBBL~1\AppData\Local\Temp\~DF4F62ACF57253C6C.TMP
FoxPro FPT, blocks size 258, next free block index
Size (bytes):
Entropy (8bit):

C:\Users\HERBBL~1\AppData\Local\Temp\~DFF5F02654EEDBCB0.TMP
data
Size (bytes):
Entropy (8bit):

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB5DF3F0AD4EE2DC2B8CFD4157
Microsoft Cabinet archive data, 650 bytes, 1 file
Size (bytes): 650
Entropy (8bit):

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA874A10C4BD62CC21D13E43B18_BEB37ABADF B472417E0 4
data
Size (bytes): 471
Entropy (8bit):

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF880D352E0D8F
data
Size (bytes): 4405
Entropy (8bit):

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB5DF3F0AD4EE2DC2B8CFD4157
data
Size (bytes): 342
Entropy (8bit):

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA874A10C4BD62CC21D13E43B18_BEB37ABADF B472417E04
data
Size (bytes): 434
Entropy (8bit):

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF880D352E0D8F
data
Size (bytes): 226
Entropy (8bit):

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE3-D f-A0FF-E1416B8B2E3A}.ico
PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes): 237
Entropy (8bit):

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2C2771D1-5AB6-11E8-B7AC-B2C276BFC88}.dat
Microsoft Word Document
Size (bytes): 3000
Entropy (8bit):

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2C2771D3-5AB6-11E8-B7AC-B2C276BFC88}.dat
Microsoft Word Document
Size (bytes):
Entropy (8bit):

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{ AB6-11E8-B7AC-B2C276BFC88}.dat
Microsoft Word Document
Size (bytes): 1684
Entropy (8bit):

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\http_403[1]
HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 4585
Entropy (8bit):

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\info_48[1]
PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced
Size (bytes): 4113
Entropy (8bit):

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNTWD\down[1]
PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Size (bytes): 748
Entropy (8bit):

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNTWD\errorPageStrings[1]
UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 3470
Entropy (8bit):

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTXDT\background_gradient[1]
JPEG image data, JFIF standard 1.02
Size (bytes): 453
Entropy (8bit):

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTXDT\favicon[1].ico
PNG image data, 16 x 16, 4-bit colormap, non-interlaced
Size (bytes): 237
Entropy (8bit):

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTXDT\httpErrorPagesScripts[1]
UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 8714
Entropy (8bit):

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\ErrorPageTemplate[1]
UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 2168
Entropy (8bit):

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\bullet[1]
PNG image data, 15 x 15, 8-bit colormap, non-interlaced
Size (bytes): 447
Entropy (8bit):

Contacted Domains/Contacted IPs

Contacted Domains

Name, IP, Active, Malicious, Antivirus Detection, Reputation
cdn.googletoolservices.com, true, 3% virustotal, unknown

Contacted URLs

Name, Process

Contacted IPs

[Map of contacted IPs. Legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs.]

Public

IP, Country, Flag, ASN, ASN Name, Malicious
Bulgaria, DAINTERNATIONALGROUPGB

Static File Info

No static file info

Network Behavior

Network Port Distribution

Total Packets: (HTTP) 53 (DNS)

TCP Packets


UDP Packets

ICMP Packets

Timestamp, IP, Dest IP, Checksum, Code, Type
May 18, :11: CEST, cffe, (Port unreachable), Destination Unreachable
May 18, :11: CEST, d00, (Port unreachable), Destination Unreachable

DNS Queries

Timestamp, IP, Dest IP, Trans ID, OP Code, Name, Type, Class
May 18, :11: CEST, xd3bd, Standard query (0), cdn.googletoolservices.com, A (IP address), IN (0x0001)
May 18, :11: CEST, xd3bd, Standard query (0), cdn.googletoolservices.com, A (IP address), IN (0x0001)
May 18, :11: CEST, xd3bd, Standard query (0), cdn.googletoolservices.com, A (IP address), IN (0x0001)
May 18, :11: CEST, xd3bd, Standard query (0), cdn.googletoolservices.com, A (IP address), IN (0x0001)
May 18, :11: CEST, x87e, Standard query (0), cdn.googletoolservices.com, A (IP address), IN (0x0001)

DNS Answers

Timestamp, IP, Dest IP, Trans ID, Replay Code, Name, CName, Address, Type, Class
May 18, 18:11: CEST, xd3bd, No error (0), cdn.googletoolservices.com, A (IP address), IN (0x0001)
May 18, 18:11: CEST, xd3bd, No error (0), cdn.googletoolservices.com, A (IP address), IN (0x0001)
May 18, 18:11: CEST, xd3bd, No error (0), cdn.googletoolservices.com, A (IP address), IN (0x0001)
May 18, 18:11: CEST, xd3bd, No error (0), cdn.googletoolservices.com, A (IP address), IN (0x0001)
May 18, 18:11: CEST, x87e, No error (0), cdn.googletoolservices.com, A (IP address), IN (0x0001)

HTTP Request Dependency Graph

cdn.googletoolservices.com

HTTP Packets

Session ID IP Port Destination IP Destination Port Process

Timestamp: May 18, :11: CEST
kbytes transferred: 18
Direction: OUT
Data:
GET /jquery-ui.js HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: cdn.googletoolservices.com
DNT: 1
Connection: Keep-Alive

Timestamp: May 18, :11: CEST
kbytes transferred: 20
Direction: IN
Data:
HTTP/ Not Found
Date: Fri, 18 May :13:02 GMT
Server: Apache
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso
Content-Language: en
Data Ascii: 1e<?xml version="1.0" encoding="afiso-885-1"?><!doctype html PUBLIC "-//W3C//DTD XHTML 1.0 Strict //EN" " xmlns=" lang="een" xml:lang="13en"><head><title>38object not found!</title><link rev="made" href="mailto:10cwebmaster@61805.net" /> <style type="text/css">.../*--><![cdata[/*>...*/ body { color: #000000; background-color: #FFFFFF; } a:link { color: # 0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/*...*/--></style></head><body><h1>1bobject not found!</h1><p>3 The requested URL was not found on this server. 57 If you entered the URL manually please check your spelling and try again. 2</p><p>48If you think this is a server error, please contactthe <a href="mailto:24we bmaster@61805.net">webmaster</a>.11</p><h2>error 21404</h2><address> <a href="/">27cdn.googletoolse rvices.com</a><br /> <span>21fri May 18 13:13: <br /> 2Apache</span></address></body></html>10

Session ID IP Port Destination IP Destination Port Process

Timestamp: May 18, 18:11: CEST
kbytes transferred:
Direction: OUT
Data:
GET /favicon.ico HTTP/1.1
User-Agent: AutoIt
Host: cdn.googletoolservices.com

Timestamp: May 18, :11: CEST
kbytes transferred: 43
Direction: IN
Data:
HTTP/ Not Found
Date: Fri, 18 May :13:15 GMT
Server: Apache
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso
Content-Language: en
Data Ascii: 1e<?xml version="1.0" encoding="afiso-885-1"?><!doctype html PUBLIC "-//W3C//DTD XHTML 1.0 Strict //EN" " xmlns=" lang="een" xml:lang="13en"><head><title>38object not found!</title><link rev="made" href="mailto:10cwebmaster@61805.net" /> <style type="text/css">.../*--><![cdata[/*>...*/ body { color: #000000; background-color: #FFFFFF; } a:link { color: # 0000CC; } p, address {margin-left: 3em;} span {font-size: smaller;}/*...*/--></style></head><body><h1>1bobject not found!</h1><p>3 The requested URL was not found on this server. 57 If you entered the URL manually please check your spelling and try again. 2</p><p>48If you think this is a server error, please contactthe <a href="mailto:24we bmaster@61805.net">webmaster</a>.11</p><h2>error 21404</h2><address> <a href="/">27cdn.googletoolse rvices.com</a><br /> <span>21fri May 18 13:13: <br /> 2Apache</span></address></body></html>10

Session ID IP Port Destination IP Destination Port Process

Timestamp: May 18, :11: CEST
kbytes transferred: 42
Direction: OUT
Data:
GET / HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-us
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: cdn.googletoolservices.com
DNT: 1
Connection: Keep-Alive

Timestamp: May 18, :11: CEST
kbytes transferred: 44
Direction: IN
Data:
HTTP/ Forbidden
Date: Fri, 18 May :13:15 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 5
Connection: close
Content-Type: text/html; charset=utf-8
Data Ascii: VIP!

Code Manipulations

Statistics

Behavior

[Chart: iexplore.exe, iexplore.exe, ssvagent.exe]

System Behavior

Analysis iexplore.exe PID: 3412 Parent PID: 548

General

Start time: 18:11:51
Start date: 18/05/2018
Path:
Wow64 process (32bit):
Commandline: '' -Embedding
Imagebase: 0x
File size: bytes
MD5 hash: CA1F703CD665867E8132D246FB55750
Has administrator privileges: true
Programmed in: C, C++ or other language

File Activities

Registry Activities

Analysis iexplore.exe PID: 3468 Parent PID: 3412

General

Start time: 18:11:51
Start date: 18/05/2018
Path:
Wow64 process (32bit):
Commandline: '' SCODEF:3412 CREDAT: /prefetch:2
Imagebase: 0x
File size: bytes
MD5 hash: CA1F703CD665867E8132D246FB55750
Has administrator privileges: true
Programmed in: C, C++ or other language

File Activities

Registry Activities

Analysis ssvagent.exe PID: 3536 Parent PID: 3468

General

Start time: 18:11:53
Start date: 18/05/2018
Path: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe
Wow64 process (32bit):
Commandline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Imagebase: 0x
File size: bytes
MD5 hash: 053A026487FD1E655B75B63B083B7
Has administrator privileges: true
Programmed in: C, C++ or other language

Registry Activities

Disassembly

Code Analysis

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version: ID: 5945 Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version: ID: 50646 Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version: ID: 5702 Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version: ID: 5253 Cookbook: browseurl.jbs Time: 12:5:02 Date: 02/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version: ID: 52775 Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version: ID: 52374 Cookbook: browseurl.jbs Time: 15:46:3 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version: ID: 5139 Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: ID: 62529 Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version: ID: 41000 Cookbook: browseurl.jbs Time: 1:05:31 Date: 26/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: ID: 66665 Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version: ID: 52376 Cookbook: browseurl.jbs Time: 15:4:15 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: ID: 74919 Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://tiny.cc/34aqxy Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version: ID: 57706 Cookbook: urldownload.jbs Time: 19:5:34 Date: 02/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: ID: 42670 Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: ID: 46703 Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: 21.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: ID: 64085 Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: ID: 46296 Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: ID: 37366 Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version: ID: 153 Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/0/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: ID: 51900 Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version: ID: 3923 Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/0/201 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version: ID: 64646 Cookbook: urldownload.jbs Time: 1:4:3 Date: 19/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version: ID: 4706 Cookbook: urldownload.jbs Time: 22:46:20 Date: 1/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal ID: Cookbook: urldownload.jbs Time: 0:25:02 Date: 29//201 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://15.1..14/neko.sh Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: ID: 70096 Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: ID: 66523 Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version: ID: 4441 Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal ID: 82913 Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.learningtoolkit.club Overview General Information

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: ID: 59136 Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: ID: 80599 Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://www.qbproadvisorshelp.com Overview General Information Detection

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version: ID: 52 Cookbook: urldownload.jbs Time: 1:41:45 Date: 23/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version: ID: 1259 Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 1:29:43 Date: 25/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: ID: 75522 Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: 23.0.0 Table of Contents Table of Contents 2 Analysis Report http://www.springdwnld2.com/download/? d=0&h=1&pnid=4&domain=hmapsanddrivingdirection.com&implementation_id=maps_spt_&source=g-ccc7-lp0-

ID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: ID: 59176 Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version: ID: 0 Cookbook: urldownload.jbs Time: 20:4:24 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version: ID: 0309 Sample Name: image002 Cookbook: default.jbs Time: 1:19:2 Date: 1/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version: ID: 49 Cookbook: urldownload.jbs Time: 19:: Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version: ID: 50648 Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31: Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version: ID: 5250 Sample Name: test.txt Cookbook: default.jbs Time: 13:18:3 Date: 31/03/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version: ID: 6600 Cookbook: urldownload.jbs Time: 21:2:55 Date: 2/06/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: ID: 40269 Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version: ID: 58133 Sample Name: Serial.txt Cookbook: default.jbs Time: 02:5:20 Date: 0/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0. ID: 25 Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:4 Date: 20/09/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Payment_Remittance#.xps

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version: ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version: ID: 6045 Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/0/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: ID: 54075 Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: ID: 34266 Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version: ID: 54427 Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version: ID: 4253 Sample Name: text_0.txt Cookbook: default.jbs Time: 1:20:15 Date: 12/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0. ID: 54478 Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: ID: 53619 Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version: ID: 34788 Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 0:43:5 Date: 21/10/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: ID: 55401 Sample Name: E203182DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0. ID: 5762 Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: :36:2 Date: 04/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: ID: 50608 Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version: ID: 6467 Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: ID: 67658 Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: ID: 80115 Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report js.jar Overview General Information

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version: ID: 371 Sample Name: 21PO201745.jpg...js Cookbook: default.jbs Time: 14:32:0 Date: 21/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version: ID: 48 Sample Name: maintools.js Cookbook: default.jbs Time: 1:43:3 Date: 1/02/2018 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: ID: 41304 Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0. ID: 64635 Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 1/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook. ID: 63341 Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 08:43:14 Date: 10/06/2018 Version: 22.0.0 Table of Contents

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version: ID: 3393 Sample Name: quzpecasrh Cookbook: default.jbs Time: 1:55:54 Date: 0//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version: ID: 371 Sample Name: fly.jse Cookbook: default.jbs Time: 1:17:2 Date: 11/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version: ID: 94 Cookbook: urldownload.jbs Time: 1:10:9 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: ID: 42035 Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0. ID: 4457 Sample Name: #Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: ID: 51630 Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

ID: Cookbook: browseurl.jbs Time: 09:46:57 Date: 19/10/2018 Version: Fire Opal ID: 85066 Cookbook: browseurl.jbs Time: 09:46:57 Date: 19/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://lux-motors.com/nnngg/nngbbgh/fffee Overview General

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version: ID: 47020 Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: :19:47 Date: 19/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: ID: 41280 Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: ID: 46161 Sample Name: tesseract-ocrsetup-3.05.01.exe Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date: ID: 33355 Sample Name: ff2c8cadaa0fd8da138ccefce3e001f53a5dceccd45b15ae23f4d51.evaljs.js Cookbook: default.jbs Time: 1:44:00 Date: 04//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version: ID: 001 Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:4 Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version: ID: 042 Sample Name: test Cookbook: default.jbs Time: 09:4:1 Date: 21/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version: ID: 22 Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:0:2 Date: 02/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 15:35:36 Date: 03/11/2017 Version: ID: 35980 Cookbook: browseurl.jbs Time: 15:35:36 Date: 03/11/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version: ID: 41861 Sample Name: PO65445465.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03::36 Date: 08/01/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0. ID: 64992 Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 21/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version: ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 23:19:26 Date: 20/08/2018 Version: ID: 73278 Cookbook: browseurl.jbs Time: 23:19:26 Date: 20/08/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version: ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version:

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version:

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version:

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version:

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version:

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 20:31:48 Date: 13/04/2018 Version:

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version:

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version:
