ID: Cookbook: browseurl.jbs Time: 23:19:26 Date: 20/08/2018 Version:


Table of Contents

Analysis Report
Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
Signature Overview
    Networking:
    System Summary:
    Hooking and other Techniques for Hiding and Protection:
Behavior Graph
Simulations
    Behavior and APIs
Antivirus Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
Screenshots
Startup
Created / dropped Files
Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted URLs
    Contacted IPs
        Public
Static File Info
    No static file info
Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
    HTTPS Packets
Code Manipulations
Statistics
    Behavior
System Behavior
    Analysis iexplore.exe PID: 3464 Parent PID: 548
        General
        File Activities
        Registry Activities
    Analysis iexplore.exe PID: 3520 Parent PID: 3464
        General
        File Activities
        Registry Activities
    Analysis ssvagent.exe PID: 3588 Parent PID: 3520
        General
        Registry Activities
Disassembly

Copyright Joe Security LLC 2018

Analysis Report

Overview

General Information
    Joe Sandbox Version:
    Analysis ID:
    Start date:
    Start time: 23:19:26
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 4m 44s
    Hypervisor based Inspection enabled:
    Report type: light
    Cookbook file name: browseurl.jbs
    Sample URL: ces=smalt-buffalo&cid=dv27d2a141a45911e8 81fd0685b3f519305b0236c0a45411e881fd0685 b3f f4471accad4b&br=&cr=unknow n&country=us
    Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
    Number of analysed new started processes analysed: 9
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies: EGA enabled
    Analysis stop reason: Timeout
    Detection: CLEAN
    Classification: clean0.win@5/35@6/3
    Cookbook Comments:
        Adjust boot time
        Correcting counters for adjusted boot time
        Browsing link: ationskills.review/popup1/?utm_sources=smaltbuffalo&cid =dv27d2a141a45911e881fd0685b3f b0236c0a45411e881fd0685b 3f f4471accad4b& br=&cr=unknown&country=us#
    Warnings:
        Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
        HTTP Packets have been reduced
        TCP Packets have been reduced to 100
        Report size getting too big, too many NtDeviceIoControlFile calls found.
        Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection
    Strategy   Score  Range  Reporting       Detection
    Threshold                Report FP / FN

Confidence
    Strategy   Score  Range  Further Analysis Required?  Confidence
    Threshold                true

Classification
    [Classification chart: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: clean, suspicious, malicious]

Analysis Advice
    Sample HTTP request are all non existing, likely the sample is no longer working
    Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
    Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Networking:
    Downloads files
    Downloads files from webservers via HTTP
    Found strings which match to known social media urls
    Performs DNS lookups
    Tries to download non-existing http data (HTTP/ Not Found)
    Urls found in memory or binary data
    Uses HTTPS

System Summary:
    Searches the installation path of Mozilla Firefox
    Classification label
    Creates files inside the user directory
    Creates temporary files
    Reads ini files
    Reads software policies
    Spawns processes
    Uses an in-process (OLE) Automation server
    Found graphical window changes (likely an installer)
    Uses new MSVCR Dlls

Hooking and other Techniques for Hiding and Protection:
    Disables application error messsages (SetErrorMode)

Behavior Graph
    ID: URL: Startdate: 20/08/2018 Architecture: WINDOWS Score: 0
    [Behavior graph figure: iexplore.exe started iexplore.exe, which started ssvagent.exe; network nodes cs9.wpc.v0cdn.net, ssl.au.sf-stg.com.c.footprint.net, communicationskills.review and 6 other IPs or domains]

Simulations

Behavior and APIs
    Time      Type             Description
    23:19:43  API Interceptor  1x Sleep call for process: ssvagent.exe modified

Antivirus Detection

Initial Sample
    Source Detection Scanner Label Link
    81fd0685b3f519305b0236c0a45411e881fd0685b3f f4471accad4b&br=&cr=unknow n&country=us 0% virustotal Browse

Dropped Files
    No Antivirus matches

Unpacked PE Files
    No Antivirus matches

Domains
    Source Detection Scanner Label Link
    communicationskills.review 0% virustotal Browse
    ssl.au.sf-stg.com.c.footprint.net 0% virustotal Browse
    cs9.wpc.v0cdn.net 1% virustotal Browse
    0% virustotal Browse
    prd-static-default-2.sf-cdn.com 0% virustotal Browse
    prd-static-default.sf-cdn.com 0% virustotal Browse
    prd-static-default-1.sf-cdn.com 0% virustotal Browse

URLs
    Source Detection Scanner Label Link
    0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 81fd0685b3f519305b0236c0a45411e881fd0685b3f f4471accad4b&br=&cr=unknow n&country=us 81fd0685b3f519305b0236c0a45411e881fd0685b3f f4471accad4b&br=&cr=unknow n&country=us jpg jpg 0% virustotal Browse 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe jpg jpg 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe jpg tf 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe ot? 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe jpg 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe x jpg 0% Avira URL Cloud safe 0% Avira URL Cloud safe

Yara Overview

Initial Sample
    No yara matches

PCAP (Network Traffic)
    No yara matches

Dropped Files
    No yara matches

Memory Dumps
    No yara matches

Unpacked PEs
    No yara matches

Joe Sandbox View / Context

IPs
    No context

Domains
    No context

ASN
    No context

Dropped Files
    No context

Startup

System is w7
    iexplore.exe (PID: 3464 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750)
        iexplore.exe (PID: 3520 cmdline: '' SCODEF:3464 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750)
            ssvagent.exe (PID: 3588 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7)
cleanup

Created / dropped Files

C:\Users\HERBBL~1\AppData\Local\Temp\~DF0A355C89F992E971.TMP
    File Type: FoxPro FPT, blocks size 258, next free block index
C:\Users\HERBBL~1\AppData\Local\Temp\~DF459360BF6465BA06.TMP
    File Type: FoxPro FPT, blocks size 258, next free block index
C:\Users\HERBBL~1\AppData\Local\Temp\~DF9CFB1E386BB7844D.TMP
    File Type: FoxPro FPT, blocks size 258, next free block index
C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico
    File Type: PNG image data, 16 x 16, 4-bit colormap, non-interlaced
    Size (bytes): 237
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\YWD82FSO\communicationskills[1].xml
    File Type: ASCII text, with no line terminators
    Size (bytes): 13
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C068ABA1-A4BE-11E8-B7AC-B2C276BF9C88}.dat
    File Type: Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C068ABA3-A4BE-11E8-B7AC-B2C276BF9C88}.dat
    File Type: Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C7A01D50-A4BE-11E8-B7AC-B2C276BF9C88}.dat
    File Type: Microsoft Word Document
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\fb4mf11\imagestore.dat
    File Type: data
    Size (bytes): 845
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ _Deals-wall-panel-UKIE-336x [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ _Deals-magnets-UKIE-336x [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ _eu-delivery-980x470-uk [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ _tracked-delivery-980x470-uk [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ _Deals-gift-finder-UKIE-336x [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\ _1-Deals-UKIE-336x [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\crm D--UK_EN [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\UK-crm_ _Phone_wide--UK_EN [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\UK-crm_ _blog_wide--UK_EN [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\app[1].css
    File Type: ASCII text, with very long lines, with no line terminators
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\favicon[2].ico
    File Type: PNG image data, 16 x 16, 4-bit colormap, non-interlaced
    Size (bytes): 237
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\popup1[1].htm
    File Type: HTML document, UTF-8 Unicode text, with very long lines
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\sf_favicon_16x16_ _xim_icon[1].png
    File Type: PNG image data, 16 x 16, 8-bit colormap, non-interlaced
    Size (bytes): 577
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\user-data[1]
    File Type: ASCII text, with very long lines, with no line terminators
    Size (bytes): 2003
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ _980x470-uk [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\ _1-Deals-UKIE-336x [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\common-lockup[1].css
    File Type: ASCII text, with very long lines
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\crm UK_EN [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\jquery.min.js[1].download
    File Type: ASCII text, with very long lines
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\urlblockindex[1].bin
    File Type: data
    Size (bytes): 16
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\ _Deals-UKIE-336x [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\ _Deals-UKIE-336x [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\ _2-Deals-UKIE-336x [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\ _2-Deals-UKIE-336x [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\UK-crm_ _10OFF--UK_EN [1].jpg
    File Type: JPEG image data, EXIF standard
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\UK_CRM_170713_3for5magnets--UK_EN [1].jpg
    File Type: JPEG image data, EXIF standard

Contacted Domains/Contacted IPs

Contacted Domains
    Name IP Active Malicious Antivirus Detection Reputation
    communicationskills.review true 0%, virustotal, Browse unknown
    ssl.au.sf-stg.com.c.footprint.net true 0%, virustotal, Browse high
    cs9.wpc.v0cdn.net true 1%, virustotal, Browse unknown
    unknown unknown 0%, virustotal, Browse
    prd-static-default-2.sf-cdn.com unknown unknown 0%, virustotal, Browse unknown
    prd-static-default.sf-cdn.com unknown unknown 0%, virustotal, Browse unknown
    prd-static-default-1.sf-cdn.com unknown unknown 0%, virustotal, Browse unknown

Contacted URLs
    Name Process
    c0a45411e881fd0685b3f f4471accad4b&br=&cr=unknown&country=us

Contacted IPs

Public
    IP Country Flag ASN ASN Name Malicious
    United States 1326 ANSBB-ASNNET-1-AdvancedNetworksServicesIncUS
    United States LVLT Level3CommunicationsIncUS
    United States AS-CHOOPA-ChoopaLLCUS

Static File Info
    No static file info

Network Behavior

Network Port Distribution
    Total Packets: (HTTP) 53 (DNS)

DNS Queries
    Trans ID  OP Code             Name                             Type            Class
    x346d     Standard query (0)  communicationskills.review       A (IP address)  IN (0x0001)
    x5277     Standard query (0)  prd-static-default-2.sf-cdn.com  A (IP address)  IN (0x0001)
    x7372     Standard query (0)  prd-static-default-1.sf-cdn.com  A (IP address)  IN (0x0001)
    xc614     Standard query (0)  sh.co.uk                         A (IP address)  IN (0x0001)
    xdd83     Standard query (0)  prd-static-default.sf-cdn.com    A (IP address)  IN (0x0001)
    x64c3     Standard query (0)  prd-static-default.sf-cdn.com    A (IP address)  IN (0x0001)

DNS Answers
    Trans ID  Replay Code   Name                               CName                                       Type                    Class
    x346d     No error (0)  communicationskills.review                                                     A (IP address)          IN (0x0001)
    x5277     No error (0)  prd-static-default-2.sf-cdn.com    ssl.au.sf-stg.com.c.footprint.net           CNAME (Canonical name)  IN (0x0001)
    x5277     No error (0)  ssl.au.sf-stg.com.c.footprint.net                                              A (IP address)          IN (0x0001)
    x7372     No error (0)  prd-static-default-1.sf-cdn.com    ssl.au.sf-stg.com.c.footprint.net           CNAME (Canonical name)  IN (0x0001)
    x7372     No error (0)  ssl.au.sf-stg.com.c.footprint.net                                              A (IP address)          IN (0x0001)
    xc614     No error (0)  sh.co.uk                           origin-snapfishwww.snapfish.com.akadns.net  CNAME (Canonical name)  IN (0x0001)
    xdd83     No error (0)  prd-static-default.sf-cdn.com      ssl.au.sf-stg.com.c.footprint.net           CNAME (Canonical name)  IN (0x0001)
    xdd83     No error (0)  ssl.au.sf-stg.com.c.footprint.net                                              A (IP address)          IN (0x0001)
    x64c3     No error (0)  prd-static-default.sf-cdn.com      ssl.au.sf-stg.com.c.footprint.net           CNAME (Canonical name)  IN (0x0001)
    x64c3     No error (0)  ssl.au.sf-stg.com.c.footprint.net                                              A (IP address)          IN (0x0001)
    x3747     No error (0)  ie9comview.vo.msecnd.net           cs9.wpc.v0cdn.net                           CNAME (Canonical name)  IN (0x0001)
    x3747     No error (0)  cs9.wpc.v0cdn.net                                                              A (IP address)          IN (0x0001)

HTTP Request Dependency Graph
    communicationskills.review

HTTP Packets
    Session ID Source IP Source Port Destination IP Destination Port Process
    kbytes transferred Direction Data

    OUT  GET /popup1/?utm_sources=smalt-buffalo&cid=dv27d2a141a45911e881fd0685b3f519305b0236c0a45411e881fd068 5b3f f4471accad4b&br=&cr=unknown&country=us HTTP/1.1
         Accept: text/html, application/xhtml+xml, */*

    IN   HTTP/ OK
         Date: Mon, 20 Aug :20:03 GMT
         Content-Type: text/html; charset=utf-8
         Transfer-Encoding: chunked
         Vary: Accept-Encoding
         Expires: Fri, 02 Jul :49:22 GMT
         Last-Modified: Mon, 20 Aug :20:03 GMT
         Pragma: no-cache
         Cache-Control: no-store, no-cache, must-revalidate, max-age=0
         X-Frame-Options: SAMEORIGIN
         X-XSS-Protection: 1; mode=block
         X-Content-Type-Options: nosniff
         Content-Encoding: gzip

    OUT  GET /popup1/index_files/app.css HTTP/1.1
         Accept: text/css, */*

    IN   HTTP/ OK
         Date: Mon, 20 Aug :20:03 GMT
         Content-Type: text/css
         Last-Modified: Thu, 20 Jul :22:35 GMT
         Transfer-Encoding: chunked
         Vary: Accept-Encoding
         ETag: W/"5970bcab-4de1f"
         Expires: Wed, 19 Sep :20:03 GMT
         Cache-Control: max-age=
         Pragma: public
         Cache-Control: public, must-revalidate, proxy-revalidate
         Content-Encoding: gzip

    OUT  GET /popup1/index_files/ _2-deals-ukie-336x jpg HTTP/1.1
         Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5

    OUT  GET /popup1/index_files/ _2-deals-ukie-336x jpg HTTP/1.1
         Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version: ID: 5945 Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: ID: 74919 Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://tiny.cc/34aqxy Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: ID: 66665 Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version: ID: 50646 Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version: ID: 5139 Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version: ID: 5253 Cookbook: browseurl.jbs Time: 12:5:02 Date: 02/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: ID: 59176 Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version: ID: 52775 Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version: ID: 5702 Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version: ID: 52374 Cookbook: browseurl.jbs Time: 15:46:3 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: ID: 62529 Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: ID: 64085 Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version: ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version: ID: 41000 Cookbook: browseurl.jbs Time: 1:05:31 Date: 26/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version:

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: ID: 42670 Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: ID: 70096 Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: ID: 80599 Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://www.qbproadvisorshelp.com Overview General Information Detection

More information

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: ID: 66523 Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: ID: 46296 Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: ID: 51900 Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version: ID: 52376 Cookbook: browseurl.jbs Time: 15:4:15 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal ID: 82913 Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.learningtoolkit.club Overview General Information

More information

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version: ID: 153 Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/0/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version:

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: ID: 37366 Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: ID: 75522 Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: 23.0.0 Table of Contents Table of Contents 2 Analysis Report http://www.springdwnld2.com/download/? d=0&h=1&pnid=4&domain=hmapsanddrivingdirection.com&implementation_id=maps_spt_&source=g-ccc7-lp0-

More information

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: ID: 46703 Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: 21.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 09:46:57 Date: 19/10/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 09:46:57 Date: 19/10/2018 Version: Fire Opal ID: 85066 Cookbook: browseurl.jbs Time: 09:46:57 Date: 19/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://lux-motors.com/nnngg/nngbbgh/fffee Overview General

More information

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: ID: 59136 Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version: ID: 57706 Cookbook: urldownload.jbs Time: 19:5:34 Date: 02/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal ID: Cookbook: urldownload.jbs Time: 0:25:02 Date: 29//201 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://15.1..14/neko.sh Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: ID: 54075 Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version: ID: 60306 Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version: ID: 64646 Cookbook: urldownload.jbs Time: 1:4:3 Date: 19/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version: ID: 3923 Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/0/201 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version:

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version: ID: 54427 Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version: ID: 4706 Cookbook: urldownload.jbs Time: 22:46:20 Date: 1/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0.

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0. ID: 54478 Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version:

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version: ID: 50648 Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31: Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0.

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0. ID: 5762 Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: :36:2 Date: 04/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: ID: 40269 Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: ID: 67658 Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview

More information

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version:

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version: ID: 1259 Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 1:29:43 Date: 25/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version: ID: 4441 Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version:

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: ID: 80115 Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report js.jar Overview General Information

More information

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version:

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version: ID: 0309 Sample Name: image002 Cookbook: default.jbs Time: 1:19:2 Date: 1/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version:

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version: ID: 34788 Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 0:43:5 Date: 21/10/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

More information

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: ID: 34266 Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version:

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: ID: 42035 Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0.

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0. ID: 64635 Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 1/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version: ID: 0 Cookbook: urldownload.jbs Time: 20:4:24 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version: ID: 52 Cookbook: urldownload.jbs Time: 1:41:45 Date: 23/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0.

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0. ID: 25 Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:4 Date: 20/09/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Payment_Remittance#.xps

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

More information

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version:

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version: ID: 5250 Sample Name: test.txt Cookbook: default.jbs Time: 13:18:3 Date: 31/03/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version: ID: 6600 Cookbook: urldownload.jbs Time: 21:2:55 Date: 2/06/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook. ID: 63341 Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 08:43:14 Date: 10/06/2018 Version: 22.0.0 Table of Contents

More information

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version:

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version: ID: 6045 Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/0/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version:

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version: ID: 58133 Sample Name: Serial.txt Cookbook: default.jbs Time: 02:5:20 Date: 0/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version: ID: 49 Cookbook: urldownload.jbs Time: 19:: Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice

More information

ID: Cookbook: browseurl.jbs Time: 15:35:36 Date: 03/11/2017 Version:

ID: Cookbook: browseurl.jbs Time: 15:35:36 Date: 03/11/2017 Version: ID: 35980 Cookbook: browseurl.jbs Time: 15:35:36 Date: 03/11/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version:

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version: ID: 4253 Sample Name: text_0.txt Cookbook: default.jbs Time: 1:20:15 Date: 12/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: ID: 41304 Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview

More information

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version:

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version: ID: 48 Sample Name: maintools.js Cookbook: default.jbs Time: 1:43:3 Date: 1/02/2018 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version:

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: ID: 41280 Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version:

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: ID: 55401 Sample Name: E203182DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version:

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version: ID: 22 Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:0:2 Date: 02/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version:

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version: ID: 6467 Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version:

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version: ID: 371 Sample Name: 21PO201745.jpg...js Cookbook: default.jbs Time: 14:32:0 Date: 21/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version: ID: 40237 Cookbook: browseurl.jbs Time: 00:29:59 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version:

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version: ID: 3393 Sample Name: quzpecasrh Cookbook: default.jbs Time: 1:55:54 Date: 0//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version:

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version: ID: 001 Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:4 Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: ID: 51630 Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0. ID: 61258 Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version:

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: ID: 53619 Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: ID: 46161 Sample Name: tesseract-ocrsetup-3.05.01.exe Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version:

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version: ID: 042 Sample Name: test Cookbook: default.jbs Time: 09:4:1 Date: 21/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date:

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: ID: 41310 Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: 31/12/2017 Version: 20.0.0 Table of Contents Analysis Report

More information

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version:

ID: 50608 Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0.

ID: 4457 Sample Name: #Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version:

ID: 371 Sample Name: fly.jse Cookbook: default.jbs Time: 1:17:2 Date: 11/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version:

ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version:

ID: 47020 Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: :19:47 Date: 19/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version:

ID: 41861 Sample Name: PO65445465.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03::36 Date: 08/01/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version:

ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version:

ID: 82 Sample Name: GeZNwROcB.bin Cookbook: default.jbs Time: 1:22:4 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version:

ID: 94 Cookbook: urldownload.jbs Time: 1:10:9 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Cookbook: browseurl.jbs Time: 03:15:55 Date: 26/01/2019 Version: Tiger's Eye

ID: 106158 Cookbook: browseurl.jbs Time: 03:15:55 Date: 26/01/2019 Version: 25.0.0 Tiger's Eye Table of Contents Table of Contents Analysis Report http://viads.blogsyte.com/target/ Overview General Information

ID: Sample Name: Unconfirmed crdownload Cookbook: default.jbs Time: 22:58:07 Date: 08/11/2017 Version:

ID: 80 Sample Name: Unconfirmed.crdownload Cookbook: default.jbs Time: 22:8:0 Date: 08/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version:

ID: Sample Name: gpgwin-.0..exe.sig Cookbook: default.jbs Time: 21::1 Date: 02/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:54:49 Date: 26/01/2018 Version:

ID: 44024 Sample Name: vlaue.exe Cookbook: default.jbs Time: 18:4:49 Date: 2/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version:

ID: 4019 Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24: Date: 1/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: Fire Opal

ID: 92832 Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.winsupport.ml Overview Information Detection Confidence

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version:

ID: 388 Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:4 Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: 2 Sample Name:._k.php Cookbook: default.jbs Time: 0:41:1 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version:

ID: 3626 Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 0:0:14 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:

ID: 45263 Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0.

ID: 64992 Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 21/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date:

ID: 33355 Sample Name: ff2c8cadaa0fd8da138ccefce3e001f53a5dceccd45b15ae23f4d51.evaljs.js Cookbook: default.jbs Time: 1:44:00 Date: 04//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report

ID: Cookbook: browseurl.jbs Time: 22:37:32 Date: 10/04/2018 Version:

ID: 54066 Cookbook: browseurl.jbs Time: 22:37:32 Date: 10/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis