ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version:


Table of Contents

Analysis Report
Overview: General Information; Detection; Confidence; Classification; Analysis Advice
Signature Overview: Software Vulnerabilities; Networking; Persistence and Installation Behavior; Spreading; System Summary; HIPS / PFW / Operating System Protection Evasion; Anti Debugging; Malware Analysis System Evasion; Hooking and other Techniques for Hiding and Protection; Language, Device and Operating System Detection
Behavior Graph
Simulations: Behavior and APIs
Antivirus Detection: Initial Sample; Dropped Files; Unpacked PE Files; Domains
Yara Overview: Initial Sample; PCAP (Network Traffic); Dropped Files; Memory Dumps; Unpacked PEs
Joe Sandbox View / Context: IPs; Domains; ASN; Dropped Files
Screenshot
Startup
Created / dropped Files
Contacted Domains/Contacted IPs: Contacted Domains; Contacted IPs
Static File Info: No static file info
Network Behavior: Network Port Distribution; TCP Packets; UDP Packets; DNS Queries; DNS Answers; HTTP Request Dependency Graph; HTTP Packets
Code Manipulations
Statistics: Behavior
System Behavior:
  Analysis Process: iexplore.exe PID: 3456 Parent PID: 548 (General; File Activities; Registry Activities)
  Analysis Process: iexplore.exe PID: 3512 Parent PID: 3456 (General; File Activities; Registry Activities)
  Analysis Process: ssvagent.exe PID: 3620 Parent PID: 3512 (General; Registry Activities)
  Analysis Process: rundll32.exe PID: 4092 Parent PID: 3456 (General; File Activities; Registry Activities)
  Analysis Process: ehshell.exe PID: 2512 Parent PID: 4092 (General; File Activities: File Created, File Written; Registry Activities: Key Created, Key Value Created, Key Value Modified)
  Analysis Process: vga256.dll PID: 4 Parent PID: -1 (General)
  Analysis Process: vga64k.dll PID: 4 Parent PID: -1 (General)
Disassembly: Code Analysis

Copyright Joe Security LLC 2018

Analysis Report

Overview

General Information

Joe Sandbox Version:
Analysis ID:
Start time: 15:26:33
Joe Sandbox Product: CloudBasic
Start date:
Overall analysis duration: 0h 5m 45s
Hypervisor based Inspection enabled:
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: Files/Smrf.NodeXL.ExcelTemplate_1_0_1_394/Smrf.NodeXL.Control.Wpf.dll.deploy
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 4
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.expl.win@9/26@1/2
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments: Adjust boot time; Correcting counters for adjusted boot time; URL browsing timeout

Warnings:
- Exclude process from analysis (whitelisted): WmiApSrv.exe, vga.dll, dllhost.exe
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtDeviceIoControlFile calls found.
- Report size getting too big, too many NtEnumerateKey calls found.
- Report size getting too big, too many NtEnumerateValueKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtQueryVolumeInformationFile calls found.
- Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: ehshell.exe

Detection

[Table headings only, values not preserved: Strategy Score Range Reporting Detection Threshold]

Confidence

[Table headings only, values not preserved: Strategy Score Range Further Analysis Required? Confidence Threshold]

Classification

[Classification chart. Axis labels: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Rings: malicious, suspicious, clean.]

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Signature Overview

Software Vulnerabilities:
- Browser exploit detected (process start blacklist hit)

Networking:
- Downloads files
- Downloads files from webservers via HTTP
- Found strings which match to known social media urls
- Performs DNS lookups
- Urls found in memory or binary data
- Downloads executable code via HTTP
- Social media urls found in memory data

Persistence and Installation Behavior:
- Drops PE files
- Drops files with a non-matching file extension (content does not match file extension)

Spreading:
- Enumerates the file system

System Summary:
- Found GUI installer (many successful clicks)
- Uses Rich Edit Controls
- Found graphical window changes (likely an installer)
- Checks if Microsoft Office is installed
- Uses new MSVCR Dlls
- Binary contains paths to debug symbols
- Classification label
- Creates files inside the user directory
- Creates temporary files
- Parts of this applications are using the .net runtime (Probably coded in C#)
- Reads ini files
- Reads software policies
- Runs a DLL by calling functions
- Spawns processes
- Uses an in-process (OLE) Automation server
- Creates mutexes
- Searches the installation path of Mozilla Firefox
- Spawns drivers
- Tries to load missing DLLs

HIPS / PFW / Operating System Protection Evasion:
- May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:
- Creates guard pages, often used to prevent reverse engineering and debugging
- Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
- Enables debug privileges

Malware Analysis System Evasion:
- Queries a list of all running processes
- Contains long sleeps (>= 3 min)
- Enumerates the file system

Hooking and other Techniques for Hiding and Protection:
- Disables application error messages (SetErrorMode)

Language, Device and Operating System Detection:
- Queries the cryptographic machine GUID
- Queries the volume information (name, serial number etc) of a device

Behavior Graph

[Behavior graph. URL: Files/... Startdate: 16/03/2018 Architecture: WINDOWS Score: 48.
Process nodes: iexplore.exe, iexplore.exe, rundll32.exe, ssvagent.exe, ehshell.exe, vga256.dll, vga64k.dll.
Signatures shown on the graph: Drops files with a non-matching file extension (content does not match file extension); Browser exploit detected (process start blacklist hit).
Network nodes: GOOGLE-GoogleIncUS, United States; AMAZON-AES-AmazoncomIncUS, United States.
Dropped file nodes: Smrf.NodeXL.Contro...loy.psokecy.partial, PE32; C:\...\Smrf.NodeXL.Control.Wpf.dll[1].deploy, PE32.]

Simulations

Behavior and APIs

Time      Type             Description
15:27:50  API Interceptor  6107x Sleep call for process: iexplore.exe modified
15:27:54  API Interceptor  1x Sleep call for process: ssvagent.exe modified
15:28:38  API Interceptor  2x Sleep call for process: rundll32.exe modified
15:29:01  API Interceptor  347x Sleep call for process: ehshell.exe modified

Antivirus Detection

Initial Sample: No Antivirus matches
Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: Detection 0%, Scanner virustotal

Yara Overview

Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context

IPs: No context
Domains: No context
ASN: No context
Dropped Files: No context

Screenshot

Startup

System is w7
- iexplore.exe (PID: 3456 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: CA1F703CD665867E8132D2946FB55750)
  - iexplore.exe (PID: 3512 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3456 CREDAT: /prefetch:2 MD5: CA1F703CD665867E8132D2946FB55750)
    - ssvagent.exe (PID: 3620 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new MD5: 0953A FD1E655B75B63B9083B7)
  - rundll32.exe (PID: 4092 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\Smrf.NodeXL.Control.Wpf.dll.deploy MD5: C E275C8F2AD04B687A68CE2)
    - ehshell.exe (PID: 2512 cmdline: 'C:\Windows\eHome\ehshell.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\Smrf.NodeXL.Control.Wpf.dll.deploy' MD5: B0222BD0F9D97488D691BCC02B051A92)
- vga256.dll (PID: 4 cmdline: unknown MD5: B11BCD430977E5FBCB3A5804C675C5A0)
- vga64k.dll (PID: 4 cmdline: unknown MD5: 7FFE091344E7939B3BAD6E8ADAD617B3)
- cleanup

Created / dropped Files

- C:\ProgramData\Microsoft\eHome\logs\FirstRun.log
  XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF, LF line terminators; Size (bytes): 562
- C:\ProgramData\Microsoft\eHome\mcepg2-0.db
  data
- C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log
  ASCII text, with CRLF line terminators; Size (bytes): 89
- C:\Users\HERBBL~1\AppData\Local\Temp\~DF0812B22E6BFDB390.TMP
  FoxPro FPT, blocks size 258, next free block index
- C:\Users\HERBBL~1\AppData\Local\Temp\~DF8F49440D676AD82A.TMP
  FoxPro FPT, blocks size 258, next free block index
- C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4
  data; Size (bytes): 471
- C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
  data; Size (bytes): 4221
- C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  data; Size (bytes): 340
- C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04
  data; Size (bytes): 868
- C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
  data; Size (bytes): 226
- C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1
  data
- C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml
  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{33D E8-B7AC-B2C276BF9C88}.dat
  Microsoft Word Document
- C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{33D E8-B7AC-B2C276BF9C88}.dat
  Microsoft Word Document
- C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver29E4.tmp
  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\iecompatviewlist[1].xml
  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\suggestions[1].en-US
  data
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\Smrf.NodeXL.Control.Wpf.dll[1].deploy
  PE32 executable (DLL) (console) Intel Mono/.Net assembly, for MS Windows; trailing flag: true (label not preserved)
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\urlblockindex[1].bin
  data; Size (bytes): 16
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\Smrf.NodeXL.Control.Wpf.dll.deploy.psokecy.partial
  PE32 executable (DLL) (console) Intel Mono/.Net assembly, for MS Windows; trailing flag: true (label not preserved)
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\Smrf.NodeXL.Control.Wpf.dll.deploy.psokecy.partial:Zone.Identifier
  ASCII text, with CRLF line terminators; Size (bytes): 26
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\Smrf.NodeXL.Control.Wpf.dll.deploy:Zone.Identifier
  very short file (no magic); Size (bytes): 1; Entropy (8bit): 0.0
- C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S \8f96978fc46d9f00d d7_0f4f fa-4204-b1c4-585fbb81cd25
  data; Size (bytes): 59
- \samr
  Hitachi SH big-endian COFF object, not stripped; Size (bytes): 116

Contacted Domains/Contacted IPs

Contacted Domains

Columns: Name, IP, Active, Malicious, Antivirus Detection
Surviving row values (name and IP not preserved): true; 0%, virustotal

Contacted IPs

Columns: IP, Country, Flag, ASN, ASN Name, Malicious
- (IP not preserved) United States, AMAZON-AES-AmazoncomIncUS
- (IP not preserved) United States, GOOGLE-GoogleIncUS

Static File Info

No static file info

Network Behavior

Network Port Distribution

Total Packets: (HTTP) 53 (DNS)

TCP Packets

[Table: Timestamp, Port, Dest Port, IP, Dest IP. Rows survive only as truncated "Mar 16, :27: CET" and "Mar 16, :28: CET" timestamps; ports and addresses are not preserved.]

UDP Packets

[Table: Timestamp, Port, Dest Port, IP, Dest IP. Rows survive only as truncated "Mar 16, :27: CET" and "Mar 16, :28: CET" timestamps; ports and addresses are not preserved.]

DNS Queries

Columns: Timestamp, IP, Dest IP, Trans ID, OP Code, Name, Type, Class
- Mar 16, :27: CET; Trans ID: x6bb9; OP Code: Standard query (0); Name: graphgallery.org; Type: A (IP address); Class: IN (0x0001)

DNS Answers

Columns: Timestamp, IP, Dest IP, Trans ID, Replay Code, Name, CName, Address, Type, Class
- Mar 16, 15:27: CET; Trans ID: x6bb9; Replay Code: No error (0); Name: graphgallery.org; Type: A (IP address); Class: IN (0x0001)

HTTP Request Dependency Graph

HTTP Packets

Columns: Session ID, IP, Port, Destination IP, Destination Port, Process
Process: C:\Program Files\Internet Explorer\iexplore.exe
Columns: Timestamp, kbytes transferred, Direction, Data

Timestamp: Mar 16, :27: CET; kbytes transferred: 1; Direction: OUT

  GET /NodeXLSetup/Application%20Files/Smrf.NodeXL.ExcelTemplate_1_0_1_394/Smrf.NodeXL.Control.Wpf.dll.deploy HTTP/1.1
  Accept: text/html, application/xhtml+xml, */*
  Accept-Language: en-us
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host:
  DNT: 1
  Connection: Keep-Alive

Timestamp: Mar 16, :27: CET; kbytes transferred: 3; Direction: IN

  HTTP/ OK
  Content-Type: application/octet-stream
  Last-Modified: Thu, 08 Mar :52:33 GMT
  Accept-Ranges: bytes
  ETag: "509b813c6b7d31:0"
  Server: Microsoft-IIS/10.0
  X-Powered-By: ASP.NET
  Date: Fri, 16 Mar :27:21 GMT
  Content-Length:

Code Manipulations

Statistics

Behavior

[Chart legend: iexplore.exe, iexplore.exe, ssvagent.exe, rundll32.exe, ehshell.exe, vga256.dll, vga64k.dll]

System Behavior

Analysis Process: iexplore.exe PID: 3456 Parent PID: 548

General
Start time: 15:27:49
Start date: 16/03/2018
Path: C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0x12a
File size: bytes
MD5 hash: CA1F703CD665867E8132D2946FB55750
Has administrator privileges: true
Programmed in: C, C++ or other language

File Activities
[Table headings only: File Path, Access, Attributes, Options, Completion, Count; Old File Path, New File Path; Offset, Length, Value, Ascii]

Registry Activities
[Table headings only: Key Path, Name, Type, Data, Old Data, New Data, Completion, Count]

Analysis Process: iexplore.exe PID: 3512 Parent PID: 3456

General
Start time: 15:27:50
Start date: 16/03/2018
Path: C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3456 CREDAT: /prefetch:2
Imagebase: 0x12a
File size: bytes
MD5 hash: CA1F703CD665867E8132D2946FB55750
Has administrator privileges: true
Programmed in: C, C++ or other language

File Activities
[Table headings only: File Path, Access, Attributes, Options, Completion, Count; Offset, Length, Value, Ascii]

Registry Activities
[Table headings only: Key Path, Name, Type, Old Data, New Data, Completion, Count]

Analysis Process: ssvagent.exe PID: 3620 Parent PID: 3512

General
Start time: 15:27:54
Start date: 16/03/2018
Path: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe
Wow64 process (32bit):
Commandline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Imagebase: 0x
File size: bytes
MD5 hash: 0953A FD1E655B75B63B9083B7
Has administrator privileges: true
Programmed in: C, C++ or other language

Registry Activities
[Table headings only: Key Path, Name, Type, Data, Old Data, New Data, Completion, Count]

Analysis Process: rundll32.exe PID: 4092 Parent PID: 3456

General
Start time: 15:28:17
Start date: 16/03/2018
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit):

Commandline: 'C:\Windows\system32\rundll32.exe' C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\Smrf.NodeXL.Control.Wpf.dll.deploy
Imagebase: 0x
File size: bytes
MD5 hash: C E275C8F2AD04B687A68CE2
Has administrator privileges: true
Programmed in: C, C++ or other language

File Activities
[Table headings only: File Path, Access, Attributes, Options, Completion, Count; Offset, Length, Value, Ascii]

Registry Activities
[Table headings only: Key Path, Name, Type, Data, Completion, Count]

Analysis Process: ehshell.exe PID: 2512 Parent PID: 4092

General
Start time: 15:29:00
Start date: 16/03/2018
Path: C:\Windows\ehome\ehshell.exe
Wow64 process (32bit):
Commandline: 'C:\Windows\eHome\ehshell.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\Smrf.NodeXL.Control.Wpf.dll.deploy'
Imagebase: 0x3f
File size: bytes
MD5 hash: B0222BD0F9D97488D691BCC02B051A92
Has administrator privileges: true
Programmed in: .Net C# or VB.NET

File Activities

File Created

Columns: File Path; Access; Attributes; Options; Completion; Count; Address; Symbol
- c:\programdata\microsoft\ehome\mcepg2-0; read data or list directory and synchronize; normal; directory file and synchronous io non alert and open for backup ident and open reparse point; success or wait; 1; 13A061D; CreateDirectoryW
- c:\programdata\microsoft\ehome\mcepg2-0\blocks.mem; read attributes and synchronize and generic read and generic write; none; synchronous io non alert and non directory file and random access; success or wait; 1; 13A0838; CreateFileW
- c:\programdata\microsoft\ehome\counter.mem; read attributes and synchronize and generic read and generic write; none; synchronous io non alert and non directory file and random access; success or wait; 1; 13A0838; CreateFileW
- c:\programdata\microsoft\ehome\mcepg2-0\root.mem; read attributes and synchronize and generic read and generic write; none; synchronous io non alert and non directory file and random access; success or wait; 1; 13A0838; CreateFileW
- c:\programdata\microsoft\ehome\mcepg2-0\events.mem; read attributes and synchronize and generic read and generic write; none; synchronous io non alert and non directory file and random access; success or wait; 1; 13A0838; CreateFileW
- C:\Users\user\AppData\Roaming\Microsoft\eHome; read data or list directory and synchronize; normal; directory file and synchronous io non alert and open for backup ident and open reparse point; success or wait; 1; 13A061D; CreateDirectoryW
- C:\ProgramData\Microsoft\eHome\Logs\FirstRun.log; read attributes and synchronize and generic write; none; synchronous io non alert and non directory file and open no recall; success or wait; 1; 13A132F; CreateFileW

File Written

Columns: File Path; Offset; Length; Value; Ascii; Completion; Count; Address; Symbol
- C:\ProgramData\Microsoft\eHome\logs\FirstRun.log; offset unknown; written in a series of short WriteFile calls (each: success or wait; 1; 13A2113; WriteFile). The Ascii column shows UTF-16 text starting with the byte-order mark ff fe: an XML declaration with version and encoding, then FirstRun_Execution with Start_time, Username and Version fields.

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version: ID: 50646 Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version: ID: 5945 Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 12:58:02 Date: 02/04/2018 Version: ID: 5253 Cookbook: browseurl.jbs Time: 12:5:02 Date: 02/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/2018 Version: ID: 5702 Cookbook: browseurl.jbs Time: 13:46:19 Date: 09/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/2018 Version: ID: 5139 Cookbook: browseurl.jbs Time: 17:39:02 Date: 22/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/2018 Version: ID: 52775 Cookbook: browseurl.jbs Time: 13:10:41 Date: 01/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:46:38 Date: 29/03/2018 Version: ID: 52374 Cookbook: browseurl.jbs Time: 15:46:3 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:48:15 Date: 29/03/2018 Version: ID: 52376 Cookbook: browseurl.jbs Time: 15:4:15 Date: 29/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version:

ID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version: ID: 41000 Cookbook: browseurl.jbs Time: 1:05:31 Date: 26/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: ID: 51900 Cookbook: browseurl.jbs Time: 07:02:50 Date: 27/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version:

ID: Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: ID: 42670 Cookbook: browseurl.jbs Time: 10:12:02 Date: 15/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: ID: 46296 Cookbook: browseurl.jbs Time: 16:56:06 Date: 13/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:58:34 Date: 02/05/2018 Version: ID: 57706 Cookbook: urldownload.jbs Time: 19:5:34 Date: 02/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: ID: 59136 Cookbook: browseurl.jbs Time: 15:47:47 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: ID: 75522 Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: 23.0.0 Table of Contents Table of Contents 2 Analysis Report http://www.springdwnld2.com/download/? d=0&h=1&pnid=4&domain=hmapsanddrivingdirection.com&implementation_id=maps_spt_&source=g-ccc7-lp0-

More information

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/06/2018 Version: ID: 3923 Cookbook: urldownload.jbs Time: 20:09:25 Date: 13/0/201 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: ID: 67658 Cookbook: browseurl.jbs Time: 20:07:02 Date: 11/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview

More information

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: ID: 62529 Cookbook: browseurl.jbs Time: 16:58:45 Date: 04/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version:

ID: Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/08/2018 Version: ID: 153 Cookbook: urldownload.jbs Time: 20:31:22 Date: 09/0/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal

ID: Cookbook: urldownload.jbs Time: 08:25:02 Date: 29/10/2018 Version: Fire Opal ID: Cookbook: urldownload.jbs Time: 0:25:02 Date: 29//201 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://15.1..14/neko.sh Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version:

ID: Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: ID: 37366 Cookbook: browseurl.jbs Time: 22:12:09 Date: 17/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 18:48:38 Date: 19/06/2018 Version: ID: 64646 Cookbook: urldownload.jbs Time: 1:4:3 Date: 19/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version: ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version:

ID: Sample Name: 21PO jpg...js Cookbook: default.jbs Time: 14:32:06 Date: 21/11/2017 Version: ID: 371 Sample Name: 21PO201745.jpg...js Cookbook: default.jbs Time: 14:32:0 Date: 21/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: ID: 66665 Cookbook: browseurl.jbs Time: 20:56:26 Date: 03/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 16:41:45 Date: 23/06/2018 Version: ID: 52 Cookbook: urldownload.jbs Time: 1:41:45 Date: 23/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 22:46:20 Date: 19/02/2018 Version: ID: 4706 Cookbook: urldownload.jbs Time: 22:46:20 Date: 1/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: ID: 74919 Cookbook: browseurl.jbs Time: 14:46:55 Date: 31/08/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://tiny.cc/34aqxy Overview General Information Detection Confidence

More information

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version:

ID: Sample Name: fly.jse Cookbook: default.jbs Time: 18:17:26 Date: 11/11/2017 Version: ID: 371 Sample Name: fly.jse Cookbook: default.jbs Time: 1:17:2 Date: 11/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: ID: 46703 Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: 21.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: ID: 51630 Cookbook: browseurl.jbs Time: 00:12:30 Date: 24/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: ID: 59176 Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version:

ID: Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31:13 Date: 16/03/2018 Version: ID: 50648 Sample Name: FsQHOWXph8.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 20:31: Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version:

ID: Sample Name: image002 Cookbook: default.jbs Time: 18:19:28 Date: 18/05/2018 Version: ID: 0309 Sample Name: image002 Cookbook: default.jbs Time: 1:19:2 Date: 1/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version:

ID: Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: ID: 53619 Cookbook: urldownload.jbs Time: 11:39:45 Date: 07/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version:

ID: Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/2018 Version: ID: 4441 Cookbook: urldownload.jbs Time: 02:55:04 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version:

ID: Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/2018 Version: ID: 6467 Sample Name: Coss, Daniel.vcf Cookbook: default.jbs Time: 15:16:47 Date: 21/06/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: ID: 64085 Cookbook: browseurl.jbs Time: 20:04:11 Date: 14/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version:

ID: Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 18:29:43 Date: 25/05/2018 Version: ID: 1259 Sample Name: MobaXterm_installer.dat Cookbook: default.jbs Time: 1:29:43 Date: 25/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version: ID: 60306 Cookbook: browseurl.jbs Time: 18:10:52 Date: 18/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version:

ID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version: ID: 34788 Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 0:43:5 Date: 21/10/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information

More information

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version:

ID: Cookbook: urldownload.jbs Time: 19:53:36 Date: 07/03/2018 Version: ID: 49 Cookbook: urldownload.jbs Time: 19:: Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice

More information

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0.

ID: Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: 13/04/2018 Version: 22.0. ID: 54478 Sample Name: SSI Set Details.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 01:14:07 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 20:47:24 Date: 09/12/2017 Version: ID: 0 Cookbook: urldownload.jbs Time: 20:4:24 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version:

ID: Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: 12/04/2018 Version: ID: 54427 Sample Name: test.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 18:57:54 Date: /04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

More information

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0.

ID: Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 14:36:29 Date: 04/05/2018 Version: 22.0. ID: 5762 Sample Name: FD-1 Phase Out Notice.doc Cookbook: defaultwindowsofficecookbook.jbs Time: :36:2 Date: 04/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version:

ID: Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: ID: 41280 Sample Name: Liste_az.docx Cookbook: defaultwindowsofficecookbook.jbs Time: 00:17:54 Date: 30/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information

More information

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: ID: 66523 Cookbook: browseurl.jbs Time: 00:46:14 Date: 03/07/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis

More information

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version:

ID: Sample Name: test.txt Cookbook: default.jbs Time: 13:18:36 Date: 31/03/2018 Version: ID: 5250 Sample Name: test.txt Cookbook: default.jbs Time: 13:18:3 Date: 31/03/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version: ID: 6600 Cookbook: urldownload.jbs Time: 21:2:55 Date: 2/06/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version:

ID: Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: ID: 80115 Sample Name: js.jar Cookbook: defaultwindowsfilecookbook.jbs Time: 10:01:15 Date: 26/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report js.jar Overview General Information

More information

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version:

ID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: ID: 42035 Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0.

ID: Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17:15:48 Date: 19/06/2018 Version: 22.0. ID: 64635 Sample Name: MSM- 24_Supply_List RU_518.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 1/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: ID: 41304 Cookbook: urldownload.jbs Time: 22:26:00 Date: 30/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview

More information

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: ID: 70096 Cookbook: browseurl.jbs Time: 14:05:23 Date: 30/07/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0.

ID: Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:46 Date: 20/09/2018 Version: 23.0. ID: 25 Sample Name: Payment_Remittance#.xps Cookbook: defaultwindowsofficecookbook.jbs Time: 01:35:4 Date: 20/09/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Payment_Remittance#.xps

More information

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version:

ID: Sample Name: maintools.js Cookbook: default.jbs Time: 15:43:35 Date: 17/02/2018 Version: ID: 48 Sample Name: maintools.js Cookbook: default.jbs Time: 1:43:3 Date: 1/02/2018 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version:

ID: Sample Name: quzpecasrh Cookbook: default.jbs Time: 16:55:54 Date: 07/10/2017 Version: ID: 3393 Sample Name: quzpecasrh Cookbook: default.jbs Time: 1:55:54 Date: 0//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version:

ID: Sample Name: text_0.txt Cookbook: default.jbs Time: 16:20:15 Date: 12/01/2018 Version: ID: 4253 Sample Name: text_0.txt Cookbook: default.jbs Time: 1:20:15 Date: 12/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.

ID: Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook. ID: 63341 Sample Name: TO_HM_CROWN PR#U0130NCE MOHAMMED B#U0130N SALMAN - Dear Prime Minister.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 08:43:14 Date: 10/06/2018 Version: 22.0.0 Table of Contents

More information

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: ID: 54075 Cookbook: browseurl.jbs Time: 23:36:16 Date: 10/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version:

ID: Sample Name: Serial.txt Cookbook: default.jbs Time: 02:59:20 Date: 07/05/2018 Version: ID: 58133 Sample Name: Serial.txt Cookbook: default.jbs Time: 02:5:20 Date: 0/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version:

ID: Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/07/2018 Version: ID: 6045 Sample Name: testfiletestfile.txt Cookbook: default.jbs Time: 15:24:30 Date: 06/0/201 Version: 23.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal

ID: Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: Fire Opal ID: 82913 Cookbook: browseurl.jbs Time: 18:45:10 Date: 08/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.learningtoolkit.club Overview General Information

More information

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version:

ID: Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: 10:19:47 Date: 19/02/2018 Version: ID: 47020 Sample Name: NEW ORDER LIST.jar Cookbook: default.jbs Time: :19:47 Date: 19/02/201 Version: 21.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version:

ID: Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: ID: 34266 Cookbook: browseurl.jbs Time: 19:21:50 Date: 15/10/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version:

ID: Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: ID: 40269 Sample Name: scan00.html Cookbook: default.jbs Time: 22:21:27 Date: 16/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: ID: 80599 Cookbook: browseurl.jbs Time: 20:07:43 Date: 27/09/2018 Version: 23.0.0 Table of Contents Table of Contents Analysis Report http://www.qbproadvisorshelp.com Overview General Information Detection

More information

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version:

ID: Sample Name: E DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: ID: 55401 Sample Name: E203182DA5e8a0c01b.txt Cookbook: default.jbs Time: 15:35:01 Date: 18/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection

More information

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date:

ID: Sample Name: ff2c8cadaa0fd8da6138cce6fce37e001f53a5d9ceccd67945b15ae273f4d751.evaljs.js Cookbook: default.jbs Time: 16:44:00 Date: ID: 33355 Sample Name: ff2c8cadaa0fd8da138ccefce3e001f53a5dceccd45b15ae23f4d51.evaljs.js Cookbook: default.jbs Time: 1:44:00 Date: 04//201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report

More information

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version:

ID: Sample Name: tesseract-ocrsetup exe. Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: ID: 46161 Sample Name: tesseract-ocrsetup-3.05.01.exe Cookbook: default.jbs Time: 16:44:15 Date: 12/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0.

ID: Sample Name: 11#Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/2018 Version: 20.0. ID: 4457 Sample Name: #Ucb#Uae#Uc4#Ube#Ue5#Ubb#UaafNOnOJTVYQ.exe Cookbook: default.jbs Time: 09:47:21 Date: 02/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General

More information

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0. ID: 61258 Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0.

ID: Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17:14:48 Date: 21/06/2018 Version: 22.0. ID: 64992 Sample Name: Swift details.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 17::48 Date: 21/06/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date:

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:55:50 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version: ID: 6036 Sample Name: wtf.bat Cookbook: default.jbs Time: 1:32:35 Date: 19/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: ID: 45263 Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version: ID: 94 Cookbook: urldownload.jbs Time: 1:10:9 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

ID: Sample Name: test Cookbook: default.jbs Time: 09:46:13 Date: 21/05/2018 Version: ID: 042 Sample Name: test Cookbook: default.jbs Time: 09:4:1 Date: 21/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: Fire Opal ID: 92832 Cookbook: browseurl.jbs Time: 14:02:12 Date: 23/11/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://www.winsupport.ml Overview Information Detection Confidence

ID: Sample Name: PO xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03:13:36 Date: 08/01/2018 Version: ID: 41861 Sample Name: PO65445465.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 03::36 Date: 08/01/2018 Version: 20.0.0 Table of Contents Analysis Report Overview Information Detection Confidence

ID: Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: ID: 244 Sample Name: Commercial Card Services CTO Quality Control Checklist v9.docm Cookbook: defaultwindowsofficecookbook.jbs Time: 15:52:31 Date: 05/10/201 Version: 24.0.0 Fire Opal Table of Contents

ID: Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:09:32 Date: 02/06/2018 Version: ID: 22 Sample Name: MacKeeper.dmg Cookbook: default.jbs Time: 11:0:2 Date: 02/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: urldownload.jbs Time: 20:31:48 Date: 13/04/2018 Version: ID: 54693 Cookbook: urldownload.jbs Time: 20:31:48 Date: 13/04/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version: ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

ID: Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:54 Date: 07/06/2018 Version: ID: 001 Sample Name: dronefly.apk Cookbook: default.jbs Time: 10:24:4 Date: 0/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 15:35:36 Date: 03/11/2017 Version: ID: 35980 Cookbook: browseurl.jbs Time: 15:35:36 Date: 03/11/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version: ID: 388 Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:4 Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0. ID: 56519 Sample Name: 20180542 INDUSTRIAL.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 02:35:30 Date: 25/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information

ID: Sample Name: New invoice doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:49:06 Date: 07/11/2017 Version: 20.0. ID: 36381 Sample Name: New invoice 1385371761.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 21:4:06 Date: 07/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview

ID: Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/05/2018 Version: ID: 09 Sample Name: dialog.nvp Cookbook: default.jbs Time: 00:09:12 Date: 10/0/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: ID: 38812 Sample Name: paint.net.4.0.19.install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: ID: 35936 Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: 5GeZNwROcB.bin Cookbook: default.jbs Time: 15:22:54 Date: 30/11/2017 Version: ID: 82 Sample Name: GeZNwROcB.bin Cookbook: default.jbs Time: 1:22:4 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Cookbook: browseurl.jbs Time: 09:46:57 Date: 19/10/2018 Version: Fire Opal ID: 85066 Cookbook: browseurl.jbs Time: 09:46:57 Date: 19/10/2018 Version: 24.0.0 Fire Opal Table of Contents Table of Contents Analysis Report http://lux-motors.com/nnngg/nngbbgh/fffee Overview General

ID: Sample Name: gpg4win exe.sig Cookbook: default.jbs Time: 21:44:31 Date: 02/02/2018 Version: ID: Sample Name: gpgwin-.0..exe.sig Cookbook: default.jbs Time: 21::1 Date: 02/02/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version: ID: 3626 Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 0:0:14 Date: 0/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

ID: Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: ID: 41310 Sample Name: SSB SBV Daily Report - Logistics Template DEC '17 (8).xlsm Cookbook: defaultwindowsofficecookbook.jbs Time: 06:35:29 Date: 31/12/2017 Version: 20.0.0 Table of Contents Analysis Report

ID: Cookbook: browseurl.jbs Time: 23:19:26 Date: 20/08/2018 Version: ID: 73278 Cookbook: browseurl.jbs Time: 23:19:26 Date: 20/08/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

ID: Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24:33 Date: 15/12/2017 Version: ID: 4019 Sample Name: faktury_pdf.rar Cookbook: default.jbs Time: 12:24: Date: 1/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence
