ID: Sample Name: DOCS.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 16:07:38 Date: 06/02/2018 Version:


Table of Contents

Analysis Report
  Overview: Information; Detection; Confidence; Classification; Analysis Advice
  Signature Overview: AV Detection; Software Vulnerabilities; Networking; Persistence and Installation Behavior; Data Obfuscation; System Summary; HIPS / PFW / Operating System Protection Evasion; Anti Debugging; Malware Analysis System Evasion; Hooking and other Techniques for Hiding and Protection
  Behavior Graph
  Simulations: Behavior and APIs
  Antivirus Detection: Initial Sample; Dropped Files; Domains
  Yara Overview: Initial Sample; PCAP (Network Traffic); Dropped Files; Memory Dumps; Unpacked PEs
  Joe Sandbox View / Context: IPs; Domains; ASN; Dropped Files
  Screenshot
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs: Contacted Domains; Contacted IPs
  Static File Info: File Icon
  Network Behavior: Network Port Distribution; TCP Packets; UDP Packets; DNS Queries; DNS Answers; HTTPS Packets

Copyright Joe Security LLC 2018

  Code Manipulations
  Statistics: Behavior
  System Behavior:
    Analysis Process: WINWORD.EXE PID: 3684 Parent PID: 3372 (File Activities: File Deleted; Registry Activities)
    Analysis Process: 608_OrderDOCS.exe PID: 3860 Parent PID: 3684
    Analysis Process: WINWORD.EXE PID: 3872 Parent PID: 548 (File Activities: File Created; Registry Activities: Key Created)
    Analysis Process: 608_OrderDOCS.exe PID: 3968 Parent PID: 3684
    Analysis Process: WINWORD.EXE PID: 3980 Parent PID: 548 (File Activities; Registry Activities)
    Analysis Process: 608_OrderDOCS.exe PID: 4072 Parent PID: 3684
    Analysis Process: WINWORD.EXE PID: 2052 Parent PID: 548 (File Activities; Registry Activities)
    Analysis Process: 608_OrderDOCS.exe PID: 324 Parent PID: 4072
    Analysis Process: 608_OrderDOCS.exe PID: 1220 Parent PID: 3860
    Analysis Process: 608_OrderDOCS.exe PID: 148 Parent PID: 3968
    Analysis Process: explorer.exe PID: 1448 Parent PID: 324
    Analysis Process: services.exe PID: 2292 Parent PID: 1448
    Analysis Process: cmd.exe PID: 2284 Parent PID: 1220
    Analysis Process: services.exe PID: 2384 Parent PID: 148
    Analysis Process: cmd.exe PID: 2452 Parent PID: 2292
  Disassembly: Code Analysis

Analysis Report

Overview

Information

Joe Sandbox Version:
Analysis ID:
Start time: 16:07:38
Joe Sandbox Product: CloudBasic
Start date:
Overall analysis duration: 0h 11m 49s
Hypervisor based Inspection enabled:
Report type: light
Sample file name: DOCS.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java )
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: MAL
Classification: mal92.evad.expl.windoc@24/24@2/2
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 20.6% (good quality ratio 19%); Quality average: 68.6%; Quality standard deviation: 29.1%

Cookbook Comments:
- Adjust boot time
- Found application associated with file extension: .doc
- Found Word or Excel or PowerPoint document
- Simulate clicks
- Word/Excel/PowerPoint window no longer existing
- Number of clicks 0
- Close Viewer

Warnings:
- Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, conhost.exe, dllhost.exe
- Report creation exceeded maximum time and may have missing disassembly code information.
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size exceeded maximum capacity and may have missing disassembly code.
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtDeviceIoControlFile calls found.
- Report size getting too big, too many NtEnumerateKey calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, 608_OrderDOCS.exe, WINWORD.EXE, 608_OrderDOCS.exe, WINWORD.EXE, 608_OrderDOCS.exe, WINWORD.EXE

Detection
Strategy, Score, Range, Reporting, Detection, Threshold, Report FP / FN

Confidence
Strategy, Score, Range, Further Analysis Required?, Confidence, Threshold

Classification

Classification chart axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware (scale: clean, suspicious, malicious)

Analysis Advice
- Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
- Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

AV Detection:
- Antivirus detection for dropped file
- Antivirus detection for submitted file

Software Vulnerabilities:
- Found inlined nop instructions (likely shell or obfuscated code)
- Potential document exploit detected (performs DNS queries)
- Potential document exploit detected (performs HTTP gets)
- Potential document exploit detected (unknown TCP traffic)
- Document exploit detected (process start blacklist hit)
- Document exploit detected (creates forbidden files)
- Document exploit detected (drops PE files)

Networking:
- Downloads files
- Found strings which match to known social media urls
- Performs DNS lookups
- Urls found in memory or binary data
- Uses HTTPS

Persistence and Installation Behavior:
- Drops PE files

Data Obfuscation:
- Uses code obfuscation techniques (call, push, ret)

System Summary:
- Checks whether correct version of .NET is installed
- Found graphical window changes (likely an installer)
- Document is a ZIP file with path names indicative for goodware
- Checks if Microsoft Office is installed
- Uses new MSVCR Dlls
- Binary contains paths to debug symbols
- Binary contains paths to development resources
- Classification label
- Creates files inside the user directory
- Creates temporary files
- Found command line output
- Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)
- Reads ini files
- Reads software policies
- Sample is known by Antivirus (Virustotal or Metascan)
- Spawns processes
- Uses an in-process (OLE) Automation server
- Contains functionality to call native functions
- Detected potential crypto function
- Found potential string decryption / allocating functions
- Reads the hosts file
- Office process drops PE file

HIPS / PFW / Operating System Protection Evasion:
- May try to detect the Windows Explorer process (often used for injection)
- Maps a DLL or memory area into another process
- Modifies the context of a thread in another process (thread injection)

Anti Debugging:
- Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
- Checks if the current process is being debugged
- Contains functionality for execution timing, often used to detect debuggers
- Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
- Contains functionality to read the PEB
- Enables debug privileges

Malware Analysis System Evasion:
- Queries a list of all running processes
- Contains functionality for execution timing, often used to detect debuggers
- Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
- May sleep (evasive loops) to hinder dynamic analysis
- Sample execution stops while process was sleeping (likely an evasion)

Hooking and other Techniques for Hiding and Protection:
- Disables application error messsages (SetErrorMode)
- Stores large binary data to the registry
- System process connects to network (likely due to code injection or exploit)

Behavior Graph

Sample: DOCS.doc; Startdate: 06/02/2018; Architecture: WINDOWS; Score: 92

Processes shown in the graph: WINWORD.EXE (4 instances), 608_OrderDOCS.exe (6 instances), explorer.exe (injected), services.exe (2 instances), cmd.exe (2 instances)

Network endpoints shown in the graph:
- gytrr.01g.info
- 443, OVHFR, France
- 50446, 50955, GOOGLE-GoogleIncUS, United States

Dropped files shown in the graph:
- C:\Users\user\...\608_OrderDOCS[1].exe, PE32
- C:\Users\SAMTAR~1\...\608_OrderDOCS.exe, PE32
- C:\Users\user\Desktop\~$DOCS.doc, data

Signatures shown in the graph:
- Antivirus detection for dropped file
- Antivirus detection for submitted file
- Document exploit detected (drops PE files)
- Office process drops PE file
- Document exploit detected (creates forbidden files)
- System process connects to network (likely due to code injection or exploit)
- Document exploit detected (process start blacklist hit)
- Modifies the context of a thread in another process (thread injection)
- Maps a DLL or memory area into another process

Simulations

Behavior and APIs

Time, Type, Description:
- 16:08:27, API Interceptor, 606x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 100ms
- 16:08:57, API Interceptor, 2x Sleep call for process: WINWORD.EXE modified from: 30000ms to: 100ms
- 16:10:00, API Interceptor, 300x Sleep call for process: explorer.exe modified from: 60000ms to: 100ms

Antivirus Detection

Initial Sample (Source, Detection, Cloud):
- DOCS.doc, 43%, virustotal

Dropped Files (Source, Detection, Cloud):
- C:\Users\SAMTAR~1\AppData\Local\Temp\608_OrderDOCS.exe, 33%, virustotal
- C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\608_OrderDOCS[1].exe, 33%, virustotal

Domains (Source, Detection, Cloud):
- gytrr.01g.info, 2%, virustotal

Yara Overview

Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context

IPs: No context
Domains: No context

ASN

Match: OVHFR. Associated Sample Name / URL (all with Detection: malicious):
- 1XCDFRVVCDE.js
- 54PI#80477.INV exe
- vfd.exe
- 3CNNBFHFJE.js
- 1.exe
- Emotet.doc
- Conference_on_Cyber_Conflict (2).doc
- ...exe
- ficevericheck/alioff icevericheck s/wp-includes/text/b le/index.php?userid= billy.bubba@bubba.com
- Emotet2.doc
- invoce.doc.exe
- jun.exe
- 49STATEMENT OF ACCOUNT exe
- 67New_P.O.#6_11_201. exe
- 47New_P.O.#6_11_201. exe
- 67NEW_P.O_ # _pd.exe
- 70iUuqJ39i.exe
- 57Sample_#3245.exe

Dropped Files: No context

Startup

System is w7
- WINWORD.EXE (PID: 3684 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\DOCS.doc' MD5: 5D798FF0BE2A8970D ACFD9D)
  - 608_OrderDOCS.exe (PID: 3860 cmdline: 'C:\Users\SAMTAR~1\AppData\Local\Temp\608_OrderDOCS.exe' MD5: A123B4314B0694E0F27109A75CCC225F)
    - 608_OrderDOCS.exe (PID: 1220 cmdline: 'C:\Users\SAMTAR~1\AppData\Local\Temp\608_OrderDOCS.exe' MD5: A123B4314B0694E0F27109A75CCC225F)
      - cmd.exe (PID: 2284 cmdline: C:\Windows\System32\cmd.exe MD5: AD7B9C14083B52BC532FBA B98)
  - 608_OrderDOCS.exe (PID: 3968 cmdline: 'C:\Users\SAMTAR~1\AppData\Local\Temp\608_OrderDOCS.exe' MD5: A123B4314B0694E0F27109A75CCC225F)
    - 608_OrderDOCS.exe (PID: 148 cmdline: 'C:\Users\SAMTAR~1\AppData\Local\Temp\608_OrderDOCS.exe' MD5: A123B4314B0694E0F27109A75CCC225F)
      - services.exe (PID: 2384 cmdline: C:\Windows\System32\services.exe MD5: 0780A42DBD7D9969F9BF4A19AA4285B5)
  - 608_OrderDOCS.exe (PID: 4072 cmdline: 'C:\Users\SAMTAR~1\AppData\Local\Temp\608_OrderDOCS.exe' MD5: A123B4314B0694E0F27109A75CCC225F)
    - 608_OrderDOCS.exe (PID: 324 cmdline: 'C:\Users\SAMTAR~1\AppData\Local\Temp\608_OrderDOCS.exe' MD5: A123B4314B0694E0F27109A75CCC225F)
      - explorer.exe (PID: 1448 cmdline: C:\Windows\Explorer.EXE MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        - services.exe (PID: 2292 cmdline: C:\Windows\System32\services.exe MD5: 0780A42DBD7D9969F9BF4A19AA4285B5)
          - cmd.exe (PID: 2452 cmdline: /c del 'C:\Users\SAMTAR~1\AppData\Local\Temp\608_OrderDOCS.exe' MD5: AD7B9C14083B52BC532FBA B98)
- WINWORD.EXE (PID: 3872 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D ACFD9D)
- WINWORD.EXE (PID: 3980 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D ACFD9D)
- WINWORD.EXE (PID: 2052 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D ACFD9D)
- cleanup

Created / dropped Files

C:\Users\SAMTAR~1\AppData\Local\Temp\608_OrderDOCS.exe
  File Type: PE32 executable (GUI) Intel 80386, for MS Windows; Malicious: true; Reputation: low; Antivirus: virustotal, Detection: 33%
C:\Users\SAMTAR~1\AppData\Local\Temp\TZ3GYJZSAY4QKHX.sct
  File Type: XML document, ASCII text, with CRLF, LF line terminators; Size (bytes): 2533; Reputation: low
C:\Users\SAMTAR~1\AppData\Local\Temp\TZ3GYJZSAY4QKHX.sct:Zone.Identifier
  File Type: ASCII text, with CRLF line terminators; Size (bytes): 26; Reputation: moderate, very likely benign file
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0255CEC2C51D081EFF _8E4BFDD938C93D361D792C301FE53D45
  File Type: data; Size (bytes): 471; Reputation: low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
  File Type: data; Size (bytes): 728; Reputation: low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4
  File Type: data; Size (bytes): 471; Reputation: low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0255CEC2C51D081EFF _8E4BFDD938C93D361D792C301FE53D45
  File Type: data; Size (bytes): 800; Reputation: low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
  File Type: data; Size (bytes): 792; Reputation: low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4
  File Type: data; Size (bytes): 796; Reputation: low
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  File Type: data; Size (bytes): 340; Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\608_OrderDOCS[1].exe
  File Type: PE32 executable (GUI) Intel 80386, for MS Windows; Malicious: true; Reputation: low; Antivirus: virustotal, Detection: 33%
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0000.tmp
  File Type: Microsoft Word; Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0001.tmp
  File Type: Microsoft Word; Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRC0002.tmp
  File Type: Microsoft Word; Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{2F BE1-41C A11F45B39010}.tmp
  File Type: FoxPro FPT, blocks size 0, next free block index , 1st used item "\375"; Size (bytes): 1024; Reputation: high, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{49E145A4-568F-4BDD-92B4-20D }.tmp
  File Type: FoxPro FPT, blocks size 0, next free block index , 1st used item "\375"; Size (bytes): 1024; Reputation: high, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6A D BAC-12E0886DC9CB}.tmp
  File Type: FoxPro FPT, blocks size 0, next free block index , 1st used item "\375"; Size (bytes): 1024
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6B660EF-5D2C-43AF-88E3-2A850C14E0CE}.tmp
  File Type: FoxPro FPT, blocks size 0, next free block index , 1st used item "\375"; Size (bytes): 1024
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CB77E48F-F BB A715B49}.tmp
  File Type: data; Size (bytes): 1024
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\DOCS.LNK
  File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=sun Sep :02: , mtime=sun Sep 24 14:02: , atime=tue Feb 6 15:08: , length=11161, window=hide; Size (bytes): 2004
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
  File Type: ASCII text, with CRLF line terminators; Size (bytes): 50
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  File Type: data; Size (bytes): 162
C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
  File Type: Little-endian UTF-16 Unicode text, with no line terminators; Size (bytes): 2; Entropy (8bit): 1.0
C:\Users\user\Desktop\~$DOCS.doc
  File Type: data; Size (bytes): 162; Malicious: true

Contacted Domains/Contacted IPs

Contacted Domains (Name, IP, Active, Malicious, Antivirus Detection):
- gytrr.01g.info; Active: true; Malicious: true; Antivirus Detection: 2%, virustotal

Contacted IPs

IP, Country, Flag, ASN, ASN Name, Malicious:
- France; OVHFR; Malicious: true
- United States; GOOGLE-GoogleIncUS

Static File Info

File type: ASCII text, with very long lines, with no line terminators
Entropy (8bit):
TrID: Rich Text Format (4004/1) %
File name: DOCS.doc
File size:
SHA256, SHA512: 18ced99acef023a08c08938e a 28dea8c82ff5ce44e e74f45c39b d969c9958baa94bd7763f6db4bf5c1ec3a3391ea dce589fecd88b8d8 a38ef4b50b02f4ca1ac2b3c69848e762bf e209 c52717a4f531fcee71b7b9a4c615c0988f54ea32e1de855 f957b dbabcc19af2cfff3e7e089
File Content Preview: {\rt{\object\objemb\objw1\objh1{\*\oleclsid \'50\'61\'63\'6B\'61\'67\'65}{\*\objdata b f50a a a5a b48582e a5c66616b c545a a5a b48582e

Network Behavior

Network Port Distribution

Total Packets: (HTTPS) 53 (DNS)

TCP Packets (Timestamp, Source Port, Dest Port, Source IP, Dest IP): rows dated Feb 6, CET; port and address values not preserved.


More information

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:

ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version: ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version:

ID: Sample Name: paint.net install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: ID: 38812 Sample Name: paint.net.4.0.19.install.exe Cookbook: default.jbs Time: 00:46:01 Date: 01/12/2017 Version: 20.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.

ID: Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0. ID: 61258 Sample Name: MobaXterm_installer_10.5.msi Cookbook: defaultwindowsmsicookbook.jbs Time: 18:29:36 Date: 25/05/2018 Version: 22.0.0 Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version:

ID: Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:34 Date: 26/07/2018 Version: ID: 90 Sample Name: lt.pak Cookbook: default.jbs Time: 12:40:4 Date: 2/0/201 Version: 2.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version:

ID: Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:47 Date: 22/11/2017 Version: ID: 388 Sample Name: oq5wdjgk2r.exe Cookbook: default.jbs Time: 20:25:4 Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: Request.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 15:59:16 Date: 22/11/2017 Version:

ID: Sample Name: Request.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 15:59:16 Date: 22/11/2017 Version: ID: 37845 Sample Name: Request.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 15:59:16 Date: 22/11/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection

More information

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version:

ID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version: ID: 6036 Sample Name: wtf.bat Cookbook: default.jbs Time: 1:32:35 Date: 19/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version:

ID: Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: ID: 46703 Cookbook: browseurl.jbs Time: 13:47:53 Date: 16/02/2018 Version: 21.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version:

ID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version: ID: 6600 Cookbook: urldownload.jbs Time: 21:2:55 Date: 2/06/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:

More information

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: ID: 50608 Cookbook: browseurl.jbs Time: 15:26:33 Date: 16/03/2018 Version: 22.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature

More information

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version:

ID: Cookbook: urldownload.jbs Time: 16:10:39 Date: 07/12/2017 Version: ID: 94 Cookbook: urldownload.jbs Time: 1:10:9 Date: 0/12/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature

More information

ID: Sample Name: promo_50_ iqy Cookbook: default.jbs Time: 15:01:30 Date: 07/06/2018 Version:

ID: Sample Name: promo_50_ iqy Cookbook: default.jbs Time: 15:01:30 Date: 07/06/2018 Version: ID: 63041 Sample Name: promo_50_57443456.iqy Cookbook: default.jbs Time: 15:01:30 Date: 07/06/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence

More information

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version:

ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: ID: 75522 Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version: 23.0.0 Table of Contents Table of Contents 2 Analysis Report http://www.springdwnld2.com/download/? d=0&h=1&pnid=4&domain=hmapsanddrivingdirection.com&implementation_id=maps_spt_&source=g-ccc7-lp0-

More information

ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version:

ID: Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:46:31 Date: 01/02/2018 Version: ID: 44491 Sample Name: modulecheck.js Cookbook: default.jbs Time: 17:4:31 Date: 01/02/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence

More information

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version:

ID: Sample Name: binarydata Cookbook: default.jbs Time: 22:09:57 Date: 22/11/2017 Version: ID: 88 Sample Name: binarydata Cookbook: default.jbs Time: 22:09: Date: 22/11/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version:

ID: Sample Name:._k.php Cookbook: default.jbs Time: 05:41:18 Date: 25/04/2018 Version: ID: 2 Sample Name:._k.php Cookbook: default.jbs Time: 0:41:1 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification

More information