ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version:

Size: px

Start display at page:

Download "ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version:"

Gavin Poole
5 years ago
Views:

1 ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/201 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Networking: System Summary: HIPS / PFW / Operating System Protection Evasion: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshot Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets ICMP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets Code Manipulations Statistics Copyright Joe Security LLC 201 Page 2 of 22

3 Behavior System Behavior Analysis Process: iexplore.exe PID: 3436 Parent PID: 54 General File Activities Registry Activities Analysis Process: iexplore.exe PID: 3492 Parent PID: 3436 General File Activities Registry Activities Analysis Process: ssvagent.exe PID: 3612 Parent PID: 3492 General Registry Activities Disassembly Code Analysis Copyright Joe Security LLC 201 Page 3 of 22

Analysis Report Overview General Information Joe Sandbox Version: 22.0.0 Analysis ID: 50646 Start time: 20:27:59 Joe Sandbox Product: CloudBasic Start date: 16.03.

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 20:27:59 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 4m 44s light browseurl.jbs U164.g03.dbankcloud.com Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: HCA enabled EGA enabled HDC enabled Timeout CLEAN clean1.win@5/21@2/2 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Adjust boot time Correcting counters for adjusted boot time URL browsing timeout Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found. Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Copyright Joe Security LLC 201 Page 4 of 22

Threshold 4 0-5 Confidence Classification

clean Exploiter Banker Spyware Trojan / Bot

5 Confidence Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Copyright Joe Security LLC 201 Page 5 of 22

6 Signature Overview Networking System Summary HIPS / PFW / Operating System Protection Evasion Hooking and other Techniques for Hiding and Protection Click to jump to signature section Networking: Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data Social media urls found in memory data System Summary: Uses new MSVCR Dlls Binary contains paths to debug symbols Classification label Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Searches the installation path of Mozilla Firefox HIPS / PFW / Operating System Protection Evasion: May try to detect the Windows Explorer process (often used for injection) Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Behavior Graph Copyright Joe Security LLC 201 Page 6 of 22

Behavior Graph ID: 50646 URL: U164.g03.dbankcloud.

7 Behavior Graph ID: URL: U164.g03.dbankcloud.com Startdate: 16/03/201 Architecture: WINDOWS Score: 1 Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend started Number of created Registry Values iexplore.exe started iexplore.exe Number of created Files Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious 10..., 4940, 50323, GOOGLE-GoogleIncUS United States u164.g03.dbankcloud.com , 49163, 49164, 4916 CHINANET-BACKBONENo31Jin-rongStreetCN China started ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 20:2:51 API Interceptor 5271x Sleep call for process: iexplore.exe modified 20:2:56 API Interceptor 1x Sleep call for process: ssvagent.exe modified Antivirus Detection Initial Sample Detection Scanner Label Link U164.g03.dbankcloud.com 4% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Copyright Joe Security LLC 201 Page 7 of 22

8 No Antivirus matches Domains Detection Scanner Label Link u164.g03.dbankcloud.com 4% virustotal Browse Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshot Copyright Joe Security LLC 201 Page of 22

9 Startup System is w7 cleanup iexplore.exe (PID: 3436 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding CA1F703CD66567E132D2946FB55750) iexplore.exe (PID: 3492 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3436 CREDAT: /prefetch:2 CA1F703CD66567E132D2946FB55750) ssvagent.exe (PID: 3612 cmdline: 'C:\PROGRA~1\Java\JRE1~1.0_1\bin\ssvagent.exe' -new 0953A026479FD1E655B75B63B903B7) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\~DF52C0C3D4FFE0BC.TMP FoxPro FPT, blocks size 25, next free block index Size (bytes): Entropy (bit): FCF972B35A07A9B14A0A40F493D3705 6F04A5CF4F41C F27703AD3ACC4912 E32D5CDF36401DF27411F574D514E2DB13641E54754A9CD11457DE17E EC57ECBB7C3456CDCACFD2EE7C F56506A9F745039BC03DF067BED14EF90EEAA4AB559E2B3 3D766979D24F07B926E D54CD Copyright Joe Security LLC 201 Page 9 of 22

10 C:\Users\HERBBL~1\AppData\Local\Temp\~DFB579234C55AAE4.TMP data Size (bytes): Entropy (bit): A1D30C633CF7272AC49B96BBAEFD9 2A3EFEC4CAC9DE067196E66C99F0A05EEDA3F 0BEB77446D6CB6599D5CDA4431B45236C367A5D4206FBC1E3DB99331D694D C605901B2DDF090E49176AA6C734117A421F3B9D29D2CB47A666D2DA9535A00FDCE031E7E67C399701A 41F79A1A416755A2A1CC7AA2FF36CDA54 C:\Users\HERBBL~1\AppData\Local\Temp\~DFE56A56D7CD9FDE53.TMP FoxPro FPT, blocks size 25, next free block index Size (bytes): Entropy (bit): FBF00C4F4ED797351BB702217D490CC D3CC070C09F C5A30AE2C C60664BB4C7F30CBEE090A57FEA3C6FB4711B53EA9341F2201B 4EDC D32646B3761CADDD56576BEFB9AE024F6CE0AD37A305CCC4CA4D3F2A2BE9AB6B606E 091F39EB6DD7A5201BC403FD570E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA974A10C4BD62CC921D13E43B1_BEB37ABADF B E0 4 data Size (bytes): 471 Entropy (bit): B93B055F1ED02AC BFA E49C43005A144BE3DE945B1F9BC4E5A9126D A2649B55B45DF55AC2A374490B42AD312A749BDAAA21B6C00DCE6AD4CED 1A7EC92A1516E9B2E224E239C29EA395C61555A429B5FDF66B794DBBE6336C2BCE435ACD4F145563E5ACB4E DDBE001566E1BB345BF9F6F5EAE0341B9AAB2A6 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2CB34DD3343FE727DF90D352E0DF data Size (bytes): 4221 Entropy (bit): EBCDD923F9EC4ADA65C3E6F D276145E99F2A2F2C24CC6767DD0FC25F3DD 2203AF94BC5CEBA DAF103A099A37FF6D9C5F9AA5AEF5146AB FB0C F2F0D494A9132AC57CEBB E00AC40C0775FB4371E7F7A43FB266B5F7AB162BE2C4 AD5EEA36A05A6F0ECECD0995E213E1C93 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57CEDB95DF3F0AD4EE2DC2BCFD4157 data Size (bytes): 340 Entropy (bit): DB94355D D529AAC610D 3EBC9D0D5A40D61AB614F63975BE7F239B0EC 3D31D666E210D414BFCA5051BB442BA4FFDA479A5A BB0E6A06 0D350C61903EF71B6094CB365F4974B4FEFFB49959DED02A7FA9DBCB94FEC5CB156FF030A203EFE1EA3 9CCEA7E CB1B6FC959EACA0E97 Copyright Joe Security LLC 201 Page 10 of 22

11 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA974A10C4BD62CC921D13E43B1_BEB37ABADF B E04 data Size (bytes): 434 Entropy (bit): D32DB64D62E6AA2505E5FB D03EF1A520B7772EA21121EBA957B5D320B 6E73BC22B61936D521A0A027202A1607B610D120AEAF07EFE477470DF2 7B263972AFBECB5297E277B5BD70DE C44D3FA326ABAB547445A25D47D1D311CB197A69BC37905 CCE26CD655DB5CCA E7E30ABB1E1F5D C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2CB34DD3343FE727DF90D352E0DF data Size (bytes): 226 Entropy (bit): BA4402F036AFCD260192FF27C76D133F 6AC3DA7A14DA0A66A9343EEC045BD0ABD59A29 BE1FA74F3D94C0F63CA96C315CCCCB2F05951E16F11079FDA93A3AD3BF 52165B269FF66C7334D C AD99A F2C0CBEF4F62A767A42ABDD6343B3E 5CB96514C B6B94B99D67B5B C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416BB2E3A}.ico Size (bytes): 237 Entropy (bit): PNG image data, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D64202F6541 EA134D33C2C7F4F4BAA3934AEB1DBFAD3DF31 6DA01DC7647BC21D003B5FE04049E24A B7E0CEBAE76EDF5BB914 0E09356CD123BEA20B7D9A3AAF5CB05249DE7F26FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96AECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 data Size (bytes): 1176 Entropy (bit): A34CB996293FDE2CB7A4AC957393A 3C96C D1A7773CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A4AD296BE25C0CC05A1F34DBAD E1B7D F E70F6B1BE6FD0CA65DCCF4FF D4427D3A77F704AEDFF59D2DBC0D56A6 09B2590CEC0DD6BC4AB30F1DAD0C07A0A3EE C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml Size (bytes): Entropy (bit): XML 1.0 document, UTF- Unicode (with BOM) text, with CRLF line terminators 55F46265DF0372AADDBE5D EB9F0E15BC1F9BF1101B92C9BB566627BF3C1BE 66A54E77EFCAB239FDF532F5462AD4A04F2BBAA9FA9AAC559E631F1CB66 93B3B14990F293560B16EF5D6EBDD3BFA7E4221BEBABD0EF6BDD1595AFA1A200397CCC6AAFEFB2E5D 4BB9CB962743E51F7460CAC66724BCD4B5 Copyright Joe Security LLC 201 Page 11 of 22

12 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4121BCE E-B7AC-B2C276BF9C}.dat Size (bytes): Microsoft Word Document Entropy (bit): C432409EB411EC0E6F44C0AA401C AE159CD37A67724ADCF15A42AF799E724A 2A49F50AB390D406E24ED50D103E72EF4A1DAF37F6AE35D EA6BAA2EF9F1459EDF3515D5F64A6D14D550271D97D669365B9AF04C02CC530D9F9BDAA4C7A39627AE1E1 D5B79146DC005B71B35FE97E73579A5E05004 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4121BCE E-B7AC-B2C276BF9C}.dat Size (bytes): 1694 Microsoft Word Document Entropy (bit): F4A3BBB0B126F537FF1E659C17E 66CB9BBAFBEDA9EE19539E12E1719CA22BAD3DC CDA1FCBEAB70EFA504A F7436ECA1A70B DED4AC F79A462365AA413BDA5521DCFF5AC6CBEB5C2C77395E932A614B59AC29FCE30BD23AEF6FCAD2F13474F6E E4E41B113AEAB4FB4EEE53F5D337DDEB50ACFEF C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4DFA E-B7AC-B2C276BF9C}.dat Size (bytes): 1694 Microsoft Word Document Entropy (bit): E373B9DB47ADECC A3F7C A3BE2375ABCEA9D5DECF64D61B17AC53B4A6CF 1297D132ED9D3DCD6714ED2EC37BAC66D34EA2EFB2B5EB1D21547BD F35E7791DF9BCB1015C7C93616EC61572B25451B17E31E11DC4B2D2699C913D46312CE37202BA901657ABD B4D0F90BBC1793FFFCD311F57401BE2 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2C01.tmp Size (bytes): 1545 Entropy (bit): XML 1.0 document, UTF- Unicode (with BOM) text, with CRLF line terminators 095C726DE7D90E6526DC0D7F3F6 A1CAE12FB7E6C74FB5467C0014B2A27472BE DA E9B4B0D245C5B7E1FAC1242A07DED44EAF3B792E4A231E AB7FD229A6F532AE11E4CCEB01F2310B33D5C740BC9F290C79646C422AFFC27DDB476C931D6E4A966EED97 0E219B6CEBBF6F9A12B6C629B616CDE1615C C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\urlblockindex[1].bin Size (bytes): 16 Entropy (bit): data FA51E3DFAECA3A0E495460FD60C791 E4F30E D37267C0162FD4A093400C C4B4E5F3F9FD5A27E61C471B3EE126396B6D129499AA7 D21667F3FB01D39B57917E74E9BB1B6E9A97F C165729A5F177DC0ADADD90CD026C7A601D416665A 1AC13A69E49A6A2FE2FDD096793AA645C07 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\favicon[1].ico PNG image data, 16 x 16, 4-bit colormap, non-interlaced Copyright Joe Security LLC 201 Page 12 of 22

13 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\favicon[1].ico Size (bytes): 237 Entropy (bit): FB559A E77D64202F6541 EA134D33C2C7F4F4BAA3934AEB1DBFAD3DF31 6DA01DC7647BC21D003B5FE04049E24A B7E0CEBAE76EDF5BB914 0E09356CD123BEA20B7D9A3AAF5CB05249DE7F26FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96AECE236B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\iecompatviewlist[1].xml Size (bytes): 344 Entropy (bit): XML 1.0 document, UTF- Unicode (with BOM) text, with CRLF line terminators E5C53C B F1D541D440B 1EC E699A0BFA191B2AE1B74320D316CE 7DA1E4B3EE4DFAD40BA2B775F2CE1DC3931D6B403294AE4EE426FAFB7F 094EA2119B2D321EB62916CD554ADF20A BCDBF2E9F20D5EEB5306D1F30A607B EFF3F2E31 6F3634DAF3EEADFDC990962CB1C961644A92 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\suggestions[1].en-US data Size (bytes): 1176 Entropy (bit): A34CB996293FDE2CB7A4AC957393A 3C96C D1A7773CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A4AD296BE25C0CC05A1F34DBAD E1B7D F E70F6B1BE6FD0CA65DCCF4FF D4427D3A77F704AEDFF59D2DBC0D56A6 09B2590CEC0DD6BC4AB30F1DAD0C07A0A3EE Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection u164.g03.dbankcloud.com true 4%, virustotal, Browse Contacted IPs Copyright Joe Security LLC 201 Page 13 of 22

14 No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious... United States GOOGLE-GoogleIncUS China 4134 CHINANET-BACKBONENo31JinrongStreetCN Static File Info No static file info Network Behavior Network Port Distribution Total Packets: (HTTP) 53 (DNS) TCP Packets Copyright Joe Security LLC 201 Page 14 of 22

15 Timestamp Port Dest Port IP Dest IP Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Copyright Joe Security LLC 201 Page 15 of 22

16 Timestamp Port Dest Port IP Dest IP Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Copyright Joe Security LLC 201 Page 16 of 22

17 Timestamp Port Dest Port IP Dest IP Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET Mar 16, :30: CET UDP Packets Timestamp Port Dest Port IP Dest IP Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Copyright Joe Security LLC 201 Page 17 of 22

18 Timestamp Port Dest Port IP Dest IP Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :2: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Copyright Joe Security LLC 201 Page 1 of 22

19 Timestamp Port Dest Port IP Dest IP Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET Mar 16, :29: CET ICMP Packets Timestamp IP Dest IP Checksum Code Type Mar 16, :2: CET cffe (Port unreachable) Mar 16, :29: CET d00a (Port unreachable) Destination Unreachable Destination Unreachable DNS Queries Timestamp IP Dest IP Trans ID OP Code Name Type Class Mar 16, :2: CET xae3 Standard query (0) u164.g03.d bankcloud.com A (IP address) IN (0x0001) Mar 16, :2: CET xae3 Standard query (0) u164.g03.d bankcloud.com A (IP address) IN (0x0001) DNS Answers Timestamp IP Dest IP Trans ID Replay Code Name CName Address Type Class Mar 16, xae3 No error (0) u164.g03.d 20:2: bankcloud.com CET Mar 16, xae3 No error (0) u164.g03.d 20:2: bankcloud.com CET A (IP address) IN (0x0001) A (IP address) IN (0x0001) HTTP Request Dependency Graph u164.g03.dbankcloud.com HTTP Packets Session ID IP Port Destination IP Destination Port Process C:\Program Files\Internet Explorer\iexplore.exe Copyright Joe Security LLC 201 Page 19 of 22

20 Timestamp Mar 16, :2: CET kbytes transferred Direction Data 2 OUT GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: u164.g03.dbankcloud.com DNT: 1 Connection: Keep-Alive Session ID IP Port Destination IP Destination Port Process C:\Program Files\Internet Explorer\iexplore.exe Timestamp Mar 16, :30: CET kbytes transferred Direction Data 310 OUT GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: u164.g03.dbankcloud.com DNT: 1 Connection: Keep-Alive Code Manipulations Statistics Behavior iexplore.exe iexplore.exe ssvagent.exe Click to jump to process System Behavior Analysis Process: iexplore.exe PID: 3436 Parent PID: 54 General Start time: 20:2:51 Start date: 16/03/201 Path: C:\Program Files\Internet Explorer\iexplore.exe Copyright Joe Security LLC 201 Page 20 of 22

21 Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding 0x bytes CA1F703CD66567E132D2946FB55750 true C, C++ or other language File Activities File Path Access Attributes Options Completion Count File Path Completion Count Old File Path New File Path Completion Count File Path Offset Length Value Ascii Completion Count Registry Activities Key Path Completion Count Key Path Name Type Data Completion Count Key Path Name Type Old Data New Data Completion Count Analysis Process: iexplore.exe PID: 3492 Parent PID: 3436 General Start time: 20:2:51 Start date: 16/03/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3436 CREDAT: /prefetch:2 0x bytes CA1F703CD66567E132D2946FB55750 true C, C++ or other language File Activities File Path Access Attributes Options Completion Count File Path Offset Length Value Ascii Completion Count Registry Activities Key Path Name Type Old Data New Data Completion Count Analysis Process: ssvagent.exe PID: 3612 Parent PID: 3492 Copyright Joe Security LLC 201 Page 21 of 22

22 General Start time: 20:2:56 Start date: 16/03/201 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: C:\Program Files\Java\jre1..0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE1~1.0_1\bin\ssvagent.exe' -new 0xf bytes 0953A026479FD1E655B75B63B903B7 true C, C++ or other language Registry Activities Key Path Completion Count Key Path Name Type Data Completion Count Key Path Name Type Old Data New Data Completion Count Disassembly Code Analysis Copyright Joe Security LLC 201 Page 22 of 22

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version:

ID: Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/2018 Version: ID: 5945 Cookbook: browseurl.jbs Time: 11:59:06 Date: 14/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis