ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version:

Size: px

Start display at page:

Download "ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version:"

Magdalene Dalton
5 years ago
Views:

1 ID: Cookbook: browseurl.jbs Time: 14:54:22 Date: 05/09/2018 Version:

2 Table of Contents Table of Contents 2 Analysis Report d=0&h=1&pnid=4&domain=hmapsanddrivingdirection.com&implementation_id=maps_spt_&source=g-ccc7-lp0- bb9&adprovider=appfocus1&user_id=93b1d c-4dd2-b98db9dc &dfn=maps%20and%20driving%20direction&spo=0&appname=maps%20and%20driving%20direction&appde Overview 33 General Information 3 Detection 3 Confidence 4 Classification 4 Analysis Advice 5 Signature Overview 5 AV Detection: 6 Networking: 6 System Summary: 6 Data Obfuscation: 6 Persistence and Installation Behavior: 6 Hooking and other Techniques for Hiding and Protection: 6 Behavior Graph 7 Simulations 7 Behavior and APIs 7 Antivirus Detection 7 Initial Sample 7 Dropped Files 7 Unpacked PE Files 8 Domains 8 URLs 8 Yara Overview 8 Initial Sample 8 PCAP (Network Traffic) 8 Dropped Files 8 Memory Dumps 8 Unpacked PEs 8 Joe Sandbox View / Context 9 IPs 9 Domains 9 ASN 9 Dropped Files 9 Screenshots 9 Startup 9 Created / dropped Files 10 Domains and IPs 11 Contacted Domains 11 URLs from Memory and Binaries 11 Contacted IPs 13 Public 13 Static File Info 13 No static file info 13 Network Behavior 13 Network Port Distribution 13 TCP Packets 14 UDP Packets 15 DNS Queries 16 DNS Answers 16 HTTP Request Dependency Graph 16 HTTP Packets 16 Code Manipulations 17 Statistics 17 Behavior 17 System Behavior 17 Analysis Process: iexplore.exe PID: 3232 Parent PID: General 18 File Activities 18 Registry Activities 18 Analysis Process: iexplore.exe PID: 3284 Parent PID: General 18 File Activities 18 Registry Activities 18 Analysis Process: ssvagent.exe PID: 3340 Parent PID: General 19 Registry Activities 19 Disassembly 19 Copyright Joe Security LLC 2018 Page 2 of 19

3 Analysis Report =4&domain=hmapsanddrivingdirection.com&implementation_id=map s_spt_&source=g-ccc7-lp0-bb9&adprovider=appfocus1&user_id=93 b1d c-4dd2-b98d-b9dc &dfn=maps%20and%20driving% 20Direction&spo=0&appname=Maps%20and%20Driving%20Direction&a ppdesc=get%20directions%20or%20lookup%20maps%20for%20free.%2 0Search%20Maps,%20Local%20Traffic,%20and%20Driving%20Directi ons.&ies=s,h&sso= Overview General Information Joe Sandbox Version: Analysis ID: Start date: Start time: 14:54:22 Joe Sandbox Product: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: CloudBasic 0h 2m 30s light browseurl.jbs 0&h=1&pnid=4&domain=hmapsanddrivingdirec tion.com&implementation_id=maps_spt_&source=gccc7-lp0-bb9&adprovider=appfocus1&user_id=93 b1d c-4dd2-b98d-b9dc &dfn=m aps%20and%20driving%20direction&spo=0&ap pname=maps%20and%20driving%20direction&a ppdesc=get%20directions%20or%20lookup%20 maps%20for%20free.%20search%20maps,%20lo cal%20traffic,%20and%20driving%20directi ons.&ies=s,h&sso= Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 4 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: Cookbook Comments: Warnings: Errors: Timeout MAL EGA enabled mal56.win@5/7@2/1 Adjust boot time URL browsing timeout or error Show All Exclude process from analysis (whitelisted): dllhost.exe TCP Packets have been reduced to 100 Report size getting too big, too many NtProtectVirtualMemory calls found. Unable to browse the URL Detection Strategy Score Range Reporting Detection Copyright Joe Security LLC 2018 Page 3 of 19

Strategy Score Range Reporting Detection Threshold 56

4 Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold Classification Copyright Joe Security LLC 2018 Page 4 of 19

Ransomware Miner Spreading malicious malicious malicious Evader

Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Joe

or HTTPS issue), try to browse the URL again later Signature

and Installation Behavior Persistence Hooking and other

5 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Joe Sandbox was unable to browse the URL (domain or webserver down or HTTPS issue), try to browse the URL again later Signature Overview Detection AV Networking Summary System Obfuscation Data and Installation Behavior Persistence Hooking and other Techniques for Hiding and Protection Copyright Joe Security LLC 2018 Page 5 of 19

6 Click to jump to signature section AV Detection: Antivirus detection for dropped file Multi AV Scanner detection for dropped file Networking: Downloads executable code via HTTP Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary data System Summary: PE file contains executable resources (Code or Archives) PE file contains strange resources Searches the installation path of Mozilla Firefox Classification label Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Found GUI installer (many successful clicks) Uses new MSVCR Dlls Data Obfuscation: PE file contains sections with non-standard names Persistence and Installation Behavior: Drops PE files Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Copyright Joe Security LLC 2018 Page 6 of 19

Behavior Graph ID: 75522 URL: Startdate: 05/09/2018 Architecture: Score: 56 Behavior Graph http://www.springdwnld2.com/download/?d=0&h=1&pnid=4&doma.

7 Behavior Graph ID: URL: Startdate: 05/09/2018 Architecture: Score: 56 Behavior Graph WINDOWS Antivirus detection for dropped file Multi AV Scanner detection for dropped file started Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend Number of created Registry Values iexplore.exe started iexplore.exe 12 Number of created Files Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious nt-www-prod-lb us-east-1.elb.amazonaws.com , 49162, 49163, 80 AMAZON-AES-AmazoncomIncUS ie9comview.vo.msecnd.net dropped United States started C:\...\6[1].exe, PE32 ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 14:54:44 API Interceptor 53x Sleep call for process: iexplore.exe modified 14:54:44 API Interceptor 1x Sleep call for process: ssvagent.exe modified Antivirus Detection Initial Sample No Antivirus matches Dropped Files Detection Scanner Label Link C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D T\6[1].exe C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D T\6[1].exe C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9D T\6[1].exe 100% Avira ADWARE/Spigot.rtyrb 15% virustotal Browse 14% metadefender Browse Copyright Joe Security LLC 2018 Page 7 of 19

8 Unpacked PE Files No Antivirus matches Domains Detection Scanner Label Link 3% virustotal Browse URLs Detection Scanner Label Link domain /home/terms 0% Avira URL Cloud safe domain 0% Avira URL Cloud safe domain /Home/Terms?source=ae 0% Avira URL Cloud safe 0% Avira URL Cloud safe domain /home/privacy 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe 3% virustotal Browse 0% Avira URL Cloud safe 0% Avira URL Cloud safe domain /Home/ContactUs 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe domain /home/privacy?source=ae 0% Avira URL Cloud safe 0% Avira URL Cloud safe already_in 0% Avira URL Cloud safe domain /Home/ContactUs?source=ae 0% Avira URL Cloud safe domain?source=ae 0% Avira URL Cloud safe 0% Avira URL Cloud safe 0% Avira URL Cloud safe Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Copyright Joe Security LLC 2018 Page 8 of 19

9 Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Startup Copyright Joe Security LLC 2018 Page 9 of 19

10 System is w7 cleanup iexplore.exe (PID: 3232 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3284 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3232 CREDAT: /prefetch:2 MD5: CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3340 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new MD5: 0953A FD1E655B75B63B9083B7) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\~DFB2FE964627D689C1.TMP Process: C:\Program Files\Internet Explorer\iexplore.exe File Type: FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: 0F8137B81CC04DE81F68FCF7E6214CAE D2D81BEE2901DB17FF63412C07F01E3CAC537A4A 33F61A4D92EEA88C1D77062F5EC7BE7C785C458F7B4F C463E7DFC4 CFABFB09E5BE0FF2D2341A678CEF F04BD990EE2B4C35159B268EB9DF97943A1ABA6DABD0A10A05EE74 D9E6C48A90590F9E31AF780A0B71E5721B3EB88 C:\Users\HERBBL~1\AppData\Local\Temp\~DFF0428B423CDFE625.TMP Process: C:\Program Files\Internet Explorer\iexplore.exe File Type: FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: CB42CFB8320BB0F9D0509E65154A9577 B0187EEBDE160734E7BC6F11D9484D05248DC43F 46A92A45F11FCDE CE26108A496C43648F4ABF94387BF68CCEE287FE9 D1C8514CB49188E2D92E26C340ED3CBD81CAA976BB36C7466CB3730EB686F3DC98987EAD52CBFBE0E11A9B3E8 9C3ADADC7F0F01B EF84A A6DC C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DB70AE81-B10A-11E8-B7AC-B2C276BF9C88}.dat Process: File Type: Size (bytes): C:\Program Files\Internet Explorer\iexplore.exe Microsoft Word Document Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: 7DD879521A517BA4BA3443E04BC963B6 0D0A4EC60BD56C5219C80A0D439CAB563AFACA46 4F6CCB8B0533E29DC6459F E362661C07325C824B234A83CF56A BF8D3E3DFA29CFD5DEECF27FFD1CD8949B8DDC378C8D05DF31A DE2431E9E17DDFE54AAC2C8AF86 DA328F910C9E38C681BC31EA51C78424AC2F0466 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DB70AE83-B10A-11E8-B7AC-B2C276BF9C88}.dat Process: File Type: Size (bytes): C:\Program Files\Internet Explorer\iexplore.exe Microsoft Word Document Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: B0ADBBD7907E7FA15301ECE89D2AB8C6 40E3ED260D10B672A2FE14D40CEA1B F F4E45D17B7F3A90D5981A23FDE3725F3CBFD7D6699C3D2048DBA496D6DE9C87A F08B82637FDA164C21D16C8324A1408FF CC35EF3C105C771540B DA3E7B1FCF4C4EE86E1988F0 FDAAF3455D0574C78F5152A7878B165207D2 Copyright Joe Security LLC 2018 Page 10 of 19

11 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\urlblockindex[1].bin Process: File Type: Size (bytes): 16 Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: C:\Program Files\Internet Explorer\iexplore.exe data FA518E3DFAE8CA3A0E495460FD60C791 E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A 81AC13A69E49A6A2FE2FDD AA645C07 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\6[1].exe Process: File Type: Size (bytes): Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: Antivirus: C:\Program Files\Internet Explorer\iexplore.exe PE32 executable (GUI) Intel 80386, for MS Windows 0D83A645018D9C2CD6AD9D00FF E0C3CC6CA954CA08A0AAE0884C932CDDC991 90CFABF6F24FD6298A1F11E7DE6A101406B952642F303CCE54AE58F35FF546AA 4887CF3E8D654651EDCD7F35605C53D56A75A0B6BA8A84DE45E38C2CE437DE68B99272AB4303B B9C5EC 5D5884E495ECB A483C9342EC9EB01B4 true Antivirus: Avira, Detection: 100%, Browse Antivirus: virustotal, Detection: 15%, Browse Antivirus: metadefender, Detection: 14%, Browse \samr Process: File Type: Size (bytes): 116 Entropy (8bit): Encrypted: MD5: SHA1: SHA-256: SHA-512: Malicious: C:\Program Files\Internet Explorer\iexplore.exe Hitachi SH big-endian COFF object, not stripped 080E701E8B8E2E9C68203C150AC7C6B7 4EF B805758AE1D3B122F9D FE129AE2A7C F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D C11D88B8E355B7B922B B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719 D892B4C0D22BB67BE0D57EAB368BA1BC057E79 Domains and IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation nt-www-prod-lb us-east- 1.elb.amazonaws.com true unknown unknown 3%, virustotal, Browse URLs from Memory and Binaries Name Malicious Antivirus Detection Reputation domain /home/terms domain domain /Home/Terms?source=ae Avira URL Cloud: safe Avira URL Cloud: safe Avira URL Cloud: safe Copyright Joe Security LLC 2018 Page 11 of 19

12 Name Malicious Antivirus Detection Reputation domain /home/privacy bb9&uid=%1&uc=%2&ap=appfocus1&i_id= _spt bb9&uid=%1&uc=%2&ap=appfocus1&i_id= _spt nfig&id=%1&rf=%2 domain /Home/ContactUs domain /home/privacy?source=ae plementation_id= _spt 1.30&source=-lp0-bb9&su tex_accepted ex_already_in Avira URL Cloud: safe unknown Avira URL Cloud: safe Avira URL Cloud: safe unknown Avira URL Cloud: safe unknown Avira URL Cloud: safe unknown Avira URL Cloud: safe unknown 3%, virustotal, Browse Avira URL Cloud: safe Avira URL Cloud: safe Avira URL Cloud: safe Avira URL Cloud: safe unknown Avira URL Cloud: safe unknown Avira URL Cloud: safe Avira URL Cloud: safe unknown Avira URL Cloud: safe Copyright Joe Security LLC 2018 Page 12 of 19

13 Name Malicious Antivirus Detection Reputation domain /Home/ContactUs?source=ae domain?source=ae Avira URL Cloud: safe Avira URL Cloud: safe Avira URL Cloud: safe Avira URL Cloud: safe unknown Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs Public IP Country Flag ASN ASN Name Malicious United States AMAZON-AES-AmazoncomIncUS Static File Info No static file info Network Behavior Network Port Distribution Copyright Joe Security LLC 2018 Page 13 of 19

14 Total Packets: (HTTP) 53 (DNS) TCP Packets Timestamp Port Dest Port IP Dest IP Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Copyright Joe Security LLC 2018 Page 14 of 19

15 Timestamp Port Dest Port IP Dest IP Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST UDP Packets Timestamp Port Dest Port IP Dest IP Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Sep 5, :55: CEST Copyright Joe Security LLC 2018 Page 15 of 19

16 Timestamp Port Dest Port IP Dest IP Sep 5, :55: CEST DNS Queries Timestamp IP Dest IP Trans ID OP Code Name Type Class Sep 5, :55: CEST xf2b5 Standard query (0) dwnld2.com A (IP address) IN (0x0001) Sep 5, :55: CEST xf2b5 Standard query (0) dwnld2.com A (IP address) IN (0x0001) DNS Answers Timestamp IP Dest IP Trans ID Replay Code Name CName Address Type Class Sep 5, xf2b5 No error (0) 14:55: dwnld2.com CEST Sep 5, :55: CEST Sep 5, :55: CEST xf2b5 No error (0) nt-www-prod-lb useast-1.elb.a mazonaws.com xf2b5 No error (0) nt-www-prod-lb useast-1.elb.a mazonaws.com Sep 5, x209d No error (0) ie9comview 14:55: vo.msecnd.net CEST nt-www-prod-lb us-east- 1.elb.amazonaws.com cs9.wpc.v0cdn.net CNAME (Canonical name) IN (0x0001) A (IP address) IN (0x0001) A (IP address) IN (0x0001) CNAME (Canonical name) IN (0x0001) HTTP Request Dependency Graph HTTP Packets Session ID IP Port Destination IP Destination Port Process C:\Program Files\Internet Explorer\iexplore.exe Timestamp kbytes transferred Direction Data Sep 5, :55: CEST 1 OUT GET /download/?d=0&h=1&pnid=4&domain=hmapsanddrivingdirection.com&implementation_id=maps_spt_&source=gccc7-lp0-bb9&adprovider=appfocus1&user_id=93b1d c-4dd2-b98d-b9dc &dfn=maps%20and%20d riving%20direction&spo=0&appname=maps%20and%20driving%20direction&appdesc=get%20directions%20or%20lo okup%20maps%20for%20free.%20search%20maps,%20local%20traffic,%20and%20driving%20directions.&ies=s,h& sso= HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: DNT: 1 Connection: Keep-Alive Copyright Joe Security LLC 2018 Page 16 of 19

17 Timestamp kbytes transferred Direction Data Sep 5, :55: CEST 2 IN HTTP/ OK Date: Wed, 05 Sep :55:01 GMT Content-Type: application/x-msdos-program Content-Length: Connection: keep-alive Server: Apache/ (Ubuntu) Content-Disposition: attachment; filename="6.exe" Last-Modified: Fri, 10 Aug :33:37 GMT Accept-Ranges: bytes Data Raw: 4d 5a ff ff b e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd f d e 6e 6f e e f d 6f e 0d 0d 0a a e 06 fa d1 6e 06 fa d1 6e 06 fa d1 da 9a 0b d fa d1 da 9a 09 d1 f3 06 fa d1 da 9a 08 d fa d1 b7 64 f9 d fa d1 b7 64 fe d0 4a 06 fa d1 b7 64 ff d fa d1 67 7e 79 d1 6b 06 fa d1 67 7e 69 d fa d1 6e 06 fb d fa d1 ca 65 f3 d0 7c 06 fa d1 ca d1 6f 06 fa d1 6e 06 6d d1 6c 06 fa d1 ca 65 f8 d0 6f 06 fa d e 06 fa d c a2 f5 5a e b 01 0e 0b 00 2e d d a d f c 0b d c 3e d e d c e c7 2c e e b a e c4 2c b e c c0 2e c e a ba e c 0b e 0b d e c 6f c 3e f Data Ascii: MZ@!L!This program cannot be run in DOS mode.$*gnnncsdvdjd)g~ykg~iynre eonmleorichnpelz.@@`@tx2 >0=8>h=@@.text,. `.rdatah@j2@@.data,@.aeseal@@.rsrcx@@.reloc Code Manipulations Statistics Behavior iexplore.exe iexplore.exe ssvagent.exe Click to jump to process System Behavior Analysis Process: iexplore.exe PID: 3232 Parent PID: 548 Copyright Joe Security LLC 2018 Page 17 of 19

18 General Start time: 14:54:43 Start date: 05/09/2018 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding 0x bytes CA1F703CD665867E8132D2946FB55750 true C, C++ or other language File Activities File Path Access Attributes Options Completion Count File Path Offset Length Value Ascii Completion Count File Path Offset Length Completion Count Registry Activities Key Path Completion Count Key Path Name Type Data Completion Count Key Path Name Type Old Data New Data Completion Count Analysis Process: iexplore.exe PID: 3284 Parent PID: 3232 General Start time: 14:54:43 Start date: 05/09/2018 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3232 CREDAT: /prefetch:2 0x bytes CA1F703CD665867E8132D2946FB55750 true C, C++ or other language File Activities File Path Access Attributes Options Completion Count File Path Offset Length Value Ascii Completion Count File Path Offset Length Completion Count Registry Activities Key Path Name Type Old Data New Data Completion Count Copyright Joe Security LLC 2018 Page 18 of 19

19 Analysis Process: ssvagent.exe PID: 3340 Parent PID: 3284 General Start time: 14:54:44 Start date: 05/09/2018 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Has administrator privileges: Programmed in: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0x10a bytes 0953A FD1E655B75B63B9083B7 true C, C++ or other language Registry Activities Key Path Completion Count Key Path Name Type Data Completion Count Key Path Name Type Old Data New Data Completion Count Disassembly Copyright Joe Security LLC 2018 Page 19 of 19

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version:

ID: Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/2018 Version: ID: 50646 Cookbook: browseurl.jbs Time: 20:27:59 Date: 16/03/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis