ID: Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 07:07:14 Date: 07/11/2017 Version:

Transcription

1 ID: 3626 Sample Name: emotet.exe Cookbook: defaultwindowsofficecookbook.jbs Time: 0:0:14 Date: 0/11/201 Version:

2 Table of Contents Table of Contents Analysis Report Overview Information Detection Confidence Classification Analysis Advice Signature Overview Networking: Data Obfuscation: Spreading: System Summary: Anti Debugging: Hooking and other Techniques for Hiding and Protection: Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshot Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info File Icon Static OLE Info OLE File "emotet.exe" Indicators Summary Document Summary Streams with VBA VBA File Name: BzifmdnXd.bas, Stream Size: 86 VBA File Name: IzPTiNVkT.bas, Stream Size: Copyright Joe Security LLC 201 Page 2 of 1

3 VBA File Name: LamBMUjJd.bas, Stream Size: 4843 VBA File Name: ThisDocument.cls, Stream Size: 24 VBA File Name: nvoftmjyq.bas, Stream Size: 3418 Streams \x1compobj, data, Stream Size: 114 \x5documentsummaryinformation, FoxPro FPT, blocks size 512, next free block index , Stream Size: 406 \x5summaryinformation, data, Stream Size: 412 1Table, data, Stream Size: 683 Data, data, Stream Size: 15 Macros/PROJECT, ASCII text, with CRLF line terminators, Stream Size: 55 Macros/PROJECTwm, data, Stream Size: 161 Macros/VBA/_VBA_PROJECT, data, Stream Size: 4846 Macros/VBA/dir, data, Stream Size: 18 WordDocument, data, Stream Size: 406 Network Behavior Code Manipulations Statistics System Behavior Analysis Process: ntvdm.exe PID: 3232 Parent PID: 268 File Activities File Created File Deleted File Written Disassembly Code Analysis Copyright Joe Security LLC 201 Page 3 of 1

4 Analysis Report Overview Information Joe Sandbox Version: Analysis ID: 3626 Start time: 0:0:14 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 3m 1s false light emotet.exe defaultwindowsofficecookbook.jbs Analysis system description: Windows SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 1, Flash 26, Java ) Number of analysed new started processes analysed: 6 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: MAL HCA enabled EGA enabled HDC enabled VBA Instrumentation enabled mal56.evad.winexe@1/2@0/0 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Found application associated with file extension:.exe Close Viewer Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, WMIADAP.exe, dllhost.exe Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Copyright Joe Security LLC 201 Page 4 of 1

5 Strategy Score Range Further Analysis Required? Threshold false Confidence Classification Ransomware Evader Spreading malicious malicious malicious suspicious suspicious suspicious Exploiter Phishing clean clean clean Spyware Banker Adware Trojan / Bot Analysis Advice Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook Signature Overview Copyright Joe Security LLC 201 Page 5 of 1

6 Networking Data Obfuscation Spreading System Summary Anti Debugging Hooking and other Techniques for Hiding and Protection Click to jump to signature section Networking: Urls found in memory or binary data Data Obfuscation: Document contains an embedded VBA with many string operations indicating source code obfuscation Spreading: Checks for available system drives (often done to infect USB drives) System Summary: Classification label Creates temporary files Reads software policies Creates driver files Document contains an embedded VBA macro which executes code when the document is opened / closed Document contains an embedded VBA macro which may execute processes Document contains an embedded VBA with base64 encoded strings Anti Debugging: Checks if the current process is being debugged Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Simulations Behavior and APIs No simulations Copyright Joe Security LLC 201 Page 6 of 1

7 Antivirus Detection Initial Sample No Antivirus matches Dropped Files No Antivirus matches Domains No Antivirus matches Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Copyright Joe Security LLC 201 Page of 1

8 Screenshot Startup System is w cleanup ntvdm.exe (PID: 3232 cmdline: 'C:\Windows\system32\ntvdm.exe' -i1 MD5: 66F516A8C1D220FE0F42DF5EF0DE5D) Created / dropped Files C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6BD.tmp MD5: SHA1: SHA-256: SHA-512: Malicious: ASCII text, with CRLF line terminators D41D8CD8F00B204E8008ECF842E 1E3802F435BFF25ADFFE0221B2B11688C0E EE0621C3E025B84860A2460EAF628C F8C52C5A08ACC35D36C 44C10C0AA0CDAD64BCE43415B3E238BDFCC6A0FA8FFFF11FADDCAECCC D2D45044F44EB65833ED2ED 045FC603BFADBB false C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6D3.tmp DOS batch file, ASCII text, with CRLF line terminators MD5: D41D8CD8F00B204E8008ECF842E SHA1: 08C82DA03522D866E18A3F824385A5A05 SHA-256: 06D61C23E6CA5BDDAD16ECCC42C032CD8F6F424AF6CFEE5D085D36FFDFD Copyright Joe Security LLC 201 Page 8 of 1

9 C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6D3.tmp SHA-512: Malicious: BF605F553C28D45CFBD5DD CDA6C0238C242466E522624D3ED51B5FF30C10D4D80D04FFEF61DE8 C8230E646BF4B8224F42CDD5 false Contacted Domains/Contacted IPs Contacted Domains No contacted domains info Contacted IPs No contacted IP infos Static File Info File type: 0 TrID: Microsoft Word document (3200/1) 52.8% Microsoft Word document (old ver.) (1008/1) 31.41% Generic OLE2 / Multistream Compound File (8008/1) 13.23% Java Script embedded in Visual Basic Script (1500/0) 2.48% File name: File size: 360 MD5: SHA1: SHA256: SHA512: File Content Preview: emotet.exe 3ce28cb0068d35844d8b be4eebd3c6e808b3c8061a6b335da0fb8 555d28d06e2d5ec e204d3b6f5fd646c63ee0 8f4e3e002a1b3 eeda5ce23efbbbd245c bf0d4abe134bf11 2b848a0cf416f3bfe6b4fdadeb4d b08b 0d1a8b43e0343e81e4fca4513f3d...>...N...Q...M...{ File Icon Static OLE Info Document Type: OLE Number of OLE Files: 1 OLE File "emotet.exe" Indicators Has Summary Info: True Application Name: Microsoft Office Word Encrypted Document: Contains Word Document Stream: True Contains Workbook/Book Stream: Contains PowerPoint Document Stream: Contains Visio Document Stream: Contains ObjectPool Stream: Flash Objects Count: 0 Copyright Joe Security LLC 201 Page of 1

10 Indicators Contains VBA Macros: True Summary Code Page: 1252 Title: Subject: Author: waezqitk Keywords: Comments: Template: Normal.dotm Last Saved By: Revion Number: 1 Total Edit Time: 0 Create Time: :4:00 Last Saved Time: :4:00 Number of Pages: 1 Number of Words: 0 Number of Characters: 1 Creating Application: Microsoft Office Word Security: 0 Document Summary Document Code Page: 1252 Number of Lines: 1 Number of Paragraphs: 1 Thumbnail Scaling Desired: Company: Contains Dirty Links: Shared Document: Changed Hyperlinks: Application Version: Streams with VBA VBA File Name: BzifmdnXd.bas, Stream Size: 86 VBA File Name: Stream Size: 86 Macros/VBA/BzifmdnXd BzifmdnXd.bas Data ASCII: \\ c U x M E Data Raw: f c d ff ff ff ff fb b a ff ff b6 00 ff ff ff ff ff ff ff ff ff ff ff ff Keyword Function Attribute "BzifmdnXd" VB_Name PUjaAIUGM() Shell$ jaueroppf, VBA File Name: IzPTiNVkT.bas, Stream Size: Macros/VBA/IzPTiNVkT Copyright Joe Security LLC 201 Page 10 of 1

11 VBA File Name: Stream Size: IzPTiNVkT.bas Data ASCII: \\ c.... ( U [ x M E Data Raw: f c d ff ff ff ff b 55 5b f ff ff b6 00 ff ff ff ff ff ff ff ff ff ff ff ff Keyword ULALJaDHUW GcpVPwiVQlv ZOusjSJFTq KJZmsjaKD OsJzFviHD XrjKcDOGvTd JHKdhRv VLVfJ uwduibbej UBsJS zpzzdmdzzyu mtqkkxb lwfzdi qlnqg MCMhIPaOLu ZqharlnDNbc KcXGPTZO kjzbdsaru cjocxvznkzf FosPUL ATOdkRwj tzpton KJblABnKF wsskoanwwh RoYzJSqZv dghabd mjidmdzvbc ttdwbo ccyntezou CvpZK isuzo WBznrhIa QvDsfwvqR RWMduziIk YpMFNwjnsrD OPZzoqFQTBm zjgumtwoip BAUzvfzLn ixwlmvowsh oxoabfo jaueroppf() wibzusdzvhb GiNVu UwcRwrcBvt CsoNOBLM ZfjnANbpm Attribute JLRzl taiwlz mitdyx ossjcimkkml VB_Name Copyright Joe Security LLC 201 Page 11 of 1

12 Keyword FqqTzC GjRtiR "IzPTiNVkT" Function ivbtacapz zqfah jrtyy pfijwi jaueroppf tphymfewics ddhalblgda clirlqsj baclbmdborf WBiTUwC zicpzomxb VBA File Name: LamBMUjJd.bas, Stream Size: 4843 VBA File Name: Stream Size: 4843 Macros/VBA/LamBMUjJd LamBMUjJd.bas Data ASCII: U C x M E Data Raw: f d ff ff ff ff b c b ff ff b6 00 ff ff ff ff ff ff ff ff ff ff ff ff Keyword dbopwtre Mid("NCBfEuMWljQnAKnbj", Mid("PzEcMdJi=helcbK", Mid("sIpumsPZCi&&MZMiptARaWpPFKzViQfaVZznDMmBZWiCF", Kvihj zspzx jtjbmkz RuVfHtLITcW QqkckZntB Mid("aGvKTVccUBLpUQRFLoGFj=SmZlssnOSPjPvfWuQvRbJVSA", OOVdH rzmpmv RWMduziIk() Mid("ISbzYANifWoz^l&&dKi", GvwzIFiWEO Mid("jHTdzoTdQdbGCwAWwOBrmjauERoPPf%!EzBGmPZIZi", Mid("XpTwjMGwwuD", Mid("wrOKcwtnM&set Mid("jsdjAArEoVuzWbrOYa&&!%avuMWlqjNTEWKmVjSwLTH", Mid("wBNKNrTRLlAuhXJjMApTbvMHwwBNccjCjrs%=FAqI", sbflv PBZCuZDzjSG InjjfLWat IiHJbP Mid("DFQrset oaijkmrtwv PJIqQjE Mid("svFfRUda%=vfiwDBXjFXmYUDJzNADUuOfuCYhiJ", Mid("kKFoGIYkkucXQRtClEjps%!!%PUjaAIUpljFGNETXTAKj", Copyright Joe Security LLC 201 Page 12 of 1

13 Keyword Mid("lYj-MEdHnMRiiDkFAvdHOBcoqudamUFWFhbG", %avzqhtuozjoigrkxl", Mid("rSSSlBSXNzwoTLQRizt%qoLzIhwIFw", YmVjr %YvCOTua", iucucwcucdu Mid("GYEoVwdfAIUGM%=weEujwWSujbzfuhzDC", Mid("NTFIfVrwhfSiTYIfSn", %PUjahGFOiCpaOPznnXFEpXoN", XQHr", RWMduziIk PRlzrnDV PkkPJziaMm Mid("rj%!!%ZuhQFAvSTz", Mid("CuXcmTaEDdAkzGLkzfSWds%=p^o&zBQqR", EBrVVi AutoOpen() QGYIwB "LamBMUjJd" %JhShQdzjwizrwuKF", Mid("zkLMXRa&&set DGadJcMRJ Mid("WbptsMCFzCMBbseiDpt", Mid("FWvHtNfTwUOenc Mid("itBmPlaBbtdcqtDpnnwXLXset jzzjrj Mid("sVKusIWjkNEajwiVPuuFf Mid("DrqOVZAGMVt Mid("csjMqGMZFfsQYMVomrYfWECcJdcwz", Mid("jtJsFEMt Mid("zauERoPPf%PrcLTXcJJbIsK", Attribute zukwlrimzc VB_Name Mid("LLZbsqfBnunKXNYzvvqFWqbRwjTrMAbCtnkr^mYsm", Function %jtdlwnbrebnamzbytqlzslkiwzprtqnzw", pqtvbm JCNrHn", PUjaAIUGM Mid("jtbnSLktJpsPhs&&seSTPir", TRiFDwwtHlP zqccvwisk %CjnlLiXQjkLLqcKDXzUbQ", XCkjK knwigco cvmdfzstco VBA File Name: ThisDocument.cls, Stream Size: 24 VBA File Name: Stream Size: 24 Macros/VBA/ThisDocument ThisDocument.cls Data ASCII: U u x M E Data Raw: f e d da ff ff ff ff a f b 55 5 e ff ff a b6 00 ff ff ff ff ff ff ff ff ff ff ff ff Copyright Joe Security LLC 201 Page 13 of 1

14 Keyword VB_Exposed Attribute VB_Creatable VB_Name VB_PredeclaredId VB_GlobalNameSpace VB_Base VB_Customizable VB_TemplateDerived "ThisDocument" VBA File Name: nvoftmjyq.bas, Stream Size: 3418 VBA File Name: Stream Size: 3418 Macros/VBA/nvoFTMjYq nvoftmjyq.bas Data ASCII: \\ c U u x M E Data Raw: f c d ff ff ff ff d b 55 5 dd ff ff b6 00 ff ff ff ff ff ff ff ff ff ff ff ff Keyword hfsityifsn", QGYIwB PkkPJziaMm Mid("jtbnSLktJpsPh sbflv dbopwtre mysm", VB_Name Mid("LLZbsqfBnunKXNYzvvqFWqbRwjTrMAbCtnkd QvDsfwvqR() QvDsfwvqR Mid("NCBfEsQnAKnbj", EzBGmPZIZi", nospjpvfwuqvrbjvsa", Mid("NTFIfv zqccvwisk Mid("aGvKTVccUBLpUQRFLoGFj Function "nvoftmjyq" Mid("sVKusIWjkNEajwiVPuuFf%XQHr", Kvihj Mid("GYEoVwdf Mid("rSSSlBSXNzwoTLQRi/c Mid("PzEcMdJi zspzx zqhtuozjoigrkxl", Mid("X /TdlWNBrEbNAmzbYTqLzsLkiWzpRTqNZW", PJIqQjE Mid("rj Mid("WbptsMCFzCMBb Copyright Joe Security LLC 201 Page 14 of 1

15 Keyword RuVfHtLITcW EBrVVi JCNrHn", Mid("jtJsFEMpeQjkLLqcKDXzUbQ", jtjbmkz Mid("ISbzYANifWozcomdKi", Mid("FWvHtNfTwUO jzzjrj GvwzIFiWEO rzmpmv EujwWSujbzfuhzDC", knwigco TRiFDwwtHlP IiHJbP ZuhQFAvSTz", Mid("DFQr Mid("zkLM TwjMGwwuD", Mid("sIp%MZMiptARaWpPFKzViQfaVZznDMmBZWiCF", OOVdH Mid("wBNKNrTRLlAuhXJjMApTbvMHwwBNccjCjcqI", Attribute STPir", XCkjK qolzihwifw", cbk", Mid("zcPrcLTXcJJbIsK", Mid("jHTdzoTdQdbGCwAWwOBrm iucucwcucdu zukwlrimzc idpt", cvmdfzstco Mid("lYjmMEdHnMRiiDkFAvdHOBcoqudamUFWFhbG", Streams \x1compobj, data, Stream Size: 114 Stream Size: 114 \x1compobj Entropy: Data ASCII: data True F... M i c r o s o f t W o r d D o c u m e n t..... M S W o r d D o c..... W o r d. D o c u m e n t q Data Raw: fe ff 03 0a ff ff ff ff c d f 3 6f f d f d 65 6e a d f f f e 44 6f d 65 6e 4 2e f4 3 b \x5documentsummaryinformation, FoxPro FPT, blocks size 512, next free block index , Stream Size: 406 \x5documentsummaryinformation FoxPro FPT, blocks size 512, next free block index Stream Size: 406 Entropy: Data ASCII: , h p Copyright Joe Security LLC 201 Page 15 of 1

16 Data Raw: fe ff d5 cd d5 c 2e 1b b 2c f ae e c f c c b c a ac \x5summaryinformation, data, Stream Size: 412 Stream Size: 412 \x5summaryinformation Entropy: data Data ASCII: O h ' l X , H P Data Raw: fe ff e0 85 f f2 f 4f ab b 2 b3 d c a b bc c dc e Table, data, Stream Size: 683 Stream Size: 683 1Table Entropy: data True Data ASCII: s v... v... v... v... v... v... v... v... v > Data Raw: 0a 06 0f f e e e e e e e e Data, data, Stream Size: 15 Stream Size: 15 Entropy: Data data True Data ASCII: - M.. D. d P *.. `. a A ? " m. i. c. r. o. s. o. f. t... P. i. c. t. u. r. e C. :. \\. m. i. c. r. o. s. o. f. t... p. n. g..... " b. Data Raw: 2d 4d a f f0 b b2 04 0a f a b f f f c f bf Macros/PROJECT, ASCII text, with CRLF line terminators, Stream Size: 55 Stream Size: 55 Macros/PROJECT Entropy: Data ASCII: ASCII text, with CRLF line terminators True I D = " { E 5 E C E B - 8 A D - D C 2 D F F } ".. D o c u m e n t = T h i s D o c u m e n t / & H M o d u l e = I z P T i N V k T.. M o d u l e = L a m B M U j J d.. M o d u l e = n v o F T M j Y q.. M o d u l e = B z i f m d n X d.. N a m e = " P r o j e c t ".. H e l p C o n t e x t I D = " 0 ".. V e r s i o n C o m p a t i b l e 3 2 = " ".. C M G = " C 3 C 1 C 3 3 B F 3 D B F 3 D B F 3 D B F 3 D ".. D P B = " Copyright Joe Security LLC 201 Page 16 of 1

17 Data Raw: d 22 b d d d d d 22 0d 0a 44 6f d 65 6e 4 3d f d 65 6e 4 2f d 0a 4d 6f c 65 3d 4 a e 56 6b 54 0d 0a 4d 6f c 65 3d 4c 61 6d 42 4d 55 6a 4a 64 0d 0a 4d 6f c 65 3d 6e 6 6f d Macros/PROJECTwm, data, Stream Size: 161 Stream Size: 161 Macros/PROJECTwm Entropy: Data ASCII: T h i s D o c u m e n t. T. h. i. s. D. o. c. u. m. e. n. t... I z P T i N V k T. I. z. P. T. i. N. V. k. T... L a m B M U j J d. L. a. m. B. M. U. j. J. d... n v o F T M j Y q. n. v. o. F. T. M. j. Y. q... B z i f m d n X d. B. z. i. f. m. d. n. X. d..... Data Raw: data f d 65 6e f d e a e 56 6b a e b c 61 6d 42 4d 55 6a 4a c d d a 00 4a e 6 6f d 6a e f d 00 6a Macros/VBA/_VBA_PROJECT, data, Stream Size: 4846 Stream Size: 4846 Macros/VBA/_VBA_PROJECT Entropy: data Data ASCII:. a *. \\. G. { E. F C }. # #.. #. C. :. \\. P. R. O. G. R. A. ~. 1. \\. C. O. M. M. O. N. ~. 1. \\. M. I. C. R. O. S. ~. 1. \\. V. B. A. \\. V. B. A \\. V. B. E.... D. L. L. #. V. i. s. u. a. l.. B. a. s. i. c. Data Raw: cc 61 af ff e fe 00 2a 00 5c b d d d d d e Macros/VBA/dir, data, Stream Size: 18 Stream Size: 18 Macros/VBA/dir Entropy: Data ASCII: *..... p.. H..... d P r o j e c t. Q. =..... l {. [.... J. <..... r s t d. o l e >.. s. t.. d. o. l. e P... h. % ^.. *. \\ G { C } # # 0 # C :. \\ W i n d o w s. \\ s y s t e m 3. 2 \\. e 2. t l b. # O L E A u t. o m a t i o n. `.... E N o r m a l.. E N. C r. m. a Q. F *, \\ C m.. Data Raw: data True 01 ca b a e c f 6a d ad 02 0a c b d4 5b c 02 4a 12 3c 02 0a f 6c 65 3e f 00 6c d e a 00 5c 4 b WordDocument, data, Stream Size: 406 Stream Size: 406 WordDocument Entropy: data Data ASCII:.... [ b j b j. L. L &. b. &. b Copyright Joe Security LLC 201 Page 1 of 1

18 Data Raw: ec a5 c1 00 5b f8 12 bf e a 62 6a ca 4c ca 4c e a8 26 1a 62 a8 26 1a ff ff 0f ff ff 0f Network Behavior No network behavior found Code Manipulations Statistics System Behavior Analysis Process: ntvdm.exe PID: 3232 Parent PID: 268 Start time: 0:08:03 Start date: 0/11/201 Path: C:\Windows\System32\ntvdm.exe Wow64 process (32bit): false Commandline: 'C:\Windows\system32\ntvdm.exe' -i1 Imagebase: 0x4ef0000 File size: bytes MD5 hash: 66F516A8C1D220FE0F42DF5EF0DE5D Programmed in: C, C++ or other language File Activities File Created File Path Access Attributes Options Completion Count C:\MSDOS.SYS C:\IO.SYS C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6BD.tmp C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6D3.tmp read attributes and synchroniz e read attributes and synchroniz e read attributes and synchroniz e and generic read read attributes and synchroniz e and generic read readony and hidden and system readony and hidden and system normal normal synchronous io non alert and n on directory file synchronous io non alert and n on directory file synchronous io non alert and n on directory file synchronous io non alert and n on directory file Source Address Symbol success or wait 1 E36FEF CreateFileA success or wait 1 E36A03 CreateFileA success or wait 1 E31A GetTempFileNameA success or wait 1 E31A GetTempFileNameA File Deleted Copyright Joe Security LLC 201 Page 18 of 1

19 File Path Completion Count Source Address C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6BD.tmp success or wait 1 E30DB DeleteFileA C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6D3.tmp success or wait 1 E30FA DeleteFileA Symbol File Written File Path Offset Length Value Ascii Completion Count C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6BD.tmp unknown f 3 3d c d 62 Source Address Symbol dos=high, umb success or wait 3 E3032 WriteFile C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6BD.tmp unknown 2 0d 0a.. success or wait 3 E3032 WriteFile C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6BD.tmp unknown d device= success or wait 1 E3032 WriteFile C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6BD.tmp unknown a 5c 5 6 6e 64 6f 3 C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6BD.tmp unknown f 5 6e 4 2 3d c c 43 3a 5c 5 6 6e 64 6f 3 5c d c 63 6f 5 6e 4 2 2e 3 3 0d 0a C:\Windows success or wait 1 E3032 WriteFile country=001,43,c:\windo ws\system32\country.sys.. C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6BD.tmp unknown c 6c 3d 43 3a 5c 5 6 6e 64 6f 3 5c d c 63 6f 6d 6d 61 6e 64 2e 63 6f 6d 20 2f a 5c 5 6 6e 64 6f 3 5c d shell=c:\windows\system 32\command.com /p C:\Windows\system32 success or wait 1 E3032 WriteFile success or wait 1 E3032 WriteFile C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6BD.tmp unknown 2 0d 0a.. success or wait 1 E3032 WriteFile C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6D3.tmp unknown f 20 6f 66 off success or wait 5 E3032 WriteFile C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6D3.tmp unknown 2 0d 0a.. success or wait 5 E3032 WriteFile C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6D3.tmp unknown 3 6c lh success or wait 3 E3032 WriteFile C:\Users\ANNEBO~1\AppData\Local\Temp\scsB6D3.tmp unknown a 5c 5 6 6e 64 6f 3 C:\Windows success or wait 3 E3032 WriteFile unknown unknown 1 invalid handle 34 E38D3 WriteFile Disassembly Code Analysis Copyright Joe Security LLC 201 Page 1 of 1