ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version:

Transcription

1 ID: Sample Name: Liste1.jar Cookbook: default.jbs Time: 23:20:23 Date: 02/11/2017 Version:

2 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview AV Detection: Networking: Persistence and Installation Behavior: System Summary: Anti Debugging: Malware Analysis System Evasion: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info General File Icon Network Behavior Code Manipulations Statistics Behavior System Behavior Analysis Process: cmd.exe PID: 30 Parent PID: 264 General Analysis Process: 7za.exe PID: 3120 Parent PID: 30 General File Activities File Created File Written Copyright Joe Security LLC 2017 Page 2 of

3 Analysis Process: cmd.exe PID: 3136 Parent PID: 264 General File Activities File Created Analysis Process: java.exe PID: 3164 Parent PID: 3136 General File Activities File Created File Written Disassembly Code Analysis Copyright Joe Security LLC 2017 Page 3 of 20

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 23:20:23 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Sample file name: Cookbook file name: 0h 1m 41s light Liste1.jar default.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 6 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Detection: Classification: MAL HCA enabled EGA enabled HDC enabled mal4.winjar@6/14@0/0 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Found application associated with file extension:.jar Stop behavior analysis, all processes terminated Show All Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe Skipping Hybrid Code Analysis (implementation is based on Java,.Net, VB or Delphi, or parses a document) for: java.exe Detection Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Copyright Joe Security LLC 2017 Page 4 of 20

5 Strategy Score Range Further Analysis Required? Threshold Confidence Classification Ransomware Evader Spreading malicious malicious malicious suspicious suspicious suspicious Exploiter Phishing clean clean clean Spyware Banker Adware Trojan / Bot Signature Overview Copyright Joe Security LLC 2017 Page 5 of 20

6 AV Detection Networking Persistence and Installation Behavior System Summary Anti Debugging Malware Analysis System Evasion Hooking and other Techniques for Hiding and Protection Click to jump to signature section AV Detection: Antivirus detection for submitted file Networking: Urls found in memory or binary data Persistence and Installation Behavior: May use bcdedit to modify the Windows boot settings System Summary: Uses new MSVCR Dlls Binary contains paths to debug symbols Classification label Creates temporary files Executable is probably coded in java Reads software policies Sample is known by Antivirus (Virustotal or Metascan) Spawns processes Anti Debugging: Creates guard pages, often used to prevent reverse engineering and debugging Malware Analysis System Evasion: May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory) Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Behavior Graph Copyright Joe Security LLC 2017 Page 6 of 20

7 ID: Behavior Graph Legend: Process Signature Created File DNS/IP Info Is Dropped Sample: Liste1.jar Startdate: 02/11/2017 Architecture: WINDOWS Score: 4 started cmd.exe started cmd.exe Is Windows Process Number of created Registry Values Number of created Files Visual Basic Delphi Java.Net C# or VB.NET C, C++ or other language Is malicious 1 started started 7za.exe java.exe 17 2 Simulations Behavior and APIs No simulations Antivirus Detection Initial Sample Detection Cloud Link Liste1.jar 5% virustotal Browse Dropped Files No Antivirus matches Domains No Antivirus matches Copyright Joe Security LLC 2017 Page 7 of 20

8 Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Startup System is w7 cmd.exe (PID: 30 cmdline: C:\Windows\system32\cmd.exe /c 7za.exe x -y -oc:\jar 'C:\Users\user\Desktop\Liste1.jar' AD7B9C1403B52BC532FBA594342B9) 7za.exe (PID: 3120 cmdline: 7za.exe x -y -oc:\jar 'C:\Users\user\Desktop\Liste1.jar' 42BADC1D2F03AB1E475740D3D49336) cmd.exe (PID: 3136 cmdline: 'C:\Windows\System32\cmd.exe' /c java.exe -jar 'C:\Users\user\Desktop\Liste1.jar' A >> C:\cmdlinestart.log 2>&1 AD7B9C1403B52BC532FBA594342B9) java.exe (PID: 3164 cmdline: java.exe -jar 'C:\Users\user\Desktop\Liste1.jar' A 02E26F23B FB5E33DB36BF0C) cleanup Created / dropped Files C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c7c46.timestamp File Type: ASCII text, with CRLF line terminators 99544D62EBFC57C137F4DCE1AC4B120F5B2E Copyright Joe Security LLC 2017 Page of 20

9 C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c7c46.timestamp 75FFE7EF67D771FA55C32ECA051D2C9FF7B1C34A2EFA2DA6C45A2942A F2AAC1B7CEF422A9332A74B577B9449A2CCE C1B30DBE1A26E0F77017F0A93D3FA941A4DBF6EA2D1F92 63D5F1B3616B3E7A2D17DC590A2 C:\cmdlinestart.log File Type: C source, ASCII text, with CRLF line terminators EB513DEF511DAEE69309F67950DF534505EDA97 3D3539C0D06DDC0D ADFCD267DE40D0A5EB0E6754AFFB FBDADC30F776B5BE43525B3FDE4671BB0CE6B24A5B9F7B1502FCD3330F3CC113E4120EEDA72E44B27A7F920B 0B43E9A5CD0B299D7A7516F5E7 C:\jar\A.class File Type: compiled Java class data, version EF30EC36CC50E AAE5209C76D9 C FCA944945E731B4D3CBBE4BB434AA40F2ACD1F1C310AE6F0E4AEBBC C4E55C EC14B4C122F070B E4B6BCA762DE229C9031B75AF5D2ABB9DD7B134716F E04C15EE D64B9FC C:\jar\B$B.class File Type: compiled Java class data, version 49.0 (Java 1.5) 20F C26EA706347C A5B6BBB1B04D65E7D740015CD9AAC92934A4C990D04F6B672142D36927AD B60D C61F5F1BA0FA39FE3A747B9D11A959BE324DF39C3AD113C09FF5EBDC672B422C9E9BA246792D5C E16F2C99FCBEC DBA C:\jar\B.class File Type: compiled Java class data, version 51.0 DEAAA9677F7D204BC0EAAB5F9FA5E7C11434B270 E4F51AC99B106C4F1365D2BA597BAB4D714025DEF74F496734AE0CAE6 FCBFC1B299A2DE252605DE0A11C F1F343F4C6B042CA221549D0B406F1512CC5A762B40A F7 B1926D55A420CB9FA30C313D C:\jar\C.class File Type: compiled Java class data, version 51.0 F20FE5C09465A0971CEE90711D0C4B0919DEB7 2A6AB36BE66DCF0F6AA0DC497C0BEEFA04FC47079AFC957254A5BD7C90CD 4CD1FFD BDBDD6E4C995457E44CF3FB4E35A09D15954F9A10CD70B6EE034014A07FBD1214A4045EA B9E01B032375FDFE37EDEECFD C:\jar\D$C.class File Type: compiled Java class data, version 49.0 (Java 1.5) 9463AFD263FCB A9F3DC9940A5CE2F 16CBAB52B9E0EC A2539C27E0BE5762AD32F714D4C32960BE 12922D7939F50DB0A4AA35F332F469D C614C DA4979D51A42F007375E2FB26C0A461D5FAF73745F7EC F5AF6999F97B01D5D14BB9A366 C:\jar\D.class File Type: compiled Java class data, version F465F0DC004F23B501A65FA5DE20193C34E 6C06EFD234CF05A04F7EA30942B03C22C905D5730AE47D775F73AA6CF3FF FC11EFDAD0A520B0634F214011CBBCC9DEFDE1BE62CCCA39E6C3AE EF9E066E66EDF96C49AEB942A1346D 1D9714A6E75AC1F70495F51C9A67 Copyright Joe Security LLC 2017 Page 9 of 20

10 C:\jar\META-INF\MANIFEST.MF File Type: ASCII text, with CRLF line terminators BC4C2D4FF1A AF0D1B7B99A6F2 C4D37D3913C6A69666F0E24BB19EEEECB2AC4232FB3BD155E FF BADBC3FB0E79AC0BE76EF9F620CD4D6A9EBD2B14A56ABAFB6BFEB319A049CDA6CFC1F33C3251D BFE4 4011F6E1F9FBEAB2AA2FF1570CF7 C:\jar\x File Type: ASCII text, with CRLF line terminators 9BCA713B9D22327C537DFE03307F3A3EEFE6A 601A3CF1FCDA143AAD03CCD D0D0A0ED25CCCCEBD3B5CF60BC 90206A1E0B1DB69BB277ABD409DB5B077C27E0C41C359D5D E02BDDA49D29F5C0167D66CE57B90C76DD D7E0D272B39260A5F2AC6643A5F C:\jar\ynf\ion\js.class File Type: compiled Java class data, version 49.0 (Java 1.5) 71E433C56AF0EECC6CBD2A7B06D0FE7D00 4B90F4D421C2AA337EDD4D9AA BF62D534962F5EBBD537FA2CF7362 9F562CBBEE64EEA9D27199D1BBA6E162F5E1A7732B5AE391C62EF21F4D3F315F239D62E52F5AFB09BAFEBFD2AF C6502A2A6124D53F942C C:\jar\ynf\ion\t.class File Type: compiled Java class data, version 49.0 (Java 1.5) C53DC377EA22EC1F5F7B69EB41E EF7402B546BF4A AF9A1DCF91F3F25AD00C2FCEDD7A0521B AA71BE9070F2A499C44DAFF6E203C7211C31E2B69E7EBA4D17CFA6C94549EA33A7F2E17DE6C11DAC722C01EA0A4 F1F9414AAF9DB7B1DF464BBCC3E2 C:\jar\z File Type: Microsoft a.out overlay standalone fixed-stack not-stripped V2.3 V small model object file Large Data Huge Objects Enabled not stripped 6B37A396CE02246E2B5EA5BB4A47BE716CFF5223 E34EEF96A35F153BEAEBB6D73D3A15EC490A2162BE771BDF997DD0F3537 EDCBAE FF134FA7A517003E22D6EF3EC22E7DB3FA630037FA13F5D1C67EAB9B42F C053462D223AFD7 DC0A5CA14CCC0CE1C006E4FEA6DA unknown File Type: ASCII text, with CRLF line terminators 4FBBE DA3769B3AA496F90D54FC916 DD9B55FE3EB205A2997F624DEF725390A1457DD9F1A40DBA3AED13B473CAAC E29A15196E1BCAF69552B3A A92F7B02E11B56F7331BF7ACCEE62CCE4FEBE35DD17D34BCB50C307AED FAC19C39DC13ACE59A72 Contacted Domains/Contacted IPs Contacted Domains No contacted domains info Contacted IPs No contacted IP infos Copyright Joe Security LLC 2017 Page 10 of 20

11 Static File Info General File type: Zip archive data, at least v2.0 to extract TrID: Java Archive (13504/1) 77.13% ZIP compressed archive (4004/1) 22.7% File name: File size: SHA256: SHA512: File Content Preview: Liste1.jar c059f5e92bbb6cbbab c254 2e7b5422d2d93aed5ec ee910623c2c af905b9273aae0f3f5e4997bccca6136e061c62b 9c2755e119fe6c3c0 5a5ce949adea5e0f4e1f91c73c65fece4b3dac521c3 fa9a2b13cf22d206be974a204016f9205b47ff44323bc5 35e3776f11cd3fc14357e120a PK...aK...B.class.(...pb.]A.Y.\[.u?._...LJ[.fk. File Icon Network Behavior No network behavior found Code Manipulations Statistics Behavior cmd.exe 7za.exe cmd.exe java.exe Click to jump to process System Behavior Copyright Joe Security LLC 2017 Page 11 of 20

12 Analysis Process: cmd.exe PID: 30 Parent PID: 264 General Start time: 23:20:17 Start date: 02/11/2017 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 7za.exe x -y -oc:\jar 'C:\Users\user\Desktop\Liste1.jar' 0x75a bytes AD7B9C1403B52BC532FBA594342B9 C, C++ or other language Analysis Process: 7za.exe PID: 3120 Parent PID: 30 General Start time: 23:20:17 Start date: 02/11/2017 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: C:\Windows\System32\7za.exe 7za.exe x -y -oc:\jar 'C:\Users\user\Desktop\Liste1.jar' 0x75a bytes 42BADC1D2F03AB1E475740D3D49336 C, C++ or other language File Activities File Created File Path Access Attributes Options Completion Count C:\jar C:\jar\B.class C:\jar\ynf C:\jar\ynf\ion C:\jar\ynf\ion\t.class C:\jar\ynf read data or list directory and synchronize read data or list directory and synchronize read data or list directory and synchronize read data or list directory and synchronize directory file and non alert and open for backup ident and open reparse point directory file and non alert and open for backup ident and open reparse point directory file and non alert and open for backup ident and open reparse point directory file and non alert and open for backup ident and open reparse point Address Symbol object name collision 1 409D11 CreateDirectoryW success or wait 1 409D11 CreateDirectoryW success or wait 1 409D11 CreateDirectoryW object name collision 1 409D11 CreateDirectoryW Copyright Joe Security LLC 2017 Page 12 of 20

13 File Path Access Attributes Options Completion Count C:\jar\ynf\ion C:\jar\ynf\ion\js.class C:\jar\C.class C:\jar\A.class C:\jar\B$B.class C:\jar\D$C.class C:\jar\D.class C:\jar\z C:\jar\x C:\jar\META-INF C:\jar\META-INF\MANIFEST.MF read data or list directory and synchronize read data or list directory and synchronize directory file and non alert and open for backup ident and open reparse point directory file and non alert and open for backup ident and open reparse point Address Symbol object name collision 1 409D11 CreateDirectoryW success or wait 1 409D11 CreateDirectoryW File Written File Path Offset Length Value Ascii Completion Count Address Symbol Copyright Joe Security LLC 2017 Page 13 of 20

14 File Path Offset Length Value Ascii Completion Count C:\jar\B.class unknown 763 ca fe ba be B...java/lang/ f ClassLoader...Cipgoi a Lja f 6c 61 6e 67 va/util/hashmap;...cipgoi2 2f 43 6c c 6f 1...CipgoiKwqpmv [Ljava/lang/Str ing;...tqqkdqe... 6f c ()V...java/la 6a f ng/exception...java/io/fil 69 6c 2f d e b InputStream...Tqqkdqc f ()Ljava/io/File;...<ini c f t>...(ljava/io/ 69 4b d b 4c 6a f 6c 61 6e 67 2f e 67 3b b a f 6c 61 6e 67 2f f 6e c a f 69 6f 2f c e d e b c 6a f 69 6f 2f c 65 3b 0c a c 69 6e e c 6a f 69 6f 2f Address Symbol success or wait 1 40BDC WriteFile C:\jar\ynf\ion\t.class unknown 911 ca fe ba be ynf/ion/t...ja success or wait 1 40BDC WriteFile f va/lang/object...x... 6e 66 2f 69 6f 6e 2f 74 [Ljava/lang/Object; a (II)I...java/l f 6c 61 6e 67 ang/throwable...i...([bi)i. 2f 4f 62 6a E...(J)[B...J...(J) J...java/lang/NullPointerEx b 4c 6a cep 61 2f 6c 61 6e 67 2f 4f tion...java/lang/exception 62 6a b java/lang/Class...getD a eclaredmethods. 2f 6c 61 6e 67 2f f c b a 29 5b ff a a 29 4a e 6a f 6c 61 6e 67 2f 4e 75 6c 6c 50 6f 69 6e f 6e a f 6c 61 6e 67 2f f 6e f 6a f 6c 61 6e 67 2f 43 6c c d f Copyright Joe Security LLC 2017 Page 14 of 20

15 File Path Offset Length Value Ascii Completion Count Address Symbol C:\jar\ynf\ion\js.class unknown 916 ca fe ba be ynf/ion/js...j success or wait 1 40BDC WriteFile f a 79 ava/lang/object...v... 6e 66 2f 69 6f 6e 2f 6a [Ljava/lang/Object;...y (II)I...j 6a f 6c 61 6e ava/lang/throwable...b f 4f 62 6a ([BI)I...f...(J)[B...E (J)J...java/lang/NullPointer b 4c 6a 61 Exception...java/lang/Exc f 6c 61 6e 67 2f ep 4f 62 6a b tion...java/lang/class getDeclaredMet a f 6c 61 6e 67 2f f c b a 29 5b ff a 29 4a e 6a f 6c 61 6e 67 2f 4e 75 6c 6c 50 6f 69 6e f 6e a f 6c 61 6e 67 2f f 6e f 6a f 6c 61 6e 67 2f 43 6c c d C:\jar\C.class unknown 5333 ca fe ba be C...java/lang/ success or wait 1 40BDC WriteFile b Object...Cipgoi a [B...Cip f 6c 61 6e 67 goi21...ljava/lang/string;... 2f 4f 62 6a CipgoiKwqpmv...<clinit> ()V f java/lang/Exception...jav 02 5b a f /io/bufferedreader...java c 6a /i 61 2f 6c 61 6e 67 2f 53 o/inputstreamreader...t e 67 3b 01 qqkdqz c f 69 ()Ljava/io/InputStream;.. 4b d <ini c 63 6c 69 6e e a f 6c 61 6e 67 2f f 6e c a f 69 6f 2f e a f 69 6f 2f 49 6e d b a c 6a f 69 6f 2f 49 6e d 3b 0c a c 69 6e 69 Copyright Joe Security LLC 2017 Page 15 of 20

16 File Path Offset Length Value Ascii Completion Count Address Symbol C:\jar\A.class unknown 3397 ca fe ba be n...A...java/lang/ success or wait 1 40BDC WriteFile e Object...TqqkdqKwqpmv a.&(Lj f 6c 61 6e 67 ava/lang/string;)ljava/lang 2f 4f 62 6a /String;...OM..\ c (Ljava/lang/Objec 71 6b b t;ljava/lang/object;ljava/la 70 6d ng 4c 6a f 6c 61 /Object;Ljava/lang/Object;) 6e 67 2f Lja 6e 67 3b 29 4c 6a 61 va/lang/object; f 6c 61 6e 67 2f.R e 67 3b f 4d c 2 4c 6a f 6c 61 6e 67 2f 4f 62 6a b 4c 6a f 6c 61 6e 67 2f 4f 62 6a b 4c 6a f 6c 61 6e 67 2f 4f 62 6a b 4c 6a f 6c 61 6e 67 2f 4f 62 6a b 29 4c 6a f 6c 61 6e 67 2f 4f 62 6a b 0c a f a ee b4 9b ea b7 b6 ee b7 7 ea b6 7 ee b7 9b ea b6 7 ee b6 3 ea b6 a eb 0 9b ec c a9 eb 0 9d ec d a9 eb 0 a9 ec c b3 eb C:\jar\B$B.class unknown 909 ca fe ba be B$B...java/lan success or wait 1 40BDC WriteFile f g/object...e...[ljava/lang/ Object;...A...(II)I...java/lan 10 6a f 6c 61 g/throwable...v...([bi)i... 6e 67 2f 4f 62 6a g...(j)[b...u...(j)j java/lang/NullPointerExce b 4c 6a pti f 6c 61 6e 67 on...java/lang/exception.. 2f 4f 62 6a b java/lang/Class...getDe claredmethods a f 6c 61 6e 67 2f f c b a 29 5b ff a 29 4a e 6a f 6c 61 6e 67 2f 4e 75 6c 6c 50 6f 69 6e f 6e a f 6c 61 6e 67 2f f 6e f 6a f 6c 61 6e 67 2f 43 6c c d f d Copyright Joe Security LLC 2017 Page 16 of 20

17 File Path Offset Length Value Ascii Completion Count Address Symbol C:\jar\D$C.class unknown 913 ca fe ba be D$C...java/lan success or wait 1 40BDC WriteFile f g/object...v...[ljava/lang/ Object;...u...(II)I...java/lan 10 6a f 6c 61 g/throwable...b...([bi)i... 6e 67 2f 4f 62 6a e...(j)[b...g...(j)j java/lang/NullPointerExce b 4c 6a pti f 6c 61 6e 67 on...java/lang/exception.. 2f 4f 62 6a b java/lang/Class...getDe claredmethods a f 6c 61 6e 67 2f f c b a 29 5b ff a 29 4a e 6a f 6c 61 6e 67 2f 4e 75 6c 6c 50 6f 69 6e f 6e a f 6c 61 6e 67 2f f 6e f 6a f 6c 61 6e 67 2f 43 6c c d f d C:\jar\D.class unknown 900 ca fe ba be D...java/lang/ success or wait 1 40BDC WriteFile Object...Tqqkdqh../(LB; a [BLj f 6c 61 6e 67 ava/util/hashmap;ljava/util 2f 4f 62 6a /Ha shmap;z)v...java/lang/exc 71 6b eption...c...cipgoi6... 2f 2 4c 42 3b 5b 42 4c [B...Tqqkdqp...([B[B) 6a f [B c 2f d...java/util/jar/JarInp b 4c 6a utstream...java/io/bytear 61 2f c 2f 4 rayinputstream d b 5a a f 6c 61 6e 67 2f f 6e f b 42 0c 00 0b 00 0c a 00 0d b b 42 5b b 42 0c 00 0f a c 6a f c 2f 6a f 4a e d c 6a f 69 6f 2f e d C:\jar\z unknown 3276 success or wait 1 40BDC WriteFile Copyright Joe Security LLC 2017 Page 17 of 20

18 File Path Offset Length Value Ascii Completion Count C:\jar\z unknown d1 ef dc..va...&._...ns...p.v?\.9. success or wait 1 40BDC WriteFile 9f 26 ba 5f 92 f4 a3 ed..y.o.?..1.p j~...e 4e 73 cb 1a c W*..1...y}]d.W\...(..L9.S. b6 56 3f 5c f b j...l...!...xp...tup e5 59 7c 92 4f d2 3f c5.det...._._..dg+...{.k.}.7s e >2..<_;...1.P G a7 b6 a9 35 f *.`.~...>.(.q*.sQd..SY.s...}_ 9 6a 7e dd bc a g.ozZ<L.(..4.a..f..:t. e5 aa 57 2a f7 0b 31.!...o.b... d3 c 17 7 ea 79 7d 5d 64 f2 57 5c fa db a3 2 be e 4c a0 6a 1 0 d7 d5 a4 b9 4c f4 a2 ec 21 c5 11 f6 d3 e6 7f fc 5 50 ca 9a fd f b df 7c b e7 5f 1b 5f b5 dc b db cd a0 7b 12 4b ed 7d d c6 3e 32 d5 e4 3c 5f 3b ca 0a e 14 7f b e ca 50 a dc 0c af d2 e3 9e d 2a 1e e a1 0f a2 3e a 2 f2 71 2a ac b4 b d9 73 db 99 9d 7d 5f c 2b b 7c c4 67 fd 6f 7a 5a 3c 4c 02 2 b3 9b 34 d0 61 cc ba a 74 f fb 9c b7 df df b5 12 6f f1 62 be fe 1c C:\jar\x unknown b f b 2b c 6d e 31 2b b c 71 6f c b d f c 71 5a 2b c b 72 4f 4 6 4c 61 4f 0d 0a d b f 6b 5a 5 6c d 3d C:\jar\META-INF\MANIFEST.MF unknown 192 4d 61 6e d f 6e 3a e 30 0d 0a 41 6e 74 2d f 6e 3a e e 39 2e 34 0d 0a 5 2d 43 4f 4d 4d 45 4e 54 3a 20 4d e 2d 43 6c c 6c f 6d c 6c c 64 0d 0a 43 6c d a 20 0d 0a d a e 37 2e 30 5f d f c f f f 6e 29 0d 0a 4d e 2d 43 6c a d 0a 0d 0a sbkufoxvk+esbyurpgyv Lm4r9en1+ 3Xk7y4he2lqoS7lYySkqqI m5eo7iel qz+0sleakrohhlao..6ym ytk65rbc/kzxl1w== Address Symbol success or wait 1 40BDC WriteFile Manifest-Version: 1.0..Ant- Version: Apache Ant X-COMMENT: Main- Class will be added automatically by build..class-path:..created-by: 1.7.0_0-b15 (Oracle Corporation)..Main-Class: A... success or wait 1 40BDC WriteFile Copyright Joe Security LLC 2017 Page 1 of 20

19 File Path Offset Length Value Ascii Completion Count unknown unknown 460 0d 0a 37 2d 5a e f d f c 6f d d d 0a 0d 0a f e a a 5c c c b e 5c b 74 6f 70 5c 4c e 6a d 0a 0d 0a e e 63 6c d 0a e e 66 5c 69 6f 6e 5c 74 2e 63 6c d 0a e e 66 5c 69 6f 6e 5c 6a 73 2e 63 6c d 0a e e 63 6c d 0a e e 63 6c Zip (A) 9.20 Copyright (c) Igor Pavlov Processing archive: C :\Users\user\Desktop\Liste 1.jar...Extracting B.class..Extracting ynf\ion\t.class..extracting ynf\ion\js.class..extracting C.class..Extracting A. class Address Symbol success or wait FD WriteFile Analysis Process: cmd.exe PID: 3136 Parent PID: 264 General Start time: 23:20:17 Start date: 02/11/2017 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c java.exe -jar 'C:\Users\user\Desktop\Liste1.jar' A >> C:\ cmdlinestart.log 2>&1 0x755c bytes AD7B9C1403B52BC532FBA594342B9 C, C++ or other language File Activities File Created File Path Access Attributes Options Completion Count C:\cmdlinestart.log Address Symbol success or wait 1 4A5CDF1 CreateFileW Analysis Process: java.exe PID: 3164 Parent PID: 3136 General Start time: 23:20:1 Start date: 02/11/2017 Copyright Joe Security LLC 2017 Page 19 of 20

20 Path: Wow64 process (32bit): Commandline: Imagebase: File size: MD5 hash: Programmed in: C:\ProgramData\Oracle\Java\javapath_target_27509\java.exe java.exe -jar 'C:\Users\user\Desktop\Liste1.jar' A 0x75a bytes 02E26F23B FB5E33DB36BF0C Java File Activities File Created File Path Access Attributes Options Completion Count C:\Users\HERBBL~1\AppData\Local\Temp\hsperfdata_user C:\Users\HERBBL~1\AppData\Local\Temp\hsperfdata_user\3164 read data or list directory and synchronize none and delete and synchronize and generic read and generic Address Symbol directory file and object name collision 1 69E505B CreateDirectoryA non alert and open for backup ident and open reparse point and delete on close success or wait 1 69E515 CreateFileA File Written File Path Offset Length Value Ascii Completion Count C:\ProgramData\Oracle\Java\.or acle_jre_usage\17dfc292991c7c46.timestamp unknown a 5c f d c c 4a c 6a e 3 2e 30 5f d 0a d 0a C:\cmdlinestart.log unknown 119 6a e 69 6f 2e c 65 4e 6f f 75 6e f 6e 3a a 5c c c b e 5c b 74 6f 70 5c 4c e 6a d e 6e 6f e C:\Program Files\Java\jre1..0 _ Address Symbol success or wait 1 6D0AA27 WriteFile java.io.filenotfoundexcep success or wait 12 6D0AA27 WriteFile tion: C:\Users\Herb%20Blackbu rn\desktop\liste1.jar (The system cannot find the path specified) Disassembly Code Analysis Copyright Joe Security LLC 2017 Page 20 of 20