Infosec Binary Analisys. Order_2018[10].jar

Size: px

Start display at page:

Download "Infosec Binary Analisys. Order_2018[10].jar"

Bernadette Walters
5 years ago
Views:

1 Order_2018[10].jar MalFamily: Adwind MalScore: 100 File type: File size: Java archive data (JAR) KB ( bytes) Compile time: :00:00 MD5: SHA1: 2b75faa67abae20e bb48aee 9f6e3ade58140db6799fe485271d81eaeafe2425 Submitted: :52:50 Antivirus Report Report date Detection Ratio Permalink :54:49 26/61 10 Behaviors detected by system signatures Created network traffic indicative of malicious activity - signature: ET DNS Query to a *.top domain - Likely Hostile Attempts to disable System Restore Creates a hidden or system file - file: C:\Users\Seven01\oUsZTWQEGIh\gOKhHhQlZaP.kJXFFD - file: C:\Users\Seven01\oUsZTWQEGIh\ID.txt - file: C:\Users\Seven01\oUsZTWQEGIh Installs itself for autorun at Windows startup - key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WDVvVoXJRza - data: "C:\Users\Seven01\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\Seven01\oUsZTWQEGIh\gOKhHhQlZaP.kJXFFD" Execution Options\MWASER.EXE\debugger Execution Options\V3SP.exe\debugger Page 1 Date: :36:39

2 Execution Options\clamscan.exe\debugger Execution Options\SCANWSCS.EXE\debugger Execution Options\MSASCui.exe\debugger Execution Options\WebCompanion.exe\debugger Execution Options\K7RTScan.exe\debugger Execution Options\CisTray.exe\debugger Execution Options\guardxkickoff_x64.exe\debugger Execution Options\K7PSSrvc.exe\debugger Execution Options\ProcessHacker.exe\debugger Execution Options\SDFSSvc.exe\debugger Execution Options\K7AVScan.exe\debugger Execution Options\GdBgInx64.exe\debugger Execution Options\AVKTray.exe\debugger Execution Options\fsgk32.exe\debugger Execution Options\K7EmlPxy.EXE\debugger Execution Options\V3Svc.exe\debugger Execution Options\MCShieldDS.exe\debugger Execution Options\AVKProxy.exe\debugger Execution Options\SAPISSVC.EXE\debugger Execution Options\GDScan.exe\debugger Execution Options\scproxysrv.exe\debugger Page 2 Date: :36:39

3 Execution Options\SDTray.exe\debugger Execution Options\SASCore64.exe\debugger Execution Options\FSHDLL64.exe\debugger Execution Options\virusutilities.exe\debugger Execution Options\nvcod.exe\debugger Execution Options\twssrv.exe\debugger Execution Options\EMLPROXY.EXE\debugger Execution Options\coreServiceShell.exe\debugger Execution Options\NS.exe\debugger Execution Options\mbamscheduler.exe\debugger Execution Options\fssm32.exe\debugger Execution Options\ClamWin.exe\debugger Execution Options\trigger.exe\debugger Execution Options\fsorsp.exe\debugger Execution Options\BullGuardUpdate.exe\debugger Execution Options\FortiTray.exe\debugger Execution Options\avpmapp.exe\debugger Execution Options\utsvc.exe\debugger Execution Options\mbamservice.exe\debugger Execution Options\FProtTray.exe\debugger Execution Options\escanmon.exe\debugger Page 3 Date: :36:39

4 Execution Options\nnf.exe\debugger Execution Options\K7TSMain.exe\debugger Execution Options\K7FWSrvc.exe\debugger Execution Options\acs.exe\debugger Execution Options\PtWatchDog.exe\debugger Execution Options\ONLINENT.EXE\debugger Execution Options\FilUp.exe\debugger Execution Options\FCDBlog.exe\debugger Execution Options\FSM32.EXE\debugger Execution Options\SDScan.exe\debugger Execution Options\FCHelper64.exe\debugger Execution Options\njeeves2.exe\debugger Execution Options\av_task.exe\debugger Execution Options\V3Medic.exe\debugger Execution Options\FPAVServer.exe\debugger Execution Options\CertReg.exe\debugger Execution Options\Bav.exe\debugger Execution Options\PSUAService.exe\debugger Execution Options\SBPIMSvc.exe\debugger Execution Options\FortiProxy.exe\debugger Execution Options\MCShieldRTM.exe\debugger Page 4 Date: :36:39

5 Execution Options\econceal.exe\debugger Execution Options\BullGuard.exe\debugger Execution Options\FilMsg.exe\debugger Execution Options\SUPERDelete.exe\debugger Execution Options\tshark.exe\debugger Execution Options\VIPREUI.exe\debugger Execution Options\nseupdatesvc.exe\debugger Execution Options\nwscmon.exe\debugger Execution Options\freshclam.exe\debugger Execution Options\nvcsvc.exe\debugger Execution Options\QUHLPSVC.EXE\debugger Execution Options\uiUpdateTray.exe\debugger Execution Options\procexp.exe\debugger Execution Options\OPSSVC.EXE\debugger Execution Options\cmdagent.exe\debugger Execution Options\BullGuardBhvScanner.exe\debugger Execution Options\BgScan.exe\debugger Execution Options\FortiSSLVPNdaemon.exe\debugger Execution Options\AdAwareTray.exe\debugger Execution Options\capinfos.exe\debugger Execution Options\Zanda.exe\debugger Page 5 Date: :36:39

6 Execution Options\dragon_updater.exe\debugger Execution Options\ScSecSvc.exe\debugger Execution Options\LittleHook.exe\debugger Execution Options\PtSvcHost.exe\debugger Execution Options\SCANNER.EXE\debugger Execution Options\BavTray.exe\debugger Execution Options\FSMA32.EXE\debugger Execution Options\FortiClient_Diagnostic_Tool.exe\debugger Execution Options\MpCmdRun.exe\debugger Execution Options\nvoy.exe\debugger Execution Options\UnThreat.exe\debugger Execution Options\K7SysMon.Exe\debugger Execution Options\NisSrv.exe\debugger Execution Options\Zlh.exe\debugger Execution Options\cis.exe\debugger Execution Options\AVK.exe\debugger Execution Options\UserReg.exe\debugger Execution Options\TRAYICOS.EXE\debugger Execution Options\SBAMTray.exe\debugger Execution Options\MpUXSrv.exe\debugger Execution Options\GDKBFltExe32.exe\debugger Page 6 Date: :36:39

7 Execution Options\AVKService.exe\debugger Execution Options\filwscc.exe\debugger Execution Options\ClamTray.exe\debugger Execution Options\FortiFW.exe\debugger Execution Options\V3Proxy.exe\debugger Execution Options\uiWatchDog.exe\debugger Execution Options\MsMpEng.exe\debugger Execution Options\nprosec.exe\debugger Execution Options\AVKWCtlx64.exe\debugger Execution Options\twsscan.exe\debugger Execution Options\freshclamwrap.exe\debugger Execution Options\MCShieldCCC.exe\debugger Execution Options\mergecap.exe\debugger Execution Options\fshoster32.exe\debugger Execution Options\TRAYSSER.EXE\debugger Execution Options\iptray.exe\debugger Execution Options\CONSCTLX.EXE\debugger Execution Options\V3Up.exe\debugger Execution Options\op_mon.exe\debugger Execution Options\SUPERAntiSpyware.exe\debugger Execution Options\VIEWTCP.EXE\debugger Page 7 Date: :36:39

8 Execution Options\FortiESNAC.exe\debugger Execution Options\K7TSecurity.exe\debugger Execution Options\K7TSMngr.exe\debugger Execution Options\escanpro.exe\debugger Execution Options\fmon.exe\debugger Execution Options\GDSC.exe\debugger Execution Options\schmgr.exe\debugger Execution Options\MWAGENT.EXE\debugger Execution Options\K7CrvSvc.exe\debugger Execution Options\PtSessionAgent.exe\debugger Execution Options\fcappdb.exe\debugger Execution Options\text2pcap.exe\debugger Execution Options\editcap.exe\debugger Execution Options\SBAMSvc.exe\debugger Execution Options\SSUpdate64.exe\debugger Execution Options\SDWelcome.exe\debugger Execution Options\nanosvc.exe\debugger Execution Options\AdAwareDesktop.exe\debugger Execution Options\ConfigSecurityPolicy.exe\debugger Execution Options\BavWebClient.exe\debugger Execution Options\BavUpdater.exe\debugger Page 8 Date: :36:39

9 Execution Options\uiWinMgr.exe\debugger Execution Options\psview.exe\debugger Execution Options\BDSSVC.EXE\debugger Execution Options\BavSvc.exe\debugger Execution Options\quamgr.exe\debugger Execution Options\nfservice.exe\debugger Execution Options\V3Main.exe\debugger Execution Options\PSANHost.exe\debugger Execution Options\uiSeAgnt.exe\debugger Execution Options\mbam.exe\debugger Execution Options\dumpcap.exe\debugger Execution Options\zlhh.exe\debugger Execution Options\econser.exe\debugger Execution Options\BullGuarScanner.exe\debugger Execution Options\AdAwareService.exe\debugger Execution Options\AgentSvc.exe\debugger Execution Options\SASTask.exe\debugger Execution Options\coreFrameworkHost.exe\debugger Execution Options\wireshark.exe\debugger Execution Options\rawshark.exe\debugger Execution Options\MCS-Uninstall.exe\debugger Page 9 Date: :36:39

10 Execution Options\cavwp.exe\debugger Execution Options\nanoav.exe\debugger Execution Options\bavhm.exe\debugger Execution Options\nbrowser.exe\debugger Execution Options\PSUAMain.exe\debugger Execution Options\FPWin.exe\debugger Execution Options\guardxservice.exe\debugger Execution Options\FortiClient.exe\debugger A process created a hidden window - Process: java.exe -> "C:\Program Files (x86)\java\jre1.8.0_74\bin\java.exe" -jar C:\Users\Seven01\AppData\Local\Temp\_ class - Process: java.exe -> cmd.exe /C cscript.exe C:\Users\Seven01\AppData\Local\Temp\Retrive vbs - Process: java.exe -> cmd.exe /C cscript.exe C:\Users\Seven01\AppData\Local\Temp\Retrive vbs - Process: java.exe -> cmd.exe - Process: java.exe -> reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WDVvVoXJRza /t REG_EXPAND_SZ /d "\"C:\Users\Seven01\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Seven01\oUsZTWQEGIh\gOKhHhQlZaP.kJXFFD\"" /f - Process: java.exe -> attrib +h "C:\Users\Seven01\oUsZTWQEGIh\*.*" - Process: java.exe -> attrib +h "C:\Users\Seven01\oUsZTWQEGIh" - Process: java.exe -> C:\Users\Seven01\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Seven01\oUsZTWQEGIh\gOKhHhQlZaP.kJXFFD - Process: java.exe -> cmd.exe /C cscript.exe C:\Users\Seven01\AppData\Local\Temp\Retrive vbs - Process: java.exe -> cmd.exe /C cscript.exe C:\Users\Seven01\AppData\Local\Temp\Retrive vbs - Process: java.exe -> xcopy "C:\Program Files (x86)\java\jre1.8.0_74" "C:\Users\Seven01\AppData\Roaming\Oracle\" /e - Process: java.exe -> cmd.exe - Process: javaw.exe -> C:\Users\Seven01\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\Seven01\AppData\Local\Temp\_ class - Process: javaw.exe -> cmd.exe /C cscript.exe C:\Users\Seven01\AppData\Local\Temp\Retrive vbs - Process: javaw.exe -> cmd.exe /C cscript.exe C:\Users\Seven01\AppData\Local\Temp\Retrive vbs - Process: javaw.exe -> cmd.exe - Process: javaw.exe -> taskkill /IM ProcessHacker.exe /T /F - Process: javaw.exe -> cmd.exe /c regedit.exe /s C:\Users\Seven01\AppData\Local\Temp\rHYYVTtfJg reg - Process: javaw.exe -> taskkill /IM procexp.exe /T /F - Process: javaw.exe -> taskkill /IM MSASCui.exe /T /F - Process: javaw.exe -> taskkill /IM MsMpEng.exe /T /F Page 10 Date: :36:39

11 - Process: javaw.exe -> taskkill /IM MpUXSrv.exe /T /F - Process: javaw.exe -> taskkill /IM MpCmdRun.exe /T /F - Process: javaw.exe -> taskkill /IM NisSrv.exe /T /F - Process: javaw.exe -> taskkill /IM ConfigSecurityPolicy.exe /T /F - Process: javaw.exe -> taskkill /IM procexp.exe /T /F - Process: javaw.exe -> taskkill /IM wireshark.exe /T /F - Process: javaw.exe -> taskkill /IM tshark.exe /T /F - Process: javaw.exe -> taskkill /IM text2pcap.exe /T /F - Process: javaw.exe -> taskkill /IM rawshark.exe /T /F - Process: javaw.exe -> taskkill /IM mergecap.exe /T /F - Process: javaw.exe -> taskkill /IM editcap.exe /T /F - Process: javaw.exe -> taskkill /IM dumpcap.exe /T /F - Process: javaw.exe -> taskkill /IM capinfos.exe /T /F - Process: javaw.exe -> taskkill /IM mbam.exe /T /F - Process: javaw.exe -> taskkill /IM mbamscheduler.exe /T /F - Process: javaw.exe -> taskkill /IM mbamservice.exe /T /F - Process: javaw.exe -> taskkill /IM AdAwareService.exe /T /F - Process: javaw.exe -> taskkill /IM AdAwareTray.exe /T /F - Process: javaw.exe -> taskkill /IM WebCompanion.exe /T /F - Process: javaw.exe -> taskkill /IM AdAwareDesktop.exe /T /F - Process: javaw.exe -> taskkill /IM V3Main.exe /T /F - Process: javaw.exe -> taskkill /IM V3Svc.exe /T /F - Process: javaw.exe -> taskkill /IM V3Up.exe /T /F - Process: javaw.exe -> taskkill /IM V3SP.exe /T /F - Process: javaw.exe -> taskkill /IM V3Proxy.exe /T /F - Process: javaw.exe -> taskkill /IM V3Medic.exe /T /F - Process: javaw.exe -> taskkill /IM BgScan.exe /T /F - Process: javaw.exe -> taskkill /IM BullGuard.exe /T /F - Process: javaw.exe -> taskkill /IM BullGuardBhvScanner.exe /T /F - Process: javaw.exe -> taskkill /IM BullGuarScanner.exe /T /F - Process: javaw.exe -> taskkill /IM LittleHook.exe /T /F - Process: javaw.exe -> taskkill /IM BullGuardUpdate.exe /T /F - Process: javaw.exe -> taskkill /IM clamscan.exe /T /F - Process: javaw.exe -> taskkill /IM ClamTray.exe /T /F - Process: javaw.exe -> taskkill /IM ClamWin.exe /T /F - Process: javaw.exe -> taskkill /IM cis.exe /T /F - Process: javaw.exe -> taskkill /IM CisTray.exe /T /F - Process: javaw.exe -> taskkill /IM cmdagent.exe /T /F - Process: javaw.exe -> taskkill /IM cavwp.exe /T /F - Process: javaw.exe -> taskkill /IM dragon_updater.exe /T /F - Process: javaw.exe -> taskkill /IM MWAGENT.EXE /T /F - Process: javaw.exe -> taskkill /IM MWASER.EXE /T /F - Process: javaw.exe -> taskkill /IM CONSCTLX.EXE /T /F - Process: javaw.exe -> taskkill /IM avpmapp.exe /T /F - Process: javaw.exe -> taskkill /IM econceal.exe /T /F - Process: javaw.exe -> taskkill /IM escanmon.exe /T /F - Process: java.exe -> cmd.exe /C cscript.exe C:\Users\Seven01\AppData\Local\Temp\Retrive vbs - Process: java.exe -> cmd.exe /C cscript.exe C:\Users\Seven01\AppData\Local\Temp\Retrive vbs - Process: java.exe -> cmd.exe Reads data out of its own binary image - self_read: process: cscript.exe, pid: 2968, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 2968, offset: 0x000000e8, length: 0x self_read: process: cscript.exe, pid: 2968, offset: 0x000001e0, length: 0x self_read: process: cscript.exe, pid: 2968, offset: 0x00015e00, length: 0x self_read: process: cscript.exe, pid: 2968, offset: 0x00015e58, length: 0x self_read: process: cscript.exe, pid: 2968, offset: 0x00015f50, length: 0x self_read: process: cscript.exe, pid: 2968, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 2968, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 2328, offset: 0x , length: 0x Page 11 Date: :36:39

12 - self_read: process: cscript.exe, pid: 2328, offset: 0x000000e8, length: 0x self_read: process: cscript.exe, pid: 2328, offset: 0x000001e0, length: 0x self_read: process: cscript.exe, pid: 2328, offset: 0x00015e00, length: 0x self_read: process: cscript.exe, pid: 2328, offset: 0x00015e58, length: 0x self_read: process: cscript.exe, pid: 2328, offset: 0x00015f50, length: 0x self_read: process: cscript.exe, pid: 2328, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 2328, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 1216, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 1216, offset: 0x000000e8, length: 0x self_read: process: cscript.exe, pid: 1216, offset: 0x000001e0, length: 0x self_read: process: cscript.exe, pid: 1216, offset: 0x00015e00, length: 0x self_read: process: cscript.exe, pid: 1216, offset: 0x00015e58, length: 0x self_read: process: cscript.exe, pid: 1216, offset: 0x00015f50, length: 0x self_read: process: cscript.exe, pid: 1216, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 1216, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 3000, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 3000, offset: 0x000000e8, length: 0x self_read: process: cscript.exe, pid: 3000, offset: 0x000001e0, length: 0x self_read: process: cscript.exe, pid: 3000, offset: 0x00015e00, length: 0x self_read: process: cscript.exe, pid: 3000, offset: 0x00015e58, length: 0x self_read: process: cscript.exe, pid: 3000, offset: 0x00015f50, length: 0x self_read: process: cscript.exe, pid: 3000, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 3000, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 676, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 676, offset: 0x000000e8, length: 0x self_read: process: cscript.exe, pid: 676, offset: 0x000001e0, length: 0x self_read: process: cscript.exe, pid: 676, offset: 0x00015e00, length: 0x self_read: process: cscript.exe, pid: 676, offset: 0x00015e58, length: 0x self_read: process: cscript.exe, pid: 676, offset: 0x00015f50, length: 0x self_read: process: cscript.exe, pid: 676, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 676, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 2844, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 2844, offset: 0x000000e8, length: 0x self_read: process: cscript.exe, pid: 2844, offset: 0x000001e0, length: 0x self_read: process: cscript.exe, pid: 2844, offset: 0x00015e00, length: 0x self_read: process: cscript.exe, pid: 2844, offset: 0x00015e58, length: 0x self_read: process: cscript.exe, pid: 2844, offset: 0x00015f50, length: 0x self_read: process: cscript.exe, pid: 2844, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 2844, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 572, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 572, offset: 0x000000e8, length: 0x self_read: process: cscript.exe, pid: 572, offset: 0x000001e0, length: 0x self_read: process: cscript.exe, pid: 572, offset: 0x00015e00, length: 0x self_read: process: cscript.exe, pid: 572, offset: 0x00015e58, length: 0x self_read: process: cscript.exe, pid: 572, offset: 0x00015f50, length: 0x self_read: process: cscript.exe, pid: 572, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 572, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 2104, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 2104, offset: 0x000000e8, length: 0x self_read: process: cscript.exe, pid: 2104, offset: 0x000001e0, length: 0x self_read: process: cscript.exe, pid: 2104, offset: 0x00015e00, length: 0x self_read: process: cscript.exe, pid: 2104, offset: 0x00015e58, length: 0x self_read: process: cscript.exe, pid: 2104, offset: 0x00015f50, length: 0x self_read: process: cscript.exe, pid: 2104, offset: 0x , length: 0x self_read: process: cscript.exe, pid: 2104, offset: 0x , length: 0x Attempts to connect to a dead IP:Port (95 unique times) \x08\xef\xbf\xb6z\x16\xef\xbf\x8c\xef\xbf\xb5z\x160\xef\xbf\x81\xef\xbe\xa5\x17:0 \xef\xbf\xb8\xef\xbf\xb3\xef\xbe\x8f\x18\xef\xbe\xbc\xef\xbf\xb3\xef\xbe\x8f\x188kk\x17:0 h\xef\xbf\xb6\xef\xbe\x8f\x18,\xef\xbf\xb6\xef\xbe\x8f\x188kk\x17:0 \xef\xbe\xb8\xef\xbf\xad\xef\xbf\xae\x17 \xef\xbf\xad\xef\xbf\xae\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x Page 12 Date: :36:39

13 \xef\xbf\xb8\xef\xbf\xb1\xef\xbe\x8d\x18\xef\xbe\xbc\xef\xbf\xb1\xef\xbe\x8d\x188kk\x17:0 \xef\xbf\xa8\xef\xbf\xb1\xef\xbf\x84\x17\xef\xbe\xac\xef\xbf\xb1\xef\xbf\x84\x170\xef\xbf\x81\xef\xbe\x a5\x17:0 8\xef\xbf\xb2\xef\xbf\x84\x17\xef\xbf\xbc\xef\xbf\xb1\xef\xbf\x84\x170\xef\xbf\x81\xef\xbe\xa5\x17:0 (\xef\xbf\xae\xef\xbe\x8a\x17\xef\xbf\xac\xef\xbf\xad\xef\xbe\x8a\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x \xef\xbf\x98\xef\xbf\xad\xef\xbf\x8b\x17\xef\xbe\x9c\xef\xbf\xad\xef\xbf\x8b\x170\xef\xbf\x81\xef\xbe\x a5\x17:0 \xef\xbe\x98\xef\xbf\xb1\xef\xbe\xb3\x17\\xef\xbf\xb1\xef\xbe\xb3\x170\xef\xbf\x81\xef\xbe\xa5\x17:0 x\xef\xbf\xb7z\x17<\xef\xbf\xb7z\x178kk\x17:0 \xef\xbe\x88\xef\xbf\xb3\xef\xbf\x85\x17l\xef\xbf\xb3\xef\xbf\x85\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x \xef\xbe\xa8\xef\xbf\xb0\xef\xbf\x85\x17l\xef\xbf\xb0\xef\xbf\x85\x170\xef\xbf\x81\xef\xbe\xa5\x17:0 \xef\xbe\xb8\xef\xbf\xb5\xef\xbf\xa4\x17 \xef\xbf\xb5\xef\xbf\xa4\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x H\xef\xbf\xb4\xef\xbe\xb5\x17\x0c\xef\xbf\xb4\xef\xbe\xb5\x170\xef\xbf\x81\xef\xbe\xa5\x17:0 \x18\xef\xbf\xb4\xef\xbf\x97\x17\xef\xbf\x9c\xef\xbf\xb3\xef\xbf\x97\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xb e\x \xef\xbe\x98\xef\xbf\xb4\xef\xbe\x98\x18\\xef\xbf\xb4\xef\xbe\x98\x188kk\x17:0 (\xef\xbf\xb4\xef\xbf\x8c\x17\xef\xbf\xac\xef\xbf\xb3\xef\xbf\x8c\x170\xef\xbf\x81\xef\xbe\xa5\x17:0 H\xef\xbf\xb1\xef\xbe\xb2\x17\x0c\xef\xbf\xb1\xef\xbe\xb2\x170\xef\xbf\x81\xef\xbe\xa5\x17:0 \x08\xef\xbf\xb2\xef\xbf\xb1\x17\xef\xbf\x8c\xef\xbf\xb1\xef\xbf\xb1\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xb e\x 8\xef\xbf\xb0\xef\xbe\x9f\x16\xef\xbf\xbc\xef\xbf\xaf\xef\xbe\x9f\x160\xef\xbf\x81\xef\xbe\xa5\x17:0 X\xef\xbf\xb5\xef\xbf\x9f\x17\x1c\xef\xbf\xb5\xef\xbf\x9f\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x 8\xef\xbf\xb2\xef\xbf\x96\x17\xef\xbf\xbc\xef\xbf\xb1\xef\xbf\x96\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x (\xef\xbf\xb6\xef\xbf\xad\x17\xef\xbf\xac\xef\xbf\xb5\xef\xbf\xad\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\xb 1\x17:0 \x08\xef\xbf\xb1\xef\xbf\x81\x17\xef\xbf\x8c\xef\xbf\xb0\xef\xbf\x81\x170\xef\xbf\x81\xef\xbe\xa5\x17: 0 x\xef\xbf\xb2g\x18<\xef\xbf\xb2g\x188kk\x17:0 \x08\xef\xbf\xb6\xef\xbf\xa1\x17\xef\xbf\x8c\xef\xbf\xb5\xef\xbf\xa1\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xb e\x 8\xef\xbf\xb2\xef\xbf\xb2\x17\xef\xbf\xbc\xef\xbf\xb1\xef\xbf\xb2\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x \xef\xbf\x88\xef\xbf\xafz\x17\xef\xbe\x8c\xef\xbf\xafz\x178kk\x17:0 \x08\xef\xbf\xaf\xef\xbe\xa0\x18\xef\xbf\x8c\xef\xbf\xae\xef\xbe\xa0\x188kk\x17:0 x\xef\xbf\xb7\xef\xbf\xac\x17<\xef\xbf\xb7\xef\xbf\xac\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x \xef\xbf\x88\xef\xbf\xb1{\x16\xef\xbe\x8c\xef\xbf\xb1{\x160\xef\xbf\x81\xef\xbe\xa5\x17:0 \xef\xbf\xa8\xef\xbf\xb3\xef\xbe\x9f\x18\xef\xbe\xac\xef\xbf\xb3\xef\xbe\x9f\x188kk\x17:0 h\xef\xbf\xb5\xef\xbf\x9f\x17,\xef\xbf\xb5\xef\xbf\x9f\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x Page 13 Date: :36:39

14 \xef\xbe\x88\xef\xbf\xb5\xef\xbf\xa9\x16l\xef\xbf\xb5\xef\xbf\xa9\x16\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x \xef\xbe\x98\xef\xbf\xb2\x7f\x18\\xef\xbf\xb2\x7f\x188kk\x17:0 \x18\xef\xbf\xb3\xef\xbf\xa7\x17\xef\xbf\x9c\xef\xbf\xb2\xef\xbf\xa7\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xb e\x \x08\xef\xbf\xb7\xef\xbf\x81\x17\xef\xbf\x8c\xef\xbf\xb6\xef\xbf\x81\x170\xef\xbf\x81\xef\xbe\xa5\x17: 0 \xef\xbf\x88\xef\xbf\xb5\xef\xbe\x94\x18\xef\xbe\x8c\xef\xbf\xb5\xef\xbe\x94\x188kk\x17:0 \xef\xbf\x88\xef\xbf\xb0\xef\xbf\xa6\x17\xef\xbe\x8c\xef\xbf\xb0\xef\xbf\xa6\x17\xef\xbe\xa0\xef\xbf\xa f\xef\xbe\x \xef\xbf\x98\xef\xbf\xb39\x17\xef\xbe\x9c\xef\xbf\xb39\x178kk\x17:0 \x18\xef\xbf\xb1\xef\xbf\x9d\x17\xef\xbf\x9c\xef\xbf\xb0\xef\xbf\x9d\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xb e\x \xef\xbf\xa8\xef\xbf\xb5\xef\xbf\xaa\x16\xef\xbe\xac\xef\xbf\xb5\xef\xbf\xaa\x16\xef\xbe\xa0\xef\xbf\xa f\xef\xbe\x \xef\xbe\x88\xef\xbf\xb5[\x17l\xef\xbf\xb5[\x178kk\x17:0 x\xef\xbf\xb2\xef\xbf\x82\x17<\xef\xbf\xb2\xef\xbf\x82\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x x\xef\xbf\xb2\xef\xbe\xa0\x18<\xef\xbf\xb2\xef\xbe\xa0\x188kk\x17:0 \xef\xbf\xa8\xef\xbf\xb1\xef\xbe\x8c\x17\xef\xbe\xac\xef\xbf\xb1\xef\xbe\x8c\x17\xef\xbe\xa0\xef\xbf\x af\xef\xbe\x \xef\xbe\xb8\xef\xbf\xb5\xef\xbe\xb3\x17 \xef\xbf\xb5\xef\xbe\xb3\x170\xef\xbf\x81\xef\xbe\xa5\x17:0 \xef\xbf\xb8\xef\xbf\xb58\x17\xef\xbe\xbc\xef\xbf\xb58\x178kk\x17:0 \xef\xbf\xa8\xef\xbf\xb5\xef\xbf\x9e\x17\xef\xbe\xac\xef\xbf\xb5\xef\xbf\x9e\x17\xef\xbe\xa0\xef\xbf\xa f\xef\xbe\x X\xef\xbf\xb4\xef\xbe\x8c\x18\x1c\xef\xbf\xb4\xef\xbe\x8c\x188kk\x17:0 H\xef\xbf\xb3\xef\xbe\xb0\x17\x0c\xef\xbf\xb3\xef\xbe\xb0\x170\xef\xbf\x81\xef\xbe\xa5\x17:0 \xef\xbe\xb8\xef\xbf\xb4\xef\xbe\x92\x18 \xef\xbf\xb4\xef\xbe\x92\x188kk\x17:0 \xef\xbe\xa8\xef\xbf\xb5\xef\xbf\x81\x17l\xef\xbf\xb5\xef\xbf\x81\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x X\xef\xbf\xb6\xef\xbf\xa0\x17\x1c\xef\xbf\xb6\xef\xbf\xa0\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\xb1\x17: 0 \xef\xbf\x98\xef\xbf\xb0\xef\xbf\x91\x17\xef\xbe\x9c\xef\xbf\xb0\xef\xbf\x91\x17\xef\xbe\xa0\xef\xbf\xa f\xef\xbe\x (\xef\xbf\xaf\xef\xbf\xa1\x17\xef\xbf\xac\xef\xbf\xae\xef\xbf\xa1\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\xb 1\x17:0 \xef\xbf\xa8\xef\xbf\xb4\xef\xbe\xb1\x17\xef\xbe\xac\xef\xbf\xb4\xef\xbe\xb1\x170\xef\xbf\x81\xef\xbe\ xa5\x17:0 8\xef\xbf\xb2\xef\xbf\x84\x17\xef\xbf\xbc\xef\xbf\xb1\xef\xbf\x84\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x (\xef\xbf\xaf\xef\xbe\x96\x18\xef\xbf\xac\xef\xbf\xae\xef\xbe\x96\x188kk\x17:0 \xef\xbf\xa8\xef\xbf\xb6\xef\xbe\xb3\x17\xef\xbe\xac\xef\xbf\xb6\xef\xbe\xb3\x170\xef\xbf\x81\xef\xbe\ xa5\x17:0 \x18\xef\xbf\xb38\x17\xef\xbf\x9c\xef\xbf\xb28\x178kk\x17:0 h\xef\xbf\xaf\xef\xbf\xa9\x17,\xef\xbf\xaf\xef\xbf\xa9\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x Page 14 Date: :36:39

15 \xef\xbf\xa8\xef\xbf\xb2\xef\xbf\x87\x16\xef\xbe\xac\xef\xbf\xb2\xef\xbf\x87\x16\xef\xbe\xa0\xef\xbf\xa f\xef\xbe\x x\xef\xbf\xb3\xef\xbf\xae\x17<\xef\xbf\xb3\xef\xbf\xae\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x \x18\xef\xbf\xb3\xef\xbf\x9d\x17\xef\xbf\x9c\xef\xbf\xb2\xef\xbf\x9d\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xb e\x \xef\xbf\x98\xef\xbf\xb1\xef\xbe\xb2\x17\xef\xbe\x9c\xef\xbf\xb1\xef\xbe\xb2\x170\xef\xbf\x81\xef\xbe\ xa5\x17:0 \xef\xbe\x98\xef\xbf\xb2\xef\xbf\xa4\x16\\xef\xbf\xb2\xef\xbf\xa4\x160\xef\xbf\x81\xef\xbe\xa5\x17:0 h\xef\xbf\xb3\xef\xbe\x8b\x18,\xef\xbf\xb3\xef\xbe\x8b\x188kk\x17:0 \x18\xef\xbf\xb1\xef\xbf\xb8\x16\xef\xbf\x9c\xef\xbf\xb0\xef\xbf\xb8\x160\xef\xbf\x81\xef\xbe\xa5\x17: 0 \xef\xbe\x98\xef\xbf\xb5\xef\xbf\x84\x16\\xef\xbf\xb5\xef\xbf\x84\x16\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x \xef\xbf\xa8\xef\xbf\xb6\xef\xbf\x90\x17\xef\xbe\xac\xef\xbf\xb6\xef\xbf\x90\x170\xef\xbf\x81\xef\xbe\x a5\x17:0 \x18\xef\xbf\xb1\xef\xbf\x90\x17\xef\xbf\x9c\xef\xbf\xb0\xef\xbf\x90\x170\xef\xbf\x81\xef\xbe\xa5\x17: 0 h\xef\xbf\xb2\xef\xbe\x8c\x18,\xef\xbf\xb2\xef\xbe\x8c\x188kk\x17:0 (\xef\xbf\xb3\xef\xbf\x82\x17\xef\xbf\xac\xef\xbf\xb2\xef\xbf\x82\x170\xef\xbf\x81\xef\xbe\xa5\x17:0 \x18\xef\xbf\xb5\xef\xbe\x96\x18\xef\xbf\x9c\xef\xbf\xb4\xef\xbe\x96\x188kk\x17:0 \xef\xbe\x98\xef\xbf\xb4\xef\xbe\xb2\x17\\xef\xbf\xb4\xef\xbe\xb2\x170\xef\xbf\x81\xef\xbe\xa5\x17:0 \xef\xbf\x98\xef\xbf\xb1\xef\xbf\x9f\x17\xef\xbe\x9c\xef\xbf\xb1\xef\xbf\x9f\x17\xef\xbe\xa0\xef\xbf\xaf\ xef\xbe\x x\xef\xbf\xb2\xef\xbf\x85\x16<\xef\xbf\xb2\xef\xbf\x85\x16\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x \xef\xbe\x98\xef\xbf\xb4\xef\xbe\x9a\x18\\xef\xbf\xb4\xef\xbe\x9a\x188kk\x17:0 \xef\xbe\xa8\xef\xbf\xb4\xef\xbf\xaa\x16l\xef\xbf\xb4\xef\xbf\xaa\x16\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x \xef\xbe\xa8\xef\xbf\xae\xef\xbf\x89\x17l\xef\xbf\xae\xef\xbf\x89\x170\xef\xbf\x81\xef\xbe\xa5\x17:0 X\xef\xbf\xb0\xef\xbe\x9f\x18\x1c\xef\xbf\xb0\xef\xbe\x9f\x188kk\x17:0 \x08\xef\xbf\xb0\xef\xbf\xaf\x17\xef\xbf\x8c\xef\xbf\xaf\xef\xbf\xaf\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\ x \xef\xbf\x88\xef\xbf\xb3\xef\xbe\x8b\x18\xef\xbe\x8c\xef\xbf\xb3\xef\xbe\x8b\x188kk\x17:0 X\xef\xbf\xb2\xef\xbf\x81\x17\x1c\xef\xbf\xb2\xef\xbf\x81\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\xb1\x17: 0 \xef\xbe\x88\xef\xbf\xaf\xef\xbf\xa7\x16l\xef\xbf\xaf\xef\xbf\xa7\x16\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\xb 1\x17:0 \xef\xbf\xa8\xef\xbf\xb2\xef\xbe\xb6\x03\xef\xbe\xac\xef\xbf\xb2\xef\xbe\xb6\x03\xef\xbe\xa0\xef\xbf\x af\xef\xbe\x 8\xef\xbf\xb5\xef\xbf\x8b\x17\xef\xbf\xbc\xef\xbf\xb4\xef\xbf\x8b\x170\xef\xbf\x81\xef\xbe\xa5\x17:0 \xef\xbe\x88\xef\xbf\xb5\xef\xbf\x86\x16l\xef\xbf\xb5\xef\xbf\x86\x16\xef\xbe\xa0\xef\xbf\xaf\xef\xbe\x H\xef\xbf\xb69\x17\x0c\xef\xbf\xb69\x178kk\x17:0 X\xef\xbf\xb5z\x16\x1c\xef\xbf\xb5z\x160\xef\xbf\x81\xef\xbe\xa5\x17:0 Page 15 Date: :36:39

16 \x08\xef\xbf\xb5\xef\xbf\xa4\x17\xef\xbf\x8c\xef\xbf\xb4\xef\xbf\xa4\x17\xef\xbe\xa0\xef\xbf\xaf\xef\xb e\x \xef\xbf\x88\xef\xbf\xb1\xef\xbf\xa7\x17\xef\xbe\x8c\xef\xbf\xb1\xef\xbf\xa7\x17\xef\xbe\xa0\xef\xbf\xa f\xef\xbe\x \xef\xbf\xb8\xef\xbf\xb3\xef\xbe\xab\x18\xef\xbe\xbc\xef\xbf\xb3\xef\xbe\xab\x188kk\x17:0 A process attempted to delay the analysis task. - Process: taskkill.exe tried to sleep 1560 seconds, actually delayed analysis time by 0 seconds - Process: cscript.exe tried to sleep 540 seconds, actually delayed analysis time by 0 seconds Detected script timer window indicative of sleep style evasion - Window: WSH-Timer Possible date expiration check, exits too soon after checking local time - process: java.exe, PID Host(s) detected IP Address Hostname Reverse DNS ns1648.ztomy.com. 1 Countr(y ies) detected Hosts Country 1 Turkey Page 16 Date: :36:39

Infosec Binary Analisys. dew.fgh

Infosec Binary Analisys. dew.fgh dew.fgh MalFamily: Malicious MalScore: 100 File type: File size: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive 344.03 KB (352285 bytes) Compile time: 2014-10-07