Summary. Verdict: Malware CLASSIFICATION DETECTION SECTION HIGH LEVEL BEHAVIOR DISTRIBUTION ACTIVITY OVERVIEW

Transcription

1 Page 1 Summary File Name: TealWake.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows SHA1: 5274ebb1b444f f39b c36b0 MD5: 3d677e8f6bf82f7fd0a432cd9be89fc1 MALWARE Valkyrie Final Verdict DETECTION SECTION CLASSIFICATION Backdoor(4.37%) Ransomware(0.00%) Bot(5.26%) Worm(0.31%) Trojan Password Stealer(36.86%) 38% 31% 23% 15% 8% Exploit(0.00%) Pua(0.43%) Severity: High Verdict: Malware Rootkit(0.00%) Spyware(0.00%) Trojan Generic(4.60%) Trojan Downloader(3.03%) Remote Trojan Access Dropper(38.49%) Trojan(0.00%) Virus(6.43%) Rogue(0.23%) HIGH LEVEL BEHAVIOR DISTRIBUTION 20.0% 6.6% 65.9% Hooking (8) Network (32) Process (448) Misc (12) System (1979) Crypto (14) Threading (22) Synchronization (32) Services (4) Windows (26) File System (658) Device (100) Com (41) Registry (6531) ACTIVITY OVERVIEW Persistence and Installation Behavior 3 (23.08%) Networking 2 (15.38%) Hooking and other Techniques for Hiding Protection 2 (15.38%) Malware Analysis System Evasion 2 (15.38%) Packer 1 (7.69%) Stealing of Sensitive Information 1 (7.69%) Static Anomaly 1 (7.69%) Data Obfuscation 1 (7.69%)

2 Page 2 Activity Details NETWORKING HTTP traffic contains suspicious features which may be indicative of malware related traffic Show sources Performs some HTTP requests Show sources PACKER The binary likely contains encrypted or compressed data. Show sources STEALING OF SENSITIVE INFORMATION Harvests information related to installed mail clients Show sources STATIC ANOMALY Anomalous binary characteristics Show sources HOOKING AND OTHER TECHNIQUES FOR HIDING PROTECTION Creates RWX memory Executed a process and injected code into it, probably while unpacking Show sources DATA OBFUSCATION Drops a binary and executes it Show sources PERSISTENCE AND INSTALLATION BEHAVIOR Deletes its original binary from disk Installs itself for autorun at Windows startup Show sources Creates a copy of itself Show sources

3 Page 3 MALWARE ANALYSIS SYSTEM EVASION Possible date expiration check, exits too soon after checking local time Show sources Attempts to repeatedly call a single API many times in order to delay analysis time Show sources

4 Page 4 Behavior Graph 10:21:44 10:22:17 10:22:50 PID :21:44 Create Process The malicious file created a child process as 5274ebb1b444f f39b c36b0.exe (PPID 2192) 10:21:44 GetSystemTime 10:21:44 VirtualProtectEx 10:21:44 Create Process 10:21:44 NtResumeThread PID :21:45 Create Process The malicious file created a child process as 5274ebb1b444f f39b c36b0.exe (PPID 1744) 10:21:49 MoveFileWithProgressW 10:21:53 Create Process PID :21:54 Create Process The malicious file created a child process as ParamsCreatean.exe (PPID 2772) 10:21:55 GetSystemTime 10:21:55 Create Process PID :21:56 Create Process The malicious file created a child process as ParamsCreatean.exe (PPID 3016) 10:22:25 NtTerminateProcess PID :22:26 Create Process The malicious file created a child process as exe (PPID 1600) 10:22:28 GetSystemTime 10:22:30 Create Process PID :22:34 Create Process The malicious file created a child process as exe (PPID 2984) 10:22:43 Create Process PID :22:46 Create Process The malicious file created a child process as ParamsCreatean.exe (PPID 2568) 10:22:48 GetSystemTime 10:22:49 Create Process PID :22:50 Create Process The malicious file created a child process as ParamsCreatean.exe (PPID 1960)

5 Page 5 Behavior Summary ACCESSED FILES C:\Users\user\AppData\Local\Temp\apfHQ C:\ C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChappPortrait.lnk C:\Users\user\AppData\Local\Temp C:\Users\user\AppData\Local\Temp\F34E.tmp C:\Users\user\AppData\Roaming\ChappPortrait\ChappPortrait.exe C:\Users\user\AppData\Local\Temp\FC0A.tmp C:\Users\ C:\Users\user\ C:\Users\user\AppData\ C:\Users\user\AppData\Local\ C:\Users\user\AppData\Local\ParamsCreatean\ \Device\KsecDD C:\Windows\SysWOW64\shell32.dll C:\Users\user\AppData\Local\ParamsCreatean\ParamsCreatean.exe C:\Users C:\Users\user\AppData\Local\Microsoft\Windows\Caches C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x a.db C:\Users\desktop.ini C:\Users\user C:\Users\user\AppData C:\Users\user\AppData\Local C:\Users\user\AppData\Local\ParamsCreatean C:\Users\user\AppData\Local\Temp\5274ebb1b444f f39b c36b0.exe C:\Windows\SysWOW64\propsys.dll C:\Windows\sysnative\propsys.dll C:\Users\user\AppData\Local\Temp\ \??\MountPointManager C:\Users\user\Desktop\desktop.ini C:\Users\user\Searches C:\Users\user\Searches\desktop.ini

6 Page 6 C:\Users\user\Videos C:\Users\user\Videos\desktop.ini C:\Users\user\Pictures C:\Users\user\Pictures\desktop.ini C:\Users\user\Desktop C:\Users\user\Contacts C:\Users\user\Contacts\desktop.ini C:\Users\user\Favorites C:\Users\user\Favorites\desktop.ini C:\Users\user\Music C:\Users\user\Music\desktop.ini C:\Users\user\Downloads C:\Users\user\Downloads\desktop.ini C:\Users\user\Documents C:\Users\user\Documents\desktop.ini C:\Users\user\Links C:\Users\user\Links\desktop.ini C:\Users\user\Saved Games C:\Users\user\Saved Games\desktop.ini C:\Windows\System32\shdocvw.dll C:\Windows\AppPatch\sysmain.sdb C:\Windows\System32\ C:\Windows\SysWOW64\shdocvw.dll C:\Windows C:\Windows\System32 C:\Windows\System32\*.* \??\PIPE\srvsvc C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ParamsCreatean.lnk C:\Users\user\AppData\Local\Temp\1DC9.tmp C:\Program Files (x86)\microsoft Office\Office12\OLMAPI32.DLL C:\ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk C:\ProgramData\Microsoft\Network\Connections\Pbk\*.pbk C:\Windows\System32\ras\*.pbk C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk C:\Users\user\AppData\Roaming\Microsoft\Network\Connections\Pbk\*.pbk

7 Page 7 C:\Users\user\AppData\Local\Temp\ exe C:\Users\user\AppData\Local\Temp\8EB4.tmp C:\Users\user\AppData\Local\Temp\976F.tmp C:\Users\user\AppData\Local\Temp\BD26.tmp READ REGISTRY KEYS HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\Attributes HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\CallForAttributes HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\RestrictedAttributes HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\WantsFORDISPLAY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\HideFolderVerbs HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\UseDropHandler HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\WantsFORPARSING HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\WantsParseDisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\QueryForOverlay HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\MapNetDriveVerbs HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\QueryForInfoTip HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\HideInWebView HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\HideOnDesktopPerUser HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\WantsAliasedNotifications HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\WantsUniversalDelegate HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\NoFileFolderJunction HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\PinToNameSpaceTree HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\HasNavigationEnum

8 Page 8 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D B30309D} HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2400a2c5-ccb0-11e5-b7bd-806e6f6e6963}\Data HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2400a2c5-ccb0-11e5-b7bd- 806e6f6e6963}\Generation HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut

9 Page 9 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers\.exe\(Default) HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ F9B9-11D1-A F81FEDEE}\DisableProcessIsolation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ F9B9-11D1-A F81FEDEE}\NoOplock HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ F9B9-11D1-A F81FEDEE}\UseInProcHandlerCache HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ F9B9-11D1-A F81FEDEE}\UseOutOfProcHandlerCache HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject HKEY_CURRENT_USER\Software\Classes\Folder\DocObject HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace MODIFIED FILES C:\Users\user\AppData\Local\Temp\F34E.tmp C:\Users\user\AppData\Local\ParamsCreatean\ParamsCreatean.exe \??\PIPE\srvsvc C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ParamsCreatean.lnk C:\Users\user\AppData\Local\Temp\1DC9.tmp C:\Users\user\AppData\Local\Temp\ exe C:\Users\user\AppData\Local\Temp\8EB4.tmp C:\Users\user\AppData\Local\Temp\BD26.tmp RESOLVED APIS kernel32.dll.flsalloc kernel32.dll.flsgetvalue kernel32.dll.flssetvalue kernel32.dll.flsfree kernel32.dll.virtualprotect kernel32.dll.globalalloc user32.dll.messageboxa kernel32.dll.winexec kernel32.dll.createfilea kernel32.dll.writefile kernel32.dll.closehandle

10 Page 10 kernel32.dll.createprocessa kernel32.dll.getthreadcontext kernel32.dll.virtualalloc kernel32.dll.virtualallocex kernel32.dll.virtualfree kernel32.dll.readprocessmemory kernel32.dll.writeprocessmemory kernel32.dll.setthreadcontext kernel32.dll.resumethread kernel32.dll.waitforsingleobject kernel32.dll.getmodulefilenamea kernel32.dll.getcommandlinea ntdll.dll.ntunmapviewofsection ntdll.dll.ntwritevirtualmemory user32.dll.registerclassexa user32.dll.createwindowexa user32.dll.postmessagea user32.dll.getmessagea user32.dll.defwindowproca kernel32.dll.getfileattributesa uxtheme.dll.themeinitapihook user32.dll.isprocessdpiaware dwmapi.dll.dwmiscompositionenabled kernel32.dll.initializecriticalsectionex kernel32.dll.createeventexw kernel32.dll.createsemaphoreexw kernel32.dll.setthreadstackguarantee kernel32.dll.createthreadpooltimer kernel32.dll.setthreadpooltimer kernel32.dll.waitforthreadpooltimercallbacks kernel32.dll.closethreadpooltimer kernel32.dll.createthreadpoolwait kernel32.dll.setthreadpoolwait kernel32.dll.closethreadpoolwait

11 Page 11 kernel32.dll.flushprocesswritebuffers kernel32.dll.freelibrarywhencallbackreturns kernel32.dll.getcurrentprocessornumber kernel32.dll.getlogicalprocessorinformation kernel32.dll.createsymboliclinkw kernel32.dll.enumsystemlocalesex kernel32.dll.comparestringex kernel32.dll.getdateformatex kernel32.dll.getlocaleinfoex kernel32.dll.gettimeformatex kernel32.dll.getuserdefaultlocalename kernel32.dll.isvalidlocalename kernel32.dll.lcmapstringex kernel32.dll.gettickcount64 oleaut32.dll.#200 ole32.dll.coinitializeex cryptbase.dll.systemfunction036 comctl32.dll.#385 comctl32.dll.#320 comctl32.dll.#324 comctl32.dll.#323 ole32.dll.createbindctx ole32.dll.cotaskmemalloc ole32.dll.cogetapartmenttype ole32.dll.coregisterinitializespy ole32.dll.cotaskmemfree comctl32.dll.#236 oleaut32.dll.#6 ole32.dll.cogetmalloc comctl32.dll.#328 comctl32.dll.#334 DELETED FILES C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChappPortrait.lnk C:\Users\user\AppData\Roaming\ChappPortrait\ChappPortrait.exe

12 Page 12 C:\Users\user\AppData\Local\Temp\5274ebb1b444f f39b c36b0.exe C:\Users\user\AppData\Local\Temp\ exe REGISTRY KEYS HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NoFileFolderConnection HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\5274ebb1b444f f39b c36b0.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\Attributes HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\CallForAttributes HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\RestrictedAttributes HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\WantsFORDISPLAY HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\HideFolderVerbs HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\UseDropHandler HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\WantsFORPARSING HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\WantsParseDisplayName HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\QueryForOverlay HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\MapNetDriveVerbs HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\QueryForInfoTip

13 Page 13 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\HideInWebView HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\HideOnDesktopPerUser HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\WantsAliasedNotifications HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\WantsUniversalDelegate HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\NoFileFolderJunction HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\PinToNameSpaceTree HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder\HasNavigationEnum HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D B30309D}\ShellFolder HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D B30309D} HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2400a2c5-ccb0-11e5-b7bd-806e6f6e6963}\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2400a2c5-ccb0-11e5-b7bd-806e6f6e6963}\Data HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{2400a2c5-ccb0-11e5-b7bd- 806e6f6e6963}\Generation HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip

14 Page 14 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay HKEY_CLASSES_ROOT\.exe EXECUTED COMMANDS "C:\Users\user\AppData\Local\Temp\5274ebb1b444f f39b c36b0.exe" C:\Users\user\AppData\Local\ParamsCreatean\ParamsCreatean.exe -U C:\Users\user\AppData\Local\Temp\ exe "C:\Users\user\AppData\Local\Temp\ exe" C:\Users\user\AppData\Local\ParamsCreatean\ParamsCreatean.exe -U READ FILES C:\Users\user\AppData\Local\Temp\F34E.tmp C:\Users\user\AppData\Local\Temp\FC0A.tmp \Device\KsecDD C:\Windows\SysWOW64\shell32.dll C:\ C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x a.db C:\Users\desktop.ini C:\Users C:\Users\user C:\Users\user\AppData C:\Users\user\AppData\Local C:\Users\user\AppData\Local\Temp C:\Users\user\AppData\Local\ParamsCreatean C:\Users\user\Desktop\desktop.ini C:\Users\user\Searches\desktop.ini

15 Page 15 C:\Users\user\Videos\desktop.ini C:\Users\user\Pictures\desktop.ini C:\Users\user\Contacts\desktop.ini C:\Users\user\Favorites\desktop.ini C:\Users\user\Music\desktop.ini C:\Users\user\Downloads\desktop.ini C:\Users\user\Documents\desktop.ini C:\Users\user\Links\desktop.ini C:\Users\user\Saved Games\desktop.ini C:\Windows\System32\shdocvw.dll C:\Windows\AppPatch\sysmain.sdb C:\Windows\System32\ \??\PIPE\srvsvc C:\Users\user\AppData\Local\ParamsCreatean\ParamsCreatean.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ParamsCreatean.lnk C:\Users\user\AppData\Local\Temp\1DC9.tmp C:\Program Files (x86)\microsoft Office\Office12\OLMAPI32.DLL C:\Users\user\AppData\Local\Temp\8EB4.tmp C:\Users\user\AppData\Local\Temp\976F.tmp C:\Users\user\AppData\Local\Temp\BD26.tmp MODIFIED REGISTRY KEYS HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2D0CA A8A2D5F46E6B}\WpadDecisionReason HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2D0CA A8A2D5F46E6B}\WpadDecisionTime HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2D0CA A8A2D5F46E6B}\WpadDecision HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2D0CA A8A2D5F46E6B}\WpadNetworkName HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a \WpadDecisionReason HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a \WpadDecisionTime HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a \WpadDecision HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork

16 Page 16 Network Behavior CONTACTED IPS NETWORK PORT DISTRIBUTION 9.1% 9.1% 9.1% 36.4% 443 (TCP) 36.36% 3702 (UDP) 9.09% 5355 (UDP) 36.36% 138 (UDP) 9.09% 137 (UDP) 9.09% 36.4% Name IP Country ASN ASN Name Trigger Process Type Germany Not known Malware Process HTTP PACKETS Host Port Method Version User Agent Count Call Time During Execution(Sec) : GET 1.1 Mozilla/5.0 (compatible; MSIE Path: / URI: : GET 1.1 Mozilla/5.0 (compatible; MSIE Path: / URI: TCP PACKETS Call Time During Execution(sec) Source IP Dest IP Dest Port Sandbox Sandbox

17 Page 17 UDP PACKETS Call Time During Execution(sec) Source IP Dest IP Dest Port Sandbox Sandbox Sandbox Sandbox Sandbox Sandbox Sandbox

18 Page 18 DETAILED FILE INFO CREATED / DROPPED FILES FILE PATH C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start up\paramscreatean.lnk C:\Users\User\AppData\Local\ParamsCreatean\ParamsCreatean.Exe TYPE AND HASHES Type : MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=mon May 8 04:22: , mtime=mon May 8 04:22: , atime=mon May 8 04:22: , length=187904, window=hide MD5 : 2720a3f95b162c81b8d2ff0ef SHA-1 : 2fd1bccedb208995f2de4adb21bc5ed125aadd30 SHA-256 : d1ca0214a c46adb36fd073a8788fee SHA-512 : b55a059c676c3ace74024aa379b0f88c7ddf04fefb Size : Kilobytes. Type : PE32 executable (GUI) Intel 80386, for MS Windows MD5 : 3d677e8f6bf82f7fd0a432cd9be89fc1 SHA-1 : 5274ebb1b444f f39b c36b0 SHA-256 : 61f4a7f1abd ca49369c91d69872ff38cc9 SHA-512 : 039de052793da15095d439f4188a17ff188f734a9 Size : Kilobytes. MATCH YARA RULES MATCH RULES STATIC FILE INFO File Name: File Type: SHA1: MD5: TealWake.exe PE32 executable (GUI) Intel 80386, for MS Windows 5274ebb1b444f f39b c36b0 3d677e8f6bf82f7fd0a432cd9be89fc1 First Seen Date: :37: ( about a year ago ) Number Of Clients Seen: 2 Last Analysis Date: :37: ( about a year ago ) Human Expert Analysis Date: :20: ( about a year ago ) Human Expert Analysis Result: Malware

19 Page 19 DETAILED FILE INFO ADDITIONAL FILE INFORMATION PE Headers PROPERTY VALUE Number Of Sections 4 Compilation Time Stamp Entry Point Machine Type 0x590E56B9 [Sat May 6 23:05: UTC] 0x (.text) Intel 386 or later - 32Bit File Size Sha256 Mime Type 61f4a7f1abd ca49369c91d69872ff38cc95a7de7e0df58c43b4fb193 application/x-dosexec PE Sections NAME VIRTUAL ADDRESS VIRTUAL SIZE RAW SIZE ENTROPY MD5.text 0x1000 0x8db4 0x8e rdata 0xa000 0x2008 0x data 0xd000 0x32dc 0x rsrc 0x x218fa 0x21a [SUSPICIOUS] - PE Imports KERNEL32.dll GetProcAddress lstrlena GetSystemTime lstrcpya VirtualFree LocalCompact AddVectoredExceptionHandler LoadLibraryW RemoveVectoredExceptionHandler HeapAlloc GetCommandLineA GetStartupInfoA DeleteCriticalSection LeaveCriticalSection EnterCriticalSection HeapFree VirtualAlloc HeapReAlloc HeapCreate GetModuleHandleW Sleep ExitProcess WriteFile GetStdHandle GetModuleFileNameA TerminateProcess GetCurrentProcess UnhandledExceptionFilter SetUnhandledExceptionFilter IsDebuggerPresent

20 Page 20 FreeEnvironmentStringsA GetEnvironmentStrings FreeEnvironmentStringsW WideCharToMultiByte GetLastError GetEnvironmentStringsW SetHandleCount GetFileType TlsGetValue TlsAlloc TlsSetValue TlsFree InterlockedIncrement SetLastError GetCurrentThreadId InterlockedDecrement QueryPerformanceCounter GetTickCount GetCurrentProcessId GetSystemTimeAsFileTime InitializeCriticalSectionAndSpinCount RtlUnwind LoadLibraryA SetFilePointer GetConsoleCP GetConsoleMode GetCPInfo GetACP GetOEMCP IsValidCodePage HeapSize GetLocaleInfoA SetStdHandle WriteConsoleA GetConsoleOutputCP WriteConsoleW MultiByteToWideChar LCMapStringA LCMapStringW GetStringTypeA GetStringTypeW CreateFileA CloseHandle FlushFileBuffers GDI32.dll GetGraphicsMode AddFontResourceExW GetSystemPaletteUse GetEnhMetaFileHeader PE Resources RT_BITMAP RT_ICON RT_STRING RT_GROUP_ICON CERTIFICATE VALIDATION - Certificate Validation is not Applicable SCREENSHOTS

21 Page 21

22 Page 22

23 Page 23