ID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:


ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version: 20.0.0

Table of Contents

  Table of Contents .......................................... 2
  Analysis Report ............................................ 4
  Overview ................................................... 4
  General Information ........................................ 4
  Detection .................................................. 4
  Confidence ................................................. 4
  Classification ............................................. 5
  Signature Overview ......................................... 5
  Networking ................................................. 6
  System Summary ............................................. 6
  Behavior Graph ............................................. 6
  Simulations ................................................ 7
  Behavior and APIs .......................................... 7
  Antivirus Detection ........................................ 7
  Initial Sample ............................................. 7
  Dropped Files .............................................. 7
  Domains .................................................... 7
  Yara Overview .............................................. 8
  Initial Sample ............................................. 8
  PCAP (Network Traffic) ..................................... 8
  Dropped Files .............................................. 8
  Memory Dumps ............................................... 8
  Unpacked PEs ............................................... 8
  Joe Sandbox View / Context ................................. 8
  IPs ........................................................ 8
  Domains .................................................... 8
  ASN ........................................................ 8
  Dropped Files .............................................. 8
  Screenshot ................................................. 8
  Startup .................................................... 9
  Created / dropped Files .................................... 9
  Contacted Domains/Contacted IPs ............................ 10
  Contacted Domains .......................................... 10
  Contacted IPs .............................................. 10
  Static File Info ........................................... 10
  No static file info ........................................ 10
  Network Behavior ........................................... 10
  Network Port Distribution .................................. 10
  TCP Packets ................................................ 11
  UDP Packets ................................................ 12
  DNS Queries ................................................ 12
  DNS Answers ................................................ 12
  HTTP Request Dependency Graph .............................. 12
  HTTP Packets ............................................... 12
  Code Manipulations ......................................... 13
  Statistics ................................................. 13
  System Behavior ............................................ 13
  Analysis Process: wget.exe PID: 3064 Parent PID: 640 ....... 13
  General .................................................... 13
  File Activities ............................................ 14
  Disassembly ................................................ 14
  Code Analysis .............................................. 14

Copyright Joe Security LLC 2018

Analysis Report

Overview

General Information
  Joe Sandbox Version: 20.0.0
  Analysis ID: 42417
  Start time: 23:23:00
  Joe Sandbox Product: CloudBasic
  Start date: 11.01.2018
  Overall analysis duration: 0h 1m 35s
  Hypervisor based Inspection enabled: false
  Report type: light
  Cookbook file name: urldownload.jbs
  Sample URL: http://xtrapath3.izatcloud.net/xtra3grc.bin
  Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java.0.1440.1)
  Number of analysed new started processes analysed: 4
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: HCA enabled, EGA enabled, HDC enabled
  Detection: CLEAN
  Classification: clean0.win@1/1@2/1
  HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
  EGA Information: Failed
  HDC Information: Failed
  Cookbook Comments: Stop behavior analysis, all processes terminated
  Warnings: Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe

Detection
  Strategy | Score | Range | Reporting
  Threshold | 0 | 0-100 | Report FP / FN

Confidence
  Strategy | Score | Range | Further Analysis Required?
  Threshold | 5 | 0-5 | false

Classification
  [Classification chart: axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale clean / suspicious / malicious]

Signature Overview

Networking:
  Downloads files from webservers via HTTP
  Performs DNS lookups
  Urls found in memory or binary data

System Summary:
  Classification label
  Creates files inside the user directory

Behavior Graph

  [Behavior graph, ID: 42417. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious.
   URL: http://xtrapath3.izatcloud.net/xtra3grc.bin; Startdate: 11/01/2018; Architecture: WINDOWS; Score: 0.
   Nodes: wget.exe (started) 1 -> xtrapath3.izatcloud.net, 52.222.250.127, 49165, 80, AMAZON-02-AmazoncomIncUS, United States]

Simulations

Behavior and APIs
  No simulations

Antivirus Detection

Initial Sample
  No Antivirus matches

Dropped Files
  No Antivirus matches

Domains
  Source | Detection | Cloud Link
  xtrapath3.izatcloud.net | 0% | virustotal, Browse

Yara Overview

Initial Sample
  No yara matches

PCAP (Network Traffic)
  No yara matches

Dropped Files
  No yara matches

Memory Dumps
  No yara matches

Unpacked PEs
  No yara matches

Joe Sandbox View / Context

IPs
  No context

Domains
  No context

ASN
  No context

Dropped Files
  No context

Screenshot
  [Screenshot image not reproduced in the transcription]

Startup
  System is w7
  wget.exe (PID: 3064 cmdline: wget -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://xtrapath3.izatcloud.net/xtra3grc.bin' MD5: 34C709455BFEFB9B0E976BAD13AF4)
  cleanup

Created / dropped Files

C:\Users\user\Desktop\download\xtra3grc.bin
  File Type: data
  Size (bytes): 31743
  Entropy (8bit): 7.504134443219
  Encrypted: false
  MD5: EB2D3EAFD270C233556AF4B03CADA21
  SHA1: E55AC03210C9566CD3693441CA47A723F2941B
  SHA-256: 6361070F4EBDC3CCA7B7FF47ED7E3254365F4F1C733E72E4D5A174C16221
  SHA-512: 91DFE0F40F659F7DB7036E963BF2307F6D5A916A02B666E947AD359A37A331C756F5E733EF46162CE91E9BAD6BA755AAEBC674C12D2A1A200B5DBACA4
  Malicious: false
  Reputation: low

Contacted Domains/Contacted IPs

Contacted Domains
  Name | IP | Active | Malicious | Antivirus Detection
  xtrapath3.izatcloud.net | 52.222.250.127 | true | false | 0%, virustotal, Browse

Contacted IPs
  IP | Country | ASN | ASN Name | Malicious
  52.222.250.127 | United States | 16509 | AMAZON-02-AmazoncomIncUS | false

Static File Info
  No static file info

Network Behavior

Network Port Distribution
  Total Packets: 22
  80 (HTTP)
  53 (DNS)

TCP Packets
  Timestamp | Source Port | Dest Port | Source IP | Dest IP
  Jan 11, 2018 23:23:42.406904936 CET | 6161 | 53 | 192.168.2.2 | 8.8.8.8
  Jan 11, 2018 23:23:43.40650100 CET | 6161 | 53 | 192.168.2.2 | 8.8.8.8
  Jan 11, 2018 23:23:43.422097921 CET | 53 | 6161 | 8.8.8.8 | 192.168.2.2
  Jan 11, 2018 23:23:43.430176973 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:23:43.43022101 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:23:43.430340052 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:23:43.4315 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:23:43.431617975 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:23:45.15510606 CET | 53 | 6161 | 8.8.8.8 | 192.168.2.2
  Jan 11, 2018 23:24:01.4472990 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:01.43530045 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:01.4356907 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.0639340 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.063956976 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.063966990 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.064121962 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:02.15236210 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.1523197 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.152390003 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.152640104 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:02.2552100 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.357906103 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.357933044 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.35129025 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:02.351409 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.564039946 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:02.564074993 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.60099291 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.601125002 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:02.601140976 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.6737014 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.674155951 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:02.6741404 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.73577594 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.73597902 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:02.736016035 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.7941999 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.796527 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:02.79677921 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.62462997 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.62663031 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:02.6264965 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.914906 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.914935112 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.915167093 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:02.9151949 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.96950411 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.969521046 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:02.969739914 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:02.96976047 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:03.027971029 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:03.02000116 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:03.02173923 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:03.02203964 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:03.235109091 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127
  Jan 11, 2018 23:24:03.235124111 CET | 80 | 49165 | 52.222.250.127 | 192.168.2.2
  Jan 11, 2018 23:24:03.260324001 CET | 49165 | 80 | 192.168.2.2 | 52.222.250.127

UDP Packets
  Timestamp | Source Port | Dest Port | Source IP | Dest IP
  Jan 11, 2018 23:23:42.406904936 CET | 6161 | 53 | 192.168.2.2 | 8.8.8.8
  Jan 11, 2018 23:23:43.40650100 CET | 6161 | 53 | 192.168.2.2 | 8.8.8.8
  Jan 11, 2018 23:23:43.422097921 CET | 53 | 6161 | 8.8.8.8 | 192.168.2.2
  Jan 11, 2018 23:23:45.15510606 CET | 53 | 6161 | 8.8.8.8 | 192.168.2.2

DNS Queries
  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
  Jan 11, 2018 23:23:42.406904936 CET | 192.168.2.2 | 8.8.8.8 | 0x1eda | Standard query (0) | xtrapath3.izatcloud.net | A (IP address) | IN (0x0001)
  Jan 11, 2018 23:23:43.40650100 CET | 192.168.2.2 | 8.8.8.8 | 0x1eda | Standard query (0) | xtrapath3.izatcloud.net | A (IP address) | IN (0x0001)

DNS Answers
  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
  Jan 11, 2018 23:23:43.422097921 CET | 8.8.8.8 | 192.168.2.2 | 0x1eda | No error (0) | xtrapath3.izatcloud.net | | 52.222.250.127 | A (IP address) | IN (0x0001)
  Jan 11, 2018 23:23:45.15510606 CET | 8.8.8.8 | 192.168.2.2 | 0x1eda | No error (0) | xtrapath3.izatcloud.net | | 52.222.250.127 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph
  xtrapath3.izatcloud.net

HTTP Packets
  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
  0 | 192.168.2.2 | 49165 | 52.222.250.127 | 80 | C:\Windows\System32\wget.exe

  Timestamp: Jan 11, 2018 23:23:43.4315 CET, kbytes transferred: 0, Direction: OUT
    HEAD /xtra3grc.bin HTTP/1.0
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
    Accept: */*
    Host: xtrapath3.izatcloud.net
    Connection: Keep-Alive

  Timestamp: Jan 11, 2018 23:24:01.4472990 CET, kbytes transferred: 1, Direction: IN
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Length: 31743
    Connection: keep-alive
    Date: Thu, 11 Jan 2018 21:53:15 GMT
    Last-Modified: Thu, 11 Jan 2018 21:43:09 GMT
    ETag: "eb2d3eafd270c233556af4b03cada21"
    Cache-Control: max-age=900
    x-amz-meta-source: WS0.YYZ
    Accept-Ranges: bytes
    Server: AmazonS3
    Age: 47
    X-Cache: Hit from cloudfront
    Via: 1.1 f1afacded5dbe063f3cfe6da61fdea64.cloudfront.net (CloudFront)
    X-Amz-Cf-Id: 6qgMBeoIxQLhZKglWex9AkiPry1gQr_xgedMDjMOqD2OUjXjmEAHIg==

  Timestamp: Jan 11, 2018 23:24:01.43530045 CET, kbytes transferred: 1, Direction: OUT
    GET /xtra3grc.bin HTTP/1.0
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
    Accept: */*
    Host: xtrapath3.izatcloud.net
    Connection: Keep-Alive

  Timestamp: Jan 11, 2018 23:24:02.0639340 CET, kbytes transferred: 3, Direction: IN
    HTTP/1.1 200 OK
    Content-Type: application/octet-stream
    Content-Length: 31743
    Connection: keep-alive
    Date: Thu, 11 Jan 2018 21:53:15 GMT
    Last-Modified: Thu, 11 Jan 2018 21:43:09 GMT
    ETag: "eb2d3eafd270c233556af4b03cada21"
    Cache-Control: max-age=900
    x-amz-meta-source: WS0.YYZ
    Accept-Ranges: bytes
    Server: AmazonS3
    Age: 47
    X-Cache: Hit from cloudfront
    Via: 1.1 f1afacded5dbe063f3cfe6da61fdea64.cloudfront.net (CloudFront)
    X-Amz-Cf-Id: JlwABkArkPbzYkf23zYmOK6GWE0rw6pmjASAWRC4FdyXveRLL_DFw==
    Data Raw: 01 32 07 05 00 17 03 6a a 9 06 00 50 56 bb 73 5 00 00 00 2d 00 00 34 fd 00 00 34 b 07 bf 19 42 4f bf 07 bf 19 1b 00 0 06 1c 01 0 01 03 00 47 2 4 c0 16 00 93 1f a2 1f a2 1f f5 ed 04 00 a2 1f a2 1f a2 1f f5 ed 04 00 04 00 a2 20 a2 20 a2 1f a2 1f f5 ed ba ba c2 54 06 06 0 12 0 09 0b 17 05 05 05 0a 03 03 04 16 0 09 0f 19 10 10 11 19 10 10 1d 1d 04 05 05 09 03 04 04 05 03 03 04 06 05 06 07 0 05 06 06 07 02 02 02 03 02 02 02 03 05 05 06 06 05 04 04 06 04 03 04 05 0a 64 1 11 09 02 02 02 00 01 a2 22 a2 1f f5 ed 00 0 a2 1f a2 1f a2 20 f5 ed 00 40 00 40 a2 1f a2 1f a2 1f a2 1f f5 ed ba bb c2 57 03 03 c2 1f 01 00 3b 45 90 12 11 fd 67 00 a1 0d 14 ff f6 02 cd 00 19 3f bc 00 5 15 e3 ff e 00 00 07 bf 02 00 90 7 90 04 60 fd 59 00 a1 0c ea ff f3 a2 fd ff b2 09 b4 00 6 a0 29 00 f0 ff fd 07 bf 03 00 09 9a 90 0b c7 fd 50 00 a1 0c 2a 00 20 7a 1e 00 16 e5 ec 00 2e d5 d7 ff f5 00 02 07 bf 05 00 2b 42 90 03 40 fd 42 00 a1 0c 0 00 1f a9 92 00 19 c1 4 ff d0 9a dd ff ee 00 00 07 bf 06 00 0 07 90 11 e5 fd 69 00 a1 0c 19 ff f5 ab e3 ff cb 97 57 00 63 c b4 01 b3 00 00 07 bf 07 00 5b 00 90 0b 9 fd 60 00 a1 0d 40 00 76 91 e6 ff 9 4f 00 00 3c f a1 01 0 ff ff 07 bf 0 00 1a 15 90 10 c fd 3f 00 a1 0 d 96 ff ca a5 c1 ff e7 bb d7 ff c3 bc 43 ff a4 00 00 07 bf 09 00 09 3 90 06 5 fd 4a 00 a1 0d 1f 00 4a a4 ca 00 46 77 79 ff bb cb cd 02 05 00 01 07 bf 0a 00 19 eb 90 0b db fd 51 00 a1 0c e0 00 20 55 2 ff b 37 42 00 06 71 63 00 99 00 02 07 bf 0b 00 9 5f 90 e6 d6 fd 27 00 a1 0d f ff e4 fb 7f 00 46 9c 1a 00 3c 17 37 fc ff 00 00 07 bf 0c 00 37 ab 90 1d b fd 4f 00 a1 0c ef ff a2 f1 9 00 25 22 41 00 24 e0 d1 01 75 ff ff 07 bf 0d 00 1e 55 90 10 e4 fd 59 00 a1 0c d6 00 4f ed fa 00 42 b0 c6 00 75 5f ec ff 9c 00 00 07 bf 0e 00 4b e 90 0c 03 fd 52 00 a1 0d 5f 00 4e 42 2d ff b0 59 72 ff a3 d 66 ff 9f 00 00 07 bf 0f 00 53 03 90 f6 97 fd 30 00 a1 0c da 00 47 e5 b2 00 1a de 4a ff e 7c 67 fe 9 00 00 07 bf 10 00 4f 3 90 1d d3 fd 4e 00 a1 0c 2f ff a3 b6 92 00 12 c ad ff d6 6a ca 00 24 00 00 07 bf 11 00 65 39 90 19 2 fd 50 00 a1 0d 9a ff cd 1f 1e ff b6 72 49 ff ae 1 23 ff 77 00 01 07 bf 12 00 96 5c 90 f5 9 fd 35 00 a1 0c a 00 1e 46 ab ff b 4a 16 ff ee ab f2 02 9 00 00 07 bf 13 00 4f b5 90 17 d6 fd 4e 00 a1 0d 33 ff cf 0c a2 00 2d 53 6b 00 29 07 10 fe 1a 00 01 07 bf 14 00 25 6a 90 f6 7e fd 35 00 a1 0d ab 00 1c 32 a0 00 47 fa 15 ff 3 53 70 02 0a 00 00 07 bf 15 00 c6 d 90 00 21 fd 52 00 a1 0d e3 ff f3 f4 33 ff be 79 26 00 12 cf 9d fe 30 00 01 07 bf 16 00 3a ec 90 f4 51 fd 2f 00 a1 0c 6a 00 1e 40 9e ff bd 94 12 ff 96 47 72 fe f4 ff fc 07 bf 17 00 61 77 90 00 d fd 40 00 a1 0c 67 00 4a a1 01 ff 9e 0 57 00 79 ee 32 ff 1a 00 00 07 bf 1 00 36 ac 90 00 75 fd 54 00 a1 0c e9 00 74 3b 3d 00 14 9 3c 00 62 e9 43 ff d1 00 00 07 bf 19 00 39 3 90 15 93 fd 46 00 a1 0d 3a ff a0 93 73 00 20 bc 1c 00 12 e 53 fd dd ff fe 07 bf 1a
    Data Ascii: 2jPVsX-44BOG Td" @@W;Eg?X`Yh)P* z.+b@bhiwc[`@vo<?cjjfwyq U(7Bqc_'F<77O%"A$uUY OBu_KR_NB-YrfS0GJ gon/j$e9pri#w\5fjon3-sk)%j~52gsp!r3y&0:q/j@graw@gjwy26utt;=<bc9f:s S

Code Manipulations

Statistics

System Behavior

Analysis Process: wget.exe PID: 3064 Parent PID: 640

General
  Start time: 23:23:1
  Start date: 11/01/2018
  Path: C:\Windows\System32\wget.exe
  Wow64 process (32bit): false
  Commandline: wget -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://xtrapath3.izatcloud.net/xtra3grc.bin'
  Imagebase: 0x755c0000
  File size: 2636 bytes
  MD5 hash: 34C709455BFEFB9B0E976BAD13AF4
  Programmed in: C, C++ or other language
  Reputation: low

File Activities
  File Path | Access | Attributes | Options | Completion | Count | Source | Address | Symbol
  File Path | Offset | Length | Value | Ascii | Completion | Count | Source | Address | Symbol

Disassembly

Code Analysis