ID: Sample Name: filedata Cookbook: default.jbs Time: 03:13:04 Date: 23/01/2018 Version:


ID: 4347 Sample Name: filedata Cookbook: default.jbs Time: 03:13:04 Date: 23/01/2018 Version: 20.0.0

Table of Contents
Analysis Report
  Overview
    Information
    Detection
    Confidence
    Classification
  Signature Overview
    AV Detection
    System Summary
    Anti Debugging
    Malware Analysis System Evasion
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshot
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    File Icon
    Static PE Info
    Entrypoint Preview
    Data Directories
    Sections
    Resources
    Imports
    Exports
    Version Infos
    Possible Origin
  Network Behavior
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: loaddll32.exe PID: 310 Parent PID: 252
      File Activities
        File Written
    Analysis Process: PID: 3116 Parent PID: 310
    Analysis Process: PID: 3124 Parent PID: 310
    Analysis Process: PID: 3132 Parent PID: 310
    Analysis Process: PID: 3140 Parent PID: 310
    Analysis Process: PID: 3152 Parent PID: 310
    Analysis Process: PID: 3160 Parent PID: 310
    Analysis Process: PID: 316 Parent PID: 310
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2018

Analysis Report

Overview

Information
Joe Sandbox Version: 20.0.0
Analysis ID: 4347
Start time: 03:13:04
Joe Sandbox Product: CloudBasic
Start date: 23.01.2018
Overall analysis duration: 0h 1m 30s
Hypervisor based Inspection enabled:
Report type: light
Sample file name: filedata (renamed file extension from none to dll)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: MAL
Classification: mal4.windll@15/1@0/0
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments: Stop behavior analysis, all processes terminated
Warnings: Exclude process from analysis (whitelisted): dllhost.exe

Detection
Strategy   Score  Range  Reporting
Threshold  4      0-100  Report FP / FN

Confidence
Strategy   Score  Range  Further Analysis Required?
Threshold  5      0-5

Classification
(Classification chart; categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious / suspicious / clean)

Signature Overview

AV Detection:
  Antivirus detection for submitted file
System Summary:
  PE file contains a mix of data directories often seen in goodware
  Contains modern PE file flags such as dynamic base (ASLR) or NX
  PE file contains a debug data directory
  Binary contains paths to debug symbols
  PE file contains a valid data directory to section mapping
  Classification label
  PE file has an executable .text section and no other executable section
  Reads software policies
  Runs a DLL by calling functions
  Sample is known by Antivirus (Virustotal or Metascan)
  Spawns processes
  Sample file is different than original file name gathered from version info
Anti Debugging:
  Program does not show much activity (idle)
Malware Analysis System Evasion:
  Program does not show much activity (idle)

Behavior Graph
ID: 4347
Sample: filedata
Startdate: 23/01/2018
Architecture: WINDOWS
Score: 4
(Graph: loaddll32.exe, tagged with the signature "Antivirus detection for submitted file", started its child processes (3 shown, plus 4 other processes). Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, Is malicious)

Simulations

Behavior and APIs
Time      Type             Description
03:13:19  API Interceptor  7x Sleep call for process: loaddll32.exe modified from: 3000ms to: 100ms

Antivirus Detection

Initial Sample
Source        Detection  Cloud Link
filedata.dll  56%        virustotal

Dropped Files
No Antivirus matches

Domains
No Antivirus matches

Yara Overview
Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
Dropped Files: No context

Screenshot
(screenshot not reproduced in this extraction)

Startup
System is w7
loaddll32.exe (PID: 310 cmdline: loaddll32.exe 'C:\Users\user\Desktop\filedata.dll' MD5: D2792A55032CFE25F07DCD4BEC5F40F)
  (PID: 3116 cmdline: C:\Users\user\Desktop\filedata.dll,Identify_Apply MD5: C64901695E275CF2AD04B67A6CE2)
  (PID: 3124 cmdline: C:\Users\user\Desktop\filedata.dll,Identify_Check MD5: C64901695E275CF2AD04B67A6CE2)
  (PID: 3132 cmdline: C:\Users\user\Desktop\filedata.dll,Identify_Edit MD5: C64901695E275CF2AD04B67A6CE2)
  (PID: 3140 cmdline: C:\Users\user\Desktop\filedata.dll,Identify_Fini MD5: C64901695E275CF2AD04B67A6CE2)
  (PID: 3152 cmdline: C:\Users\user\Desktop\filedata.dll,Identify_Init MD5: C64901695E275CF2AD04B67A6CE2)
  (PID: 3160 cmdline: C:\Users\user\Desktop\filedata.dll,Identify_Item MD5: C64901695E275CF2AD04B67A6CE2)
  (PID: 316 cmdline: C:\Users\user\Desktop\filedata.dll,Identify_Read MD5: C64901695E275CF2AD04B67A6CE2)
cleanup

Created / dropped Files
unknown
File Type: ASCII text, with CRLF line terminators
Size (bytes): 760
Entropy (bit): 4.0135667791742
Encrypted:
MD5: 9AFAA449D5D165A5634903097DA4997
SHA1: 121B2030FA12FB50AD216A5E3021E0C76266EFC0
SHA-256: 596AADFA23C97BD424E75470D5010C294F9116BD01D47D5239FE4D2470DD56
SHA-512: 9060E2BE4C0C2F94F61E57ACC1101633F5BC9C50C3B51AF0C6EE0003A2C93D106B7CFECF52DE1CD9C250973419ABC9571F90F69DC0FCFA164F93612
unknown
Malicious:

Contacted Domains/Contacted IPs

Contacted Domains
No contacted domains info

Contacted IPs
No contacted IP infos

Static File Info
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (bit): 5.799936613359946
TrID:
  Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  Generic Win/DOS Executable (2004/3) 0.20%
  DOS Executable Generic (2002/1) 0.20%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: filedata.dll
File size: 33280
MD5: 1a0170635722127efd4f7564c2d210
SHA1: f13952f6cc56f9ce46076f40effc02def07976
SHA256: 652abb07c0b5d0962b647cf6f007c57339412b72a0e7553136f30f09b2
SHA512: 70b37ddda7b77add17730c4fcc426a451ad92fd157a57e9c95e71eabb3557507ac516407f464bda70f55feb7d3db596a03fcacf4b1f904b93d29cf25
File Content Preview: MZ...@...!..L.!This program cannot be run in DOS mode...$...i=.y.\.*.\.*.\.*...*.\.*.$.*.\.*.$.*.\.*.$.*.\.**..*.\.*.$.*.\.*.\.*s\.*.$.*.\.*.$.*.\.*...*.\.*.$.*.\.*Rich.\.*...

File Icon
(icon not reproduced in this extraction)

Static PE Info
Entrypoint: 0x10004d79
Entrypoint Section: .text
Digitally signed:
Imagebase: 0x10000000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x591D1059 [Thu May 18 03:09:13 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0

Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 30290ca042662fc3cc3da27b44452ab

Entrypoint Preview
Instruction
  mov edi, edi
  push ebp
  mov ebp, esp
  cmp dword ptr [ebp+0ch], 01h
  jne 00007FEB552ACAC7h
  call 00007FEB552ACF16h
  push dword ptr [ebp+0h]
  mov ecx, dword ptr [ebp+10h]
  mov edx, dword ptr [ebp+0ch]
  call 00007FEB552AC991h
  pop ecx
  pop ebp
  retn 000Ch
  mov edi, edi
  push ebp
  mov ebp, esp
  sub esp, 0000032h
  mov dword ptr [100025h], eax
  mov dword ptr [1000254h], ecx
  mov dword ptr [1000250h], edx
  mov dword ptr [100024Ch], ebx
  mov dword ptr [100024h], esi
  mov dword ptr [1000244h], edi
  mov word ptr [1000270h], ss
  mov word ptr [1000264h], cs
  mov word ptr [1000240h], ds
  mov word ptr [100023Ch], es
  mov word ptr [100023h], fs
  mov word ptr [1000234h], gs
  pushfd
  pop dword ptr [100026h]
  mov eax, dword ptr [ebp+00h]
  mov dword ptr [100025Ch], eax
  mov eax, dword ptr [ebp+04h]
  mov dword ptr [1000260h], eax
  lea eax, dword ptr [ebp+0h]
  mov dword ptr [100026Ch], eax
  mov eax, dword ptr [ebp-00000320h]
  mov dword ptr [10001Ah], 00010001h
  mov eax, dword ptr [1000260h]
  mov dword ptr [100015Ch], eax
  mov dword ptr [1000150h], C0000409h

Data Directories
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x7d10           0xdf          .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x71ac           0xc           .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x9000           0x654         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa000           0x5b          .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x6170           0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x6b00           0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x6000           0x154         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x46b8        0x4800    False     0.51133975694    data       6.123319971    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x6000           0x1def        0x1e00    False     0.332291666667   data       4.46407671     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x8000           0x5c4         0x200     False     0.400390625      data       3.24393669701  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc   0x9000           0x654         0x800     False     0.36572265625    data       4.2643716709   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xa000           0xde6         0xe00     False     0.364955357143   data       3.5379793349   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources
Name         RVA     Size   Type                                      Language  Country
RT_VERSION   0x90a0  0x35c  data                                      Chinese   China
RT_MANIFEST  0x93fc  0x256  ASCII text, with CRLF line terminators    English   United States

Imports
DLL           Import
LIBEAY32.dll
ADVAPI32.dll  CryptGenRandom, RegCloseKey, RegOpenKeyExA, CryptAcquireContextA, RegCreateKeyExA, CryptReleaseContext, RegQueryValueExA, RegSetValueExA
MSVCP90.dll   ??4?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV01@ABV01@@Z, ??0?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@std@@qae@abv01@@z, ??0?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@std@@qae@xz, ??0?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@std@@qae@pbd@z, ??$?mdu?$char_traits@d@std@@v?$allocator@d@1@@std@@ya_nabv?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@0@0@z, ?compare@?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@std@@qbehpbd@z, ?compare@?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@std@@qbehabv12@@z, ??4?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@std@@qaeaav01@pbd@z, ?end@?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@std@@qae?av?$_string_iterator@du?$char_traits@d@std@@v?$allocator@d@2@@2@xz, ?begin@?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@std@@qae?av?$_string_iterator@du?$char_traits@d@std@@v?$allocator@d@2@@2@xz, ?clear@?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@std@@qaexxz, ?append@?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@std@@qaeaav12@pbd@z, ?append@?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@std@@qaeaav12@abv12@@z, ??1?$basic_string@du?$char_traits@d@std@@v?$allocator@d@2@@std@@qae@xz
MSVCR90.dll   _unlock, dllonexit, _encode_pointer, _lock, _onexit, _decode_pointer, _malloc_crt, free, _encoded_null, _initterm, _initterm_e, _amsg_exit, _adjust_fdiv, CppXcptFilter, _crt_debugger_hook, _except_handler4_common, ?terminate@@yaxxz, ?_type_info_dtor_internal_method@type_info@@qaexxz, clean_type_info_names_internal, CxxFrameHandler3, memset, memcpy, ??2@yapaxi@z, ??3@yaxpax@z, _invalid_parameter_noinfo, strncpy, ??0exception@std@@QAE@ABV01@@Z, ??0exception@std@@QAE@XZ, ??1exception@std@@UAE@XZ, sprintf, toer, _CxxThrowException
WS2_32.dll    ntohs, htons
KERNEL32.dll  DisableThreadLibraryCalls, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, InterlockedCompareExchange, Sleep, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, InterlockedExchange

Exports
Name            Ordinal  Address
Identify_Apply  1        0x10001090
Identify_Check  2        0x100010b0
Identify_Edit   3        0x10001140
Identify_Fini   4        0x1000100
Identify_Init   5        0x10001070
Identify_Item   6        0x100010e0
Identify_Read   7        0x10001160

Version Infos
Description       Data
LegalCopyright    Copyright (C) 2017 HIKVISION
InternalName
FileVersion       1.0.0.0.3333 build2017051
CompanyName       HIKVISION
ProductName       Identify Dynamic Link Library
ProductVersion    1.0.0.0.3333 build2017051
FileDescription   Identify Dynamic Link Library
OriginalFilename  Identify.dll
Translation       0x0804 0x04b0

Possible Origin
Language of compilation system  Country where language is spoken  Map
Chinese                         China
English                         United States

Network Behavior
No network behavior found

Code Manipulations

Statistics

Behavior
loaddll32.exe

System Behavior

Analysis Process: loaddll32.exe PID: 310 Parent PID: 252
Start time: 03:13:16
Start date: 23/01/2018
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):
Commandline: loaddll32.exe 'C:\Users\user\Desktop\filedata.dll'
Imagebase: 0x774a0000
File size: 112640 bytes
MD5 hash: D2792A55032CFE25F07DCD4BEC5F40F
Programmed in:

File Activities

File Written
File Path: unknown
Offset: unknown
Length: 760
Value: 46 6f 75 6e 64 3a 20 31 34 20 65 7 70 6f 72 74 73 2c 20 63 61 6c 6c 69 6e 67 0d 0a 43 61 6c 6c 20 65 7 70 6f 72 74 73 20 37 0d 0a 53 75 63 63 65 73 73 66 75 6c 6c 79 20 63 61 6c 6c 65 64 20 63 6d 64 20 6c 69 6e 65 20 72 75 6e 64 6c 6c 33 32 2e 65 7 65 20 43 3a 5c 55 73 65 72 73 5c 4 65 72 62 20 42 6c 61 63 6b 62 75 72 6e 5c 44 65 73 6b 74 6f 70 5c 66 69 6c 65 64 61 74 61 2e 64 6c 6c 2c 49 64 65 6e 74 69 66 79 5f 41 70 70 6c 79 0d 0a 53 75 63 63 65 73 73 66 75 6c 6c 79 20 63 61 6c 6c 65 64 20 63 6d 64 20 6c 69 6e 65 20 72 75 6e 64 6c 6c 33 32 2e 65 7 65 20 43 3a 5c 55 73 65 72 73 5c 4 65 72 62 20 42 6c 61 63 6b 62 75 72 6e 5c 44 65 73 6b 74 6f 70 5c 66 69 6c 65 64 61 74 61 2e 64 6c 6c 2c 49 64 65 6e 74 69 66 79 5f 43 6 65 63 6b 0d 0a 53 75 63 63 65
Ascii: Found: 14 exports, calling..call exports 7..Successfully called cmd line C:\Users\user\desktop\filedata.dll,Identify_Apply..Successfully called cmd line C:\Users\user\Desktop\filedata.dll,identify_check..succe
Completion: success or wait
Count: 1
Source Address: E4A7D2
Symbol: WriteFile

Analysis Process: PID: 3116 Parent PID: 310
Start time: 03:13:18
Start date: 23/01/2018
Path: C:\Windows\System32\
Wow64 process (32bit):
Commandline: C:\Users\user\Desktop\filedata.dll,Identify_Apply
Imagebase: 0x75a90000
File size: 45056 bytes
MD5 hash: C64901695E275CF2AD04B67A6CE2
Programmed in:

Analysis Process: PID: 3124 Parent PID: 310
Start time: 03:13:19
Start date: 23/01/2018
Path: C:\Windows\System32\
Wow64 process (32bit):
Commandline: C:\Users\user\Desktop\filedata.dll,Identify_Check
Imagebase: 0x75a90000
File size: 45056 bytes
MD5 hash: C64901695E275CF2AD04B67A6CE2
Programmed in:

Analysis Process: PID: 3132 Parent PID: 310
Start time: 03:13:19
Start date: 23/01/2018
Path: C:\Windows\System32\
Wow64 process (32bit):
Commandline: C:\Users\user\Desktop\filedata.dll,Identify_Edit
Imagebase: 0x75a90000
File size: 45056 bytes
MD5 hash: C64901695E275CF2AD04B67A6CE2
Programmed in:

Analysis Process: PID: 3140 Parent PID: 310
Start time: 03:13:20
Start date: 23/01/2018
Path: C:\Windows\System32\
Wow64 process (32bit):
Commandline: C:\Users\user\Desktop\filedata.dll,Identify_Fini
Imagebase: 0x774a0000
File size: 45056 bytes
MD5 hash: C64901695E275CF2AD04B67A6CE2
Programmed in:

Analysis Process: PID: 3152 Parent PID: 310
Start time: 03:13:20
Start date: 23/01/2018
Path: C:\Windows\System32\
Wow64 process (32bit):
Commandline: C:\Users\user\Desktop\filedata.dll,Identify_Init
Imagebase: 0x75a90000
File size: 45056 bytes
MD5 hash: C64901695E275CF2AD04B67A6CE2
Programmed in:

Analysis Process: PID: 3160 Parent PID: 310
Start time: 03:13:20
Start date: 23/01/2018
Path: C:\Windows\System32\
Wow64 process (32bit):
Commandline: C:\Users\user\Desktop\filedata.dll,Identify_Item
Imagebase: 0x774a0000
File size: 45056 bytes
MD5 hash: C64901695E275CF2AD04B67A6CE2
Programmed in:

Analysis Process: PID: 316 Parent PID: 310
Start time: 03:13:20
Start date: 23/01/2018
Path: C:\Windows\System32\
Wow64 process (32bit):
Commandline: C:\Users\user\Desktop\filedata.dll,Identify_Read
Imagebase: 0x75a90000
File size: 45056 bytes
MD5 hash: C64901695E275CF2AD04B67A6CE2
Programmed in:

Disassembly

Code Analysis