ID: Cookbook: urldownload.jbs Time: 23:15:42 Date: 15/01/2018 Version:


ID: 42733 Cookbook: urldownload.jbs Time: 23:15:42 Date: 15/01/2018 Version: 20.0.0

Table of Contents

Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
  Signature Overview
    Networking
    System Summary
    HIPS / PFW / Operating System Protection Evasion
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshot
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    No static file info
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTPS Packets
  Code Manipulations
  Statistics
  System Behavior
    Analysis Process: wget.exe PID: 300 Parent PID: 512
      General
      File Activities
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2018 Page 2 of 14

Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 42733
Start time: 23:15:42
Joe Sandbox Product: CloudBasic
Start date: 15.01.2018
Overall analysis duration: 0h 1m 7s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: https://ie9cuking-of-web.net/64103350596736/1516042967561401/flashplayer.jse
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: CLEAN
Classification: clean0.win@1/0@2/1
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments: Unable to download file
Warnings: Exclude process from analysis (whitelisted): conhost.exe, dllhost.exe

Detection

Strategy: Threshold
Score: 0
Range: 0-100
Reporting: Report FP / FN

Confidence

Strategy: Threshold
Score: 4
Range: 0-5
Further Analysis Required?: false

Classification

[Classification chart; categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious / suspicious / clean]

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Signature Overview

Networking:
  Performs DNS lookups
  Urls found in memory or binary data
  Uses HTTPS

System Summary:
  Classification label

HIPS / PFW / Operating System Protection Evasion:
  Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Behavior Graph

[Behavior graph, ID: 42733. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious]
URL: https://ie9cuking-of-web.net/64103350596736/1516042967561...
Startdate: 15/01/2018
Architecture: WINDOWS
Score: 0
started: wget.exe
ie9cuking-of-web.net  209.126.113.204, 443, 49164  SERVER4YOU-server4youIncUS  United States

Simulations

Behavior and APIs
No simulations

Antivirus Detection

Initial Sample
No Antivirus matches

Dropped Files
No Antivirus matches

Domains
Source                Detection  Cloud Link
ie9cuking-of-web.net  2%         virustotal, Browse

Yara Overview

Initial Sample
No yara matches

PCAP (Network Traffic)
No yara matches

Dropped Files
No yara matches

Memory Dumps
No yara matches

Unpacked PEs
No yara matches

Joe Sandbox View / Context

IPs
No context

Domains
No context

ASN
No context

Dropped Files
No context

Screenshot

Startup

System is w7
wget.exe (PID: 300, cmdline: wget -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://ie9cuking-of-web.net/64103350596736/1516042967561401/flashplayer.jse', MD5: 34C709455BFEFB9B0E976BAD13AF4)
cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Contacted Domains
Name                  IP               Active  Malicious  Antivirus Detection
ie9cuking-of-web.net  209.126.113.204  true    false      2%, virustotal, Browse

Contacted IPs

[Legend: No. of IPs < 25% / 25% < No. of IPs < 50% / 50% < No. of IPs < 75% / 75% < No. of IPs]
IP               Country        Flag  ASN   ASN Name                    Malicious
209.126.113.204  United States        3003  SERVER4YOU-server4youIncUS  false

Static File Info

No static file info

Network Behavior

Network Port Distribution
Total Packets: 11
443 (HTTPS)
53 (DNS)

TCP Packets
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 15, 2018 23:16:22.294075966 CET  6161         53         192.16.2.2       ...
Jan 15, 2018 23:16:23.293977022 CET  6161         53         192.16.2.2       ...
Jan 15, 2018 23:16:23.565135002 CET  53           6161       ...              192.16.2.2
Jan 15, 2018 23:16:23.57269056 CET   49164        443        192.16.2.2       209.126.113.204
Jan 15, 2018 23:16:23.572736025 CET  443          49164      209.126.113.204  192.16.2.2
Jan 15, 2018 23:16:23.57255949 CET   49164        443        192.16.2.2       209.126.113.204
Jan 15, 2018 23:16:23.574232101 CET  49164        443        192.16.2.2       209.126.113.204
Jan 15, 2018 23:16:23.574259996 CET  443          49164      209.126.113.204  192.16.2.2
Jan 15, 2018 23:16:24.440459967 CET  53           6161       ...              192.16.2.2
Jan 15, 2018 23:16:24.663453102 CET  443          49164      209.126.113.204  192.16.2.2
Jan 15, 2018 23:16:24.66347094 CET   443          49164      209.126.113.204  192.16.2.2
Jan 15, 2018 23:16:24.663475990 CET  443          49164      209.126.113.204  192.16.2.2
Jan 15, 2018 23:16:24.663641930 CET  49164        443        192.16.2.2       209.126.113.204
Jan 15, 2018 23:16:24.6907999 CET    49164        443        192.16.2.2       209.126.113.204
Jan 15, 2018 23:16:24.6902693 CET    443          49164      209.126.113.204  192.16.2.2
Jan 15, 2018 23:16:25.279164076 CET  443          49164      209.126.113.204  192.16.2.2
Jan 15, 2018 23:16:25.2753033 CET    49164        443        192.16.2.2       209.126.113.204
Jan 15, 2018 23:16:25.2779020 CET    443          49164      209.126.113.204  192.16.2.2
Jan 15, 2018 23:16:25.910079956 CET  443          49164      209.126.113.204  192.16.2.2
Jan 15, 2018 23:16:25.913397074 CET  49164        443        192.16.2.2       209.126.113.204

UDP Packets
Timestamp                            Source Port  Dest Port  Source IP   Dest IP
Jan 15, 2018 23:16:22.294075966 CET  6161         53         192.16.2.2  ...
Jan 15, 2018 23:16:23.293977022 CET  6161         53         192.16.2.2  ...
Jan 15, 2018 23:16:23.565135002 CET  53           6161       ...         192.16.2.2
Jan 15, 2018 23:16:24.440459967 CET  53           6161       ...         192.16.2.2

DNS Queries
Timestamp                            Source IP   Dest IP  Trans ID  OP Code             Name                  Type            Class
Jan 15, 2018 23:16:22.294075966 CET  192.16.2.2  ...      0xacad    Standard query (0)  ie9cuking-of-web.net  A (IP address)  IN (0x0001)
Jan 15, 2018 23:16:23.293977022 CET  192.16.2.2  ...      0xacad    Standard query (0)  ie9cuking-of-web.net  A (IP address)  IN (0x0001)

DNS Answers
Timestamp                            Source IP  Dest IP     Trans ID  Reply Code    Name                  CName  Address          Type            Class
Jan 15, 2018 23:16:23.565135002 CET  ...        192.16.2.2  0xacad    No error (0)  ie9cuking-of-web.net  -      209.126.113.204  A (IP address)  IN (0x0001)
Jan 15, 2018 23:16:24.440459967 CET  ...        192.16.2.2  0xacad    No error (0)  ie9cuking-of-web.net  -      209.126.113.204  A (IP address)  IN (0x0001)

HTTPS Packets

Timestamp: Jan 15, 2018 23:16:24.66347094 CET
Source Port: 443
Dest Port: 49164
Source IP: 209.126.113.204
Dest IP: 192.16.2.2
Subject: CN=ie9cuking-of-web.net
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Not Before: Mon Jan 15 04:40:25 CET 2018
Not After: Sun Apr 15 05:40:25 CEST 2018
Raw (parsed fields; modulus, key identifiers, serial number and signature hex dump omitted):
  Version: V3
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key: RSA public key, 2048 bits, public exponent 65537
  Validity: From Mon Jan 15 04:40:25 CET 2018, To Sun Apr 15 05:40:25 CEST 2018
  Certificate Extensions:
    [1] AuthorityInfoAccess (1.3.6.1.5.5.7.1.1, Criticality=false): ocsp: http://ocsp.int-x3.letsencrypt.org; caissuers: http://cert.int-x3.letsencrypt.org/
    [2] AuthorityKeyIdentifier (2.5.29.35, Criticality=false)
    [3] BasicConstraints (2.5.29.19, Criticality=true): CA:false, PathLen: undefined
    [4] CertificatePolicies (2.5.29.32, Criticality=false): 2.23.140.1.2.1; 1.3.6.1.4.1.44947.1.1.1 with CPS http://cps.letsencrypt.org and user notice "This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/"
    [5] ExtendedKeyUsages (2.5.29.37, Criticality=false): serverauth, clientauth
    [6] KeyUsage (2.5.29.15, Criticality=true): DigitalSignature, Key_Encipherment
    [7] SubjectAlternativeName (2.5.29.17, Criticality=false): DNSName: ie9cuking-of-web.net
    [8] SubjectKeyIdentifier (2.5.29.14, Criticality=false)
  Algorithm: SHA256withRSA

Timestamp: Jan 15, 2018 23:16:24.66347094 CET
Source Port: 443
Dest Port: 49164
Source IP: 209.126.113.204
Dest IP: 192.16.2.2
Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Not Before: Thu Mar 17 17:40:46 CET 2016
Not After: Wed Mar 17 17:40:46 CET 2021
Raw (parsed fields; modulus, key identifiers, serial number and signature hex dump omitted):
  Version: V3
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key: RSA public key, 2048 bits, public exponent 65537
  Validity: From Thu Mar 17 17:40:46 CET 2016, To Wed Mar 17 17:40:46 CET 2021
  Certificate Extensions: 7
    [1] AuthorityInfoAccess (1.3.6.1.5.5.7.1.1, Criticality=false): ocsp: http://isrg.trustid.ocsp.identrust.com; caissuers: http://apps.identrust.com/roots/dstrootcax3.p7c
    [2] AuthorityKeyIdentifier (2.5.29.35, Criticality=false)
    [3] BasicConstraints (2.5.29.19, Criticality=true): CA:true, PathLen:0
    [4] CRLDistributionPoints (2.5.29.31, Criticality=false): http://crl.identrust.com/dstrootcax3crl.crl
    [5] CertificatePolicies (2.5.29.32, Criticality=false): 2.23.140.1.2.1; 1.3.6.1.4.1.44947.1.1.1 with CPS http://cps.root-x1.letsencrypt.org
    [6] KeyUsage (2.5.29.15, Criticality=true): DigitalSignature, Key_CertSign, Crl_Sign
    [7] SubjectKeyIdentifier (2.5.29.14, Criticality=false)
  Algorithm: SHA256withRSA

Code Manipulations

Statistics

System Behavior

Analysis Process: wget.exe PID: 300 Parent PID: 512

General

Start time: 23:16:16
Start date: 15/01/2018
Path: C:\Windows\System32\wget.exe
Wow64 process (32bit): false
Commandline: wget -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://ie9cuking-of-web.net/64103350596736/1516042967561401/flashplayer.jse'
Imagebase: 0x755c0000
File size: 2636 bytes
MD5 hash: 34C709455BFEFB9B0E976BAD13AF4
Programmed in: C, C++ or other language
Reputation: low

File Activities
File Path  Offset  Length  Value  Ascii  Completion  Count  Source  Address  Symbol

Disassembly

Code Analysis