ID: Cookbook: browseurl.jbs Time: 03:38:04 Date: 30/04/2018 Version:

Size: px

Start display at page:

Download "ID: Cookbook: browseurl.jbs Time: 03:38:04 Date: 30/04/2018 Version:"

Joel Shields
5 years ago
Views:

1 ID: Cookbook: browseurl.jbs Time: 03:38:04 Date: 30/04/2018 Version:

2 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature Overview Networking: System Summary: Hooking and other Techniques for Hiding and Protection: Behavior Graph Simulations Behavior and APIs Antivirus Detection Initial Sample Dropped Files Unpacked PE Files Domains Yara Overview Initial Sample PCAP (Network Traffic) Dropped Files Memory Dumps Unpacked PEs Joe Sandbox View / Context IPs Domains ASN Dropped Files Screenshots Startup Created / dropped Files Contacted Domains/Contacted IPs Contacted Domains Contacted IPs Static File Info No static file info Network Behavior Network Port Distribution TCP Packets UDP Packets DNS Queries DNS Answers HTTP Request Dependency Graph HTTP Packets HTTPS Packets Code Manipulations Statistics Behavior Table of Contents Copyright Joe Security LLC 2018 Page 2 of

3 System Behavior Analysis iexplore.exe PID: 3380 Parent PID: 548 General File Activities Registry Activities Analysis iexplore.exe PID: 3436 Parent PID: 3380 General File Activities Registry Activities Analysis ssvagent.exe PID: 3496 Parent PID: 3436 General Registry Activities Disassembly Code Analysis Copyright Joe Security LLC 2018 Page 3 of 40

4 Analysis Report Overview General Information Joe Sandbox Version: Analysis ID: Start time: 03:38:04 Joe Sandbox Product: CloudBasic Start date: Overall analysis duration: Hypervisor based Inspection enabled: Report type: Cookbook file name: Sample URL: 0h 5m 6s light browseurl.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java ) Number of analysed new started processes analysed: 5 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies Analysis stop reason: Detection: Classification: HCA enabled EGA enabled HDC enabled Timeout CLEAN clean1.win@5/39@6/3 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: HDC Information: Cookbook Comments: Warnings: Failed Failed Adjust boot time Correcting counters for adjusted boot time Show All Exclude process from analysis (whitelisted): dllhost.exe Execution Graph export aborted for target iexplore.exe, PID 3436 because there are no executed function Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Detection Strategy Score Range Reporting Detection Copyright Joe Security LLC 2018 Page 4 of 40

Strategy Score Range Reporting Detection Threshold 1

5 Strategy Score Range Reporting Detection Threshold Report FP / FN Confidence Strategy Score Range Further Analysis Required? Confidence Threshold true Classification Copyright Joe Security LLC 2018 Page 5 of 40

Ransomware Miner Spreading malicious malicious malicious Evader

Banker Spyware Trojan / Bot Adware Analysis Advice Sample has a GUI,

automation may extend behavior Uses HTTPS for network communication,

further analysis Signature Overview Networking Summary System Hooking

6 Ransomware Miner Spreading malicious malicious malicious Evader Phishing suspicious suspicious suspicious clean clean clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted ' cookbook for further analysis Signature Overview Networking Summary System Hooking and other Techniques for Hiding and Protection Copyright Joe Security LLC 2018 Page 6 of 40

7 Click to jump to signature section Networking: Social media urls found in memory Downloads files Downloads files from webservers via HTTP Found strings which match to known social media urls Performs DNS lookups Urls found in memory or binary Uses HTTPS System Summary: Searches the installation path of Mozilla Firefox Classification label Creates files inside the user directory Creates temporary files Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Found graphical window changes (likely an installer) Uses new MSVCR Dlls Binary contains paths to debug symbols Hooking and other Techniques for Hiding and Protection: Disables application error messsages (SetErrorMode) Behavior Graph Copyright Joe Security LLC 2018 Page 7 of 40

Behavior Graph ID: 57282 URL: http://202.74.140.

8 Behavior Graph ID: URL: Startdate: 30/04/2018 Architecture: WINDOWS Score: 1 started Legend: Process Signature Created File DNS/IP Info Is Dropped Is Windows Process Hide Legend iexplore.exe Number of created Registry Values Number of created Files Visual Basic Delphi Java , 49408, 50323, GOOGLE-GoogleIncUS United States crl.godaddy.com started.net C# or VB.NET C, C++ or other language Is malicious iexplore.exe , 443, 49164, ESSENTIALENERGY-AS-APESSENTIALENERGYAU Australia crl.godaddy.com , 49175, 49178, AS GO-DADDY-COM-LLC-GoDaddycomLLCUS Netherlands started ssvagent.exe 6 Simulations Behavior and APIs Time Type Description 03:38:47 API Interceptor 1761x Sleep call for process: iexplore.exe modified 03:38:48 API Interceptor 1x Sleep call for process: ssvagent.exe modified Antivirus Detection Initial Sample Detection Scanner Label Link 0% virustotal Browse Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains Detection Scanner Label Link crl.godaddy.com 0% virustotal Browse Copyright Joe Security LLC 2018 Page 8 of 40

9 Yara Overview Initial Sample No yara matches PCAP (Network Traffic) No yara matches Dropped Files No yara matches Memory Dumps No yara matches Unpacked PEs No yara matches Joe Sandbox View / Context IPs No context Domains No context ASN No context Dropped Files No context Screenshots Copyright Joe Security LLC 2018 Page 9 of 40

$exe (PID: 3436 cmdline: '' SCODEF:3380 CREDAT:275457 /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3496 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.$

10 Startup System is w7 cleanup iexplore.exe (PID: 3380 cmdline: '' -Embedding CA1F703CD665867E8132D2946FB55750) iexplore.exe (PID: 3436 cmdline: '' SCODEF:3380 CREDAT: /prefetch:2 CA1F703CD665867E8132D2946FB55750) ssvagent.exe (PID: 3496 cmdline: 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new 0953A FD1E655B75B63B9083B7) Created / dropped Files C:\Users\HERBBL~1\AppData\Local\Temp\JavaDeployReg.log Size (bytes): 89 ASCII text, with CRLF line terminators Entropy (8bit): DC93439CF59FA3ABE1ACD41F28CE E9FC8A047485BDB95B6B3F551B11AFFF E7726C5BD5B50C01B26E9A3EB48A A66A481F5FC A5121 7A85183D2E75F24D997E968D0C B53CA1BFF E8DFE15E8AD57B6E1645FEE8DDC1D149F66806E B517F99B7B6AC5D9044A414F5F11F BC Copyright Joe Security LLC 2018 Page 10 of 40

11 C:\Users\HERBBL~1\AppData\Local\Temp\~DF08F0DD47394B9E63.TMP FoxPro FPT, blocks size 258, next free block index Size (bytes): Entropy (8bit): B0FDAA C5D40C478D4D990D9 B90A5BBEEEA6E964B6D08D8A78CB5C E2 34B43CE10D411A3233D0A0CDFA3E7EAF7952B745331B5ACC6625DA4F548CBD53 9EAE018E01174DE28BE4E5AE38D3050B96DB9EBAC130CBBC1AEECED452FD98AE67F7A62AA38DFD9E415EB BCBB4A86D96493F3FB7FDD8CA96E676BD315 C:\Users\HERBBL~1\AppData\Local\Temp\~DF5686D6C74AC510A5.TMP Size (bytes): Entropy (8bit): E1566A282A9E6B3FA338A9BA9DB8ABCB E4D1198DB7D64825BCFB3DF89FAC7503D96B5D5C A23DA534CDEB E1142DA2B305E04D45D8C68FD1B7161CE E 650E790157AFF91AB00FFE3BE94FC8DA8DC67B4A77FC440CBA3DD2871F635A1BC2CE4A0A6BD08168F93E91F08 8A5D8374F0DD8AFF6532C528AAEE0BC8B5D4235 C:\Users\HERBBL~1\AppData\Local\Temp\~DFD41C8312EA71BE1D.TMP Size (bytes): Entropy (8bit): E1D74CC111D216CC02A2AE4E2A6DFEB 59E9D6A8510DCC5ADC4383D3FAE76F4909FE1643 CC8F430CF45E446E3CEC370BD90CAB37672C95958A90A0EC22DF77BA6CEB2A15 305B6DC60610FD468CDEB8FC836DECEAEFB05A50AB182F7532A78A722994A3DFE9839E6E438AB040D73B36B E02AC08A9A9CCA479FCDD75AB62 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B177 1 Size (bytes): 1730 Entropy (8bit): C427ECFE3239C751255A57486C49879E 6DA45E49A2F8D54DCA58380CCB34C356756ACD1B DC4937AF1303FC00690C7021CCE86991CFA7DA02957AAA17E5E1864AB 9024C36D9D949E31EDEE4B4C3C4364A9D9C229906D042EDC71CC1F84D DB5A64D5B F1B3C B450B82AA7BEC839385FFC1B8455B175C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 Microsoft Cabinet archive, 6509 bytes, 1 file Size (bytes): 6509 Entropy (8bit): B39E2A516EF730A8FA922894F0FBD5 03D455583DDA59215D945AF76AF6293B202F586F 9446E8F2056FEA3AC1365A809ADA C396F72FFE42FD1B781C24CBA Copyright Joe Security LLC 2018 Page 11 of 40

12 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD AA13B43EB96294B0F84E E06FB79F4AF4F35D020ED0ADD9D8D1B42FE7EC2C6340AC8E08B 182F83469D813087C321C878F96970C C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\67F6625BC22310D5C99DDE12020DBD90 Size (bytes): 462 Entropy (8bit): A68A2AE020719B8942F12700C2AA7326 8B382EF2E4FE11578EB042012F49DA87F2CC56E9 D605EF4CA0057C59A4E90EB65A86BFFCA2A76509F5D67A2B7C6FCB66DA48B95F E9E343A249A7E304703D C17A870C4245A84755B2592A6736A70CD921D0B249A14A7EA4E3C9674CED206B E0D D A722A7495CE672BAE C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E0 4 Size (bytes): 471 Entropy (8bit): F0210FCA CC216A E2 D10B86C6F353C30D98B55BFCAADD40E7D493397C 397AD878DB2D20AFD65BA634252E B089E1C9526BD D1221F9 C5CA0CE0D36CB0716ECC6E37F96C261EF4E992C6C6B03D7EF703252D5494DE7AAFB222089C8BEC0A52ECD39D CF B994898E994C7D29C8C513BB690DA C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F Size (bytes): 4267 Entropy (8bit): F8216FD354CA2C606769D95731D45B19 950CA8F6EE3A EB8BD1CF170C259D80 68B74DD2A491A8490A6DCF99AF4AC4F E712F92545DF678962EF2D903D 2E19E49E10747CCB526591CDFB4BBD7F0F55B8BB34F1C11509D130710EDCEE87E4FB313BC74164D4F1F1E1F91A F6ECF30ADB8A AC072D EC5 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AA EAEF011FC9E8317E _3B624A83E42510D810A545A57D1217A9 Size (bytes): 1776 Entropy (8bit): A8A51F16F9F1ED4FF4FEBD744 61D7BA508D5B7BF ABD8176E3665ED3D7 EA6D2449B A5C8747BA237B B1C075F92609DCD3EA28E5DF59 FA9D36AED75C61A7E97E734E ED877DEA52B9AC67BD4F0D5BB6F461D749155E2D478A2F D5 F6B5150ED52C34F0EC670FAD80B25E36330F53 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5FD5BF0CE6372B1CAFE381FD0BC969C Size (bytes): 429 Copyright Joe Security LLC 2018 Page 12 of 40

13 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5FD5BF0CE6372B1CAFE381FD0BC969C Entropy (8bit): EC298C64E5AACBC4DBD62633AA53A80B 5A5CA27645EBCE6B9AEAFC9A803C39FD3E2C8B5E CC4BEAAB8386E2700C8CED0C4556B2C24DBA47B6FE9F0BD4D9AB2B408C9355A9 874F02B0FCB2A7A00C79A E92B8E45A8BC6FF34B90E079578F3E4C A26659B737B2BB10CB662 9CF95F06BAC0F6D4240FCEA2675DB472AABF1 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C6D8D1AEC0F5BF411CC9D27E9BFE3C04 Size (bytes): Entropy (8bit): DDC54BF93DC46E5A40D9BECF46 4D8B16C4B4DB07740F56A492B B31725A FF3E790E8A770B3497B E53E0964C6BAC9C51AD73250B480C9DE2FE6B DDECD6664F664EBFA1591FAB2B40E4F84DAA8D1DFB66C012A26CF4F2A897401C0C2BF4E441A5F23BF0C1 61EBD0A6EBA393C51C6EC0BAB92E1160A C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A A396_D76DB901EE986B889F30D8CC06229E2 D Size (bytes): 1697 Entropy (8bit): D6BC1F709C7535E286D80E4F7FB24A 5AB3C155FE4F8FEDC51013C6721C97FA5F45DE03 2D01DA652C0FAAD1F4B30A8E75E12114E247FC6F9BC18E091D4FB281C1A5B7C8 874F0BD1541FAF2CEB1A2F04404C274359DFCD070307FC317AF30ACFCEE96C9F12AD1E5D375C4F D26C A F4349C09535EBE16CD0E2EEEF112 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE A660ED7C9DD9E7_EFF9B9BA98DEAA773F26 1FA85A0B1771 Size (bytes): 450 Entropy (8bit): A80FE4741DFF138BDEC4A3DA E00AF753F0DA771E005BBEB2AFE49BC77B0EC6F A9F50B2748FDA4B5B525DF8557BC4677B42F0E82D713EBBEF8EB476F1BD921E0 34A81F4CB525BD1B594088F7978FE3B9AFB1FE1138E6C D2C58BF1B2E43FB208367F8068DAABD C4F435A975D28210B1719D2C526D3F07 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 Size (bytes): 342 Entropy (8bit): ACFB013A6823F6A20224C445B0 CD57B31C1D8448F82533BF23ACE1EF77667C D4CC27A0D759BB0E97ADE2E E33522C38D90A634B46B4FDC7A3 67D2EC1E02E60E77533B36679C01F711FB1E32EEB8D3CCCA503F13BFF9492BD87F4055CA3A76C134A47C57D23C 4C70755AE47B A6E2203FBF A3 Copyright Joe Security LLC 2018 Page 13 of 40

14 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\67F6625BC22310D5C99DDE12020DBD90 Size (bytes): 230 Entropy (8bit): B263D42E76B34670DCC0EAD CB1970FD33DD25FF538A9E ABB2B36 782B8C137912E706C691A38D85E0D185ACF2E7A1EA9EB07972DA90AB96DC71E1 6887DD6DEC E B73570CE2E7A E2C4C41A1090E101BD AC17F84322ACB3C297A EC1E395FEC3C40F0C39D5A6727A2A545E284 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF B E04 Size (bytes): 868 Entropy (8bit): E15570B001535A9C5250 F9BB33CA3E1371E35BE6B2261A EDCF 8AF49D BAB02ECED5A8A31C69B7AD6A933C64B58E1DAD25786AD6CC9C 261F34ACDF3F05A2D10267BFE1088B7F7C3D75A7F30E597C41DB27A663BD13EE1AE184292C38FFD88B7BBFF9B 43C850547E733F275805C7F4CA57C82F6EDED18 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F Size (bytes): 448 Entropy (8bit): F276CBE674A461F9D8A9138E67AF7E AD80CC BB8B83C621D ECAA8232 7D902F7EA46E D0E21195BE56C89D359FEDF291CE815F1160BBD2E3B95 C19341A948C6DEFFCC97437A3EA32AF6522DA01FD61FA07C709AFC1A223D0412AC7C5264A307F36AB3B653D83E 63AB2FA82C8620CFB87374CD4EF0F18E7304CD C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AA EAEF011FC9E8317E _3B624A83E42510D810A545A57D1217 A9 Size (bytes): 458 Entropy (8bit): D5E1412EE8880B6194FF08F0E898DD0D B57C59E68B13EF1044F9E756C79F8BE3DD7957D2 9AC837AE39C036BEE0905D762C9DBD671AC798C884796B9E20DED649A75E62AE 0FF94E13F72980D1F7EE4EBADDA215DCBE33976E5D8022F0D64C9D8E1CF0D7ABDEBF8FDBCE95FDD326B0F1C 4B63F31D887C1D102B8F88A269AE6E9CE0533BEFB C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5FD5BF0CE6372B1CAFE381FD0BC969C Size (bytes): 224 Entropy (8bit): Copyright Joe Security LLC 2018 Page 14 of 40

15 C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5FD5BF0CE6372B1CAFE381FD0BC969C 97B C5CAFF79678A5D6B46E 1E1B636D7C62A46E AAAAF94EAC65CD 0C682A5CE4E CB0AC487E37784F7C9BC F5F B55D63D 3B0ADC24C A09ECC D3411C A690FB27FEEDFD87F174A4A02CE6C663EAF899D2E0C88C0 533F8A4F34E0E1A5F740FEFB158552E76E004F C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C6D8D1AEC0F5BF411CC9D27E9BFE3C04 Size (bytes): 238 Entropy (8bit): F700503C7E8EB2A9B42211F9B94F0E25 D2922FD553546F5B7951C3A924A23A5E550F2857 1DB EF8BE61B6A2A2DC7413BAFB7C00D0B9AB7C52BFFD6E057EC B6253EF6AB5DC0DC7DE99B469187B4B3DD261EF359FE7836CBB443E1ECDD66C34F7D0D675FD0BAC82D7BF9D5 D5BE46EB40845EB15A7C463FABEA1AF23C9A1B6E C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A A396_D76DB901EE986B889F30D8CC06229E 2D Size (bytes): 458 Entropy (8bit): CE0C9CAE3426AA2E20466A23312D2A2 EB2F47D1C833F1872A52D2A7F9A0ED6D5CB00B02 EE35F026A016D254A2FAE25E1325F4C5D960DF0691C498B9CAB F46E7 C1ABD93AE B BE71FC5FA195B3BBB972C B1E1AF1AB6E109DA23BF82CC021C4B11FE BB3EBAFDD479F1A7C EA2B02FC0DFBC5 C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D f-A0FF-E1416B8B2E3A}.ico Size (bytes): 237 Entropy (8bit): PNG image, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 Size (bytes): Entropy (8bit): A34CB996293FDE2CB7A4AC A 3C96C D1A77873CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD E1B7D F E70F68B1BE6FD0CA65DCCF4FF D44278D3A77F704AEDFF59D2DBC0D56A6 09B2590C8EC0DD6BC48AB30F1DAD0C07A0A3EE Copyright Joe Security LLC 2018 Page 15 of 40

16 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompat.xml Size (bytes): Entropy (8bit): XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators 41B359B77895C21C3ABB E66A1 6FB1E19BCCAC371EF16CDFA7D6B E5CE8C C04DA787E2D9EF9F2F76C796AA7425A27B31489A4CB8890D0B06C0C97DF38C5C 3D2B9AA084F8241AF2DA92B1B2441C89DDC8433BBD2E0B4E7A031CA5ED8F62C19D77C6816B226E4CCC49A424E F ED11D28909A4DB F C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{39429FC1-4C17-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): B0C7D36CC55B4766A64D09A44CCDBDB8 F3ABF49B7F00C0F1BBA368057C6D58D74A75844C 6A7111EEA6DE3A14205C5F8B0BAD0742D542D3017EAFFEF310B CE55AB A4D7B8B6DA6A9834DACAF341EC040CADA38389F72971C51CB07EF0A3755A50655AA6BC70 D7490B01D2DC4ACA12E B FF2 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{39429FC3-4C17-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): ABBEC170688AD4896E6F4A5E9E993 A4403F4E8F75F EE4AEDA53B20399A5CF 23C49D23E449A1C5737B145C86A57550EFC1616CD230587DCFB79D905A1739A0 DA1D416F2A63F63ADACB E406CD0D04740F01775B83089CEB091588E90B462DD232F50101E8BC41B296D7 3986C1B8BDF5DDAD987962CC62C51BD13FA08 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{42F2B110-4C17-11E8-B7AC-B2C276BF9C88}.dat Size (bytes): Microsoft Word Document Entropy (8bit): A9D2B6FF8FFA56105B26D2736C9 B34710E1CEDF F47B11585C7B7BD6A 144A0F78383C000F2C7EEB877EDA221A1FA75564D48BC56FF195F1C8E663380E 88ED25BFC751C FC34DA21D3F04E07FDDFF43C BDFA72574CB161AD86C377FC182E068EE173 BA574B942ABED512B55B8C7482AA21A2FCF3A C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF17A.tmp Size (bytes): Entropy (8bit): XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators 095C72688DE7D90E6526DC0D8878F3F6 A1CAE182FB7E86C74FB5467C0014B2A27472BE DA E9B4B0D245C5B7E1FAC1242A087DED44EAF3B792E4A231E AB7FD229A6F532AE11E4CCEB01F823810B33D5C740BC9F290C79646C422AFFC27DDB8476C931D6E4A9686EED97 0E219B6CEBBF68F9A12B6C629B6816CDE1615C Copyright Joe Security LLC 2018 Page 16 of 40

17 C:\Users\user\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF17A.tmp C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\dnserror[1] Size (bytes): 1857 Entropy (8bit): HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators 73C70B34B5F8F158D38A94B9D E9EAA065BD6585A1B176E13615FD7E6EF96230A9 3EBD34328A4386B4EBA1F3D5F1252E7BD13744A B4689C13FCF4 927DCD4A8CFDEB0F970CB4EE3F059168B37E1E4E04733ED3356F77CA0448D2145E1ABDD4F7CE1C6CA23C1E B17987CC56C84C78E73F60E08FC0D C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\iecompatviewlist[1].xml Size (bytes): Entropy (8bit): XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators 021B677623B5092A2049AEB828A9B0BA CE5DC9C5D8C065B D9BA0674F DC83EA97F10C5CE73FD1E2D4D32F BC58841EAF1185A13B977698B B5D1967C90442EE6F7AD77DB5D0FF4338E6A16C6EBCD18B447CC69A EB226F A7A705E B7ACA51F152CCF32A6E13D7688C240F C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\suggestions[1].en-US Size (bytes): Entropy (8bit): A34CB996293FDE2CB7A4AC A 3C96C D1A77873CD62BC639B3A10653F C6A5377CBC07EECE33790CFC70572E12C7A48AD8296BE25C0CC805A1F384DBAD E1B7D F E70F68B1BE6FD0CA65DCCF4FF D44278D3A77F704AEDFF59D2DBC0D56A6 9B2590C8EC0DD6BC48AB30F1DAD0C07A0A3EE C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\NewErrorPageTemplate[1] Size (bytes): 1310 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators CDF81E591D9CBFB47A7F97A2BCDB70B9 8F12010DFAACDECAD77B70A3E781C707CF D95C6FB161368C795BB63E538FE0B11F9E406494BB5758B3B0D60C5F651BD 977DCC2C6488ACAF0E5970CEF1A7A72C9F9DC6BB82DA54F057E0853C8E939E4AB01B163EB7A5058E093A8BC44 ECAD9D06880FDC883E67E28AC67FEE4D070A4CC C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\urlblockindex[1].bin Size (bytes): 16 Entropy (8bit): FA518E3DFAE8CA3A0E495460FD60C791 Copyright Joe Security LLC 2018 Page 17 of 40

18 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0TZNT9WD\urlblockindex[1].bin E4F30E D37267C0162FD4A C C4B4E5F883F9FD5A278E61C471B3EE B6D129499AA7 D21667F3FB081D39B579178E74E9BB1B6E9A97F C165729A58F1787DC0ADADD980CD026C7A601D416665A 81AC13A69E49A6A2FE2FDD AA645C07 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT\errorPageStrings[1] Size (bytes): 3470 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 6B26ECFA58E37D4B5EC861FCDD3F04FA B69CD71F68FE35A9CE0D7EA17B5F1B2BAD9EA8FA 7F7D1069CA8A852C1C8EB36E1D988FE6A9C17ECB8EFF1F66FC5EBFEB A 1676D43B977C07A3F6A5473F12FD16E A1CB9771D0F189B EE79480C33A010F08DC521E57332EC4 C4D888D693C6A2323C97750E C3F4 C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\favicon[1].ico Size (bytes): 237 Entropy (8bit): PNG image, 16 x 16, 4-bit colormap, non-interlaced 9FB559A E77D F6541 EA13848D33C2C7F4F4BAA39348AEB1DBFAD3DF31 6D8A01DC7647BC218D003B58FE04049E24A B7E0CEBAE76EDF85B8B914 0E CD123BE8A20B87D9A3AAF5CB05249DE7F8286FF99D3FA35FC7AF7A9D9797DD6EFB6D1E722147DCF B74437DE D0009D452FB96A8ECE236B C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DEWWYACU\httpErrorPagesScripts[1] Size (bytes): 8714 Entropy (8bit): UTF-8 Unicode (with BOM) text, with CRLF line terminators 3F57B781CB3EF114DD0B B7B CE6A63F996DF3A1CCCB81720E21204B825E0238C 46E019FA34465F4ED096A9665D1827B AD82E98BE01EDB1DDBC94D3AD 8CBF4EF582332AE7EA605F910AD6F8A4BC FA84F08943A72CAC2CF0FA32B6AF4C20C697E1FAC2C5B A16B5A64A23AF0C11EEFBF69625B8F9F90C8FA Contacted Domains/Contacted IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation crl.godaddy.com true 0%, virustotal, Browse high Contacted IPs Copyright Joe Security LLC 2018 Page 18 of 40

19 No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs IP Country Flag ASN ASN Name Malicious United States GOOGLE-GoogleIncUS Netherlands AS GO-DADDY-COM-LLC- GoDaddycomLLCUS Australia 9463 ESSENTIALENERGY-AS- APESSENTIALENERGYAU Static File Info No static file info Network Behavior Network Port Distribution Total Packets: (HTTPS) 53 (DNS) 80 (HTTP) TCP Packets Copyright Joe Security LLC 2018 Page 19 of 40

20 Timestamp Port Dest Port IP Dest IP Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Copyright Joe Security LLC 2018 Page 20 of 40

21 Timestamp Port Dest Port IP Dest IP Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Copyright Joe Security LLC 2018 Page 21 of 40

22 Timestamp Port Dest Port IP Dest IP Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Copyright Joe Security LLC 2018 Page 22 of 40

23 Timestamp Port Dest Port IP Dest IP Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Copyright Joe Security LLC 2018 Page 23 of 40

24 Timestamp Port Dest Port IP Dest IP Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: Apr 30, :39: UDP Packets Timestamp Port Dest Port IP Dest IP Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Copyright Joe Security LLC 2018 Page 24 of 40

25 Timestamp Port Dest Port IP Dest IP Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :38: Apr 30, :39: Apr 30, :39: Copyright Joe Security LLC 2018 Page 25 of 40

ID: Cookbook: browseurl.jbs Time: 15:40:31 Date: 11/04/2018 Version:

ID: Cookbook: browseurl.jbs Time: 15:40:31 Date: 11/04/2018 Version: ID: 54174 Cookbook: browseurl.jbs Time: 15:40:31 Date: 11/04/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis