ID: 34190 Cookbook: urldownload.jbs Time: 20:07:04 Date: 13/10/2017 Version: 20.0.0
Table of Contents
Analysis Report
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
    Signature Overview
      AV Detection
      Networking
      System Summary
      HIPS / PFW / Operating System Protection Evasion
      Malware Analysis System Evasion
      Hooking and other Techniques for Hiding and Protection
      Language, Device and Operating System Detection
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshot
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    No static file info
  Network Behavior
    Network Port Distribution
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    HTTP Request Dependency Graph
    HTTP Packets
  Code Manipulations
  Statistics
Copyright Joe Security LLC 2017 Page 2 of 16
  Behavior
    System Behavior
      Analysis Process: wget.exe PID: 3040 Parent PID: 1728
        General
        File Activities
      Analysis Process: explorer.exe PID: 3140 Parent PID: 548
        General
        File Activities
        Registry Activities
  Disassembly
    Code Analysis
Analysis Report
Overview
General Information
Joe Sandbox Version: 20.0.0
Analysis ID: 34190
Start time: 20:07:04
Joe Sandbox Product: CloudBasic
Start date: 13.10.2017
Overall analysis duration: 0h 3m 27s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: http://pivottrading.co.in/googleapi/src/service/Funtinal/Emissao-de-2-via-de-Boleto/Emissao-de-2-via-de-Boleto.zip
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: MAL
Classification: mal48.win@2/2@3/1
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Warnings:
Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Detection
Strategy Score Range Reporting Detection
Threshold 48 0 - 100 Report FP / FN
Confidence
Strategy Score Range Further Analysis Required? Confidence
Threshold 5 0 - 5 false
Analysis Advice
Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
Classification
[Classification chart: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader; each axis rated clean / suspicious / malicious]
Signature Overview
• AV Detection
• Networking
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Language, Device and Operating System Detection
AV Detection:
Antivirus detection for domain / URL
Networking:
Downloads compressed data via HTTP
Downloads files from webservers via HTTP
Performs DNS lookups
Urls found in memory or binary data
Uses a known web browser user agent for HTTP communication
System Summary:
Uses Rich Edit Controls
Found graphical window changes (likely an installer)
Classification label
Creates files inside the user directory
Launches a second explorer.exe instance
Reads ini files
Reads software policies
Spawns processes
Uses an in-process (OLE) Automation server
Reads the hosts file
HIPS / PFW / Operating System Protection Evasion:
May try to detect the Windows Explorer process (often used for injection)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Malware Analysis System Evasion:
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
May sleep (evasive loops) to hinder dynamic analysis
Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)
Language, Device and Operating System Detection:
Queries the cryptographic machine GUID
Behavior Graph
ID: 34190
Sample:
Startdate: 13/10/2017
Architecture: WINDOWS
Score: 48
[Graph nodes: wget.exe (1) started; explorer.exe (3 4) started; pivottrading.co.in / 162.144.72.132, 80 / UNIFIEDLAYER-AS-1-UnifiedLayerUS / United States; 3 similar packets combined: pivottrading.co.in]
[Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious]
Simulations
Behavior and APIs
Time Type Description
20:07:21 API Interceptor 4x Sleep call for process: explorer.exe modified from: 60000ms to: 500ms
Antivirus Detection
Initial Sample
No Antivirus matches
Dropped Files
No Antivirus matches
Domains
Source Detection Cloud Link
pivottrading.co.in 6% virustotal Browse
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
Match Associated Sample Name / URL SHA 256 Detection Link Context
UNIFIEDLAYER-AS-1-UnifiedLayerUS 3transcrip.exe a995bae77a7621466172bbacb719ccc287c4c7745106efa68b6469f7cb254dd1 malicious Browse 192.254.190.168
81fil.exe 67a5c532f2680b80df3692faf75b240469264a7dd12acbcca706f306f95cdeb5 malicious Browse 192.254.190.168
.exe 15c56eb1dd33ee600a86eecb2de6c73c61b0b9c3ba3ed7a5ca7334986e210b6f malicious Browse 192.254.190.168
21gjj.exe 1f6a51b1f854974b68c3b1f913f7e1d6d1dc52ae4555e4d53144dcaba36ff8e2 malicious Browse 192.254.190.168
65readm.exe 4879e150697d7fd7aa7b073ba7e1a5521524c75b28e4d168255f3024dbc5d017 malicious Browse 192.254.190.168
49youtube.exe 9fc52b06f79046f3b0d2f22dbbb0df3a603f83ae6260b791e63cc5ee044d15f0 malicious Browse 192.254.190.168
53lette.exe 927450af7ad7f12dac92643f15a1751cf65304e8ed3e281fca5cce3523d111a6 malicious Browse 192.254.190.168
11.html .exe 3113b878f3c6c44c39ca8a8117f6f2922ad6130337a9c52fc7340f569a705cee malicious Browse 192.254.190.168
65Fil.exe 1d16d13887917df11398e81e88a2ef619a70e05b4beb2d31c061ebc673943363 malicious Browse 192.254.190.168
52Fil.exe 78c7e52b486ca13ae3a373640168fe79122ce54da32c5de3b7fd6fa469e2e23c malicious Browse 192.254.190.168
.exe 086e132b327fcbf28b5e8a86e8f235333ad606a18037c1d00d58e5e6a0658cca malicious Browse 192.254.190.168
1pjmdd.exe 5b7f86425827330fccfda2ea66c34ca565e00f0739e8d85494f88a60b7e9f2d1 malicious Browse 192.254.190.168
49QOQAsYEJoB.exe 2f9919f720e08b4afbc3385f03052c8a5b8a18d4a79a88a3c3cef9abca77c3d4 malicious Browse 192.254.190.168
90eqohxP24pE.exe 526372b3d733173746015478e1d4b790ff783465f3b69e007de114d8dc7835b0 malicious Browse 192.254.190.168
New invoice #174943553_JQV#SBT_2017 (26 Sep 17).doc 5bb5975dd0b781d5fab3721ae66463e64825fccfdcf876bcb8899c2571ed04f4 malicious Browse 192.185.225.86
18.doc .exe 3d2709b60273830bc1a3eafe07c125cfe375a94b3a9faeb2dd4434b4a38f5be6 malicious Browse 192.254.190.168
.exe 8d478cbcf1302658a9083a6f3ec333e643f2041b68a529662fbc3abb1760eda7 malicious Browse 192.254.190.168
[email protected] a139757b0f8385b2880d1e8d488dcfe42db9439cabeb0993ac671864070a14fa malicious Browse 192.254.190.168
27message.exe 57cb490fd7736e520d7bfd3029d2b92733a9448232ce1be13e6b11e39b4372dd malicious Browse 192.254.190.168
.exe 13bd2b7cd562993772349b3bbf13ad041e24900e5144d8aab25b22ad460fe462 malicious Browse 192.254.190.168
Dropped Files
No context
Screenshot
Startup
System is w7
wget.exe (PID: 3040 cmdline: wget -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://pivottrading.co.in/googleapi/src/service/Funtinal/Emissao-de-2-via-de-Boleto/Emissao-de-2-via-de-Boleto.zip' MD5: 834C709455BFEFB9B0E8976BAD13A8F4)
explorer.exe (PID: 3140 cmdline: C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
cleanup
Created / dropped Files
C:\Users\user\Desktop\download\Emissao-de-2-via-de-Boleto.zip
File Type: Zip archive data, at least v2.0 to extract
MD5: 0B1660D813DFC59F9B3901B59F8CB09B
SHA1: 13E8D8E3C7BBCC1545ED9F2E94BDF9E8EE2D4DF5
SHA-256: D865E585158DC7F901CBBAF038CEDD9FA7873637EE460D6CA159796282302B51
SHA-512: D9B27D81682B9202797DC70D2DEDCC0B2EF77D208B606C4D3164A2D234823A2F1888C521F5E64AD9FC058265FF1A74DC29455EB43BF19E070F77A4FF86936161
Malicious: false
\samr
File Type: Hitachi SH big-endian COFF object, not stripped
MD5: 080E701E8B8E2E9C68203C150AC7C6B7
SHA1: 4EF041621388B805758AE1D3B122F9D364705223
SHA-256: FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
SHA-512: C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
Malicious: false
\samr
Static File Info
No static file info
Network Behavior
Network Port Distribution
Total Packets: 11
• 80 (HTTP)
• 53 (DNS)
[Port distribution chart legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]
Contacted Domains/Contacted IPs
Contacted Domains
Name IP Active Malicious Antivirus Detection
pivottrading.co.in 162.144.72.132 true false 6%, virustotal, Browse
Contacted IPs
IP Country Flag ASN ASN Name Malicious
162.144.72.132 United States 46606 UNIFIEDLAYER-AS-1-UnifiedLayerUS false
TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Oct 13, 2017 20:07:42.177211046 CEST 61861 53 192.168.2.2 8.8.8.8
Oct 13, 2017 20:07:43.177118063 CEST 61861 53 192.168.2.2 8.8.8.8
Oct 13, 2017 20:07:44.178329945 CEST 61861 53 192.168.2.2 8.8.8.8
Oct 13, 2017 20:07:44.371997118 CEST 53 61861 8.8.8.8 192.168.2.2
Oct 13, 2017 20:07:44.470227003 CEST 53 61861 8.8.8.8 192.168.2.2
Oct 13, 2017 20:07:44.470273018 CEST 53 61861 8.8.8.8 192.168.2.2
Oct 13, 2017 20:07:44.492281914 CEST 49165 80 192.168.2.2 162.144.72.132
Oct 13, 2017 20:07:44.492304087 CEST 80 49165 162.144.72.132 192.168.2.2
Oct 13, 2017 20:07:44.492357016 CEST 49165 80 192.168.2.2 162.144.72.132
Oct 13, 2017 20:07:44.520412922 CEST 49165 80 192.168.2.2 162.144.72.132
Oct 13, 2017 20:07:44.520423889 CEST 80 49165 162.144.72.132 192.168.2.2
Oct 13, 2017 20:07:45.042565107 CEST 80 49165 162.144.72.132 192.168.2.2
Oct 13, 2017 20:07:45.049324989 CEST 49165 80 192.168.2.2 162.144.72.132
Oct 13, 2017 20:07:45.049340010 CEST 80 49165 162.144.72.132 192.168.2.2
Oct 13, 2017 20:07:45.543484926 CEST 80 49165 162.144.72.132 192.168.2.2
Oct 13, 2017 20:07:45.554275036 CEST 49165 80 192.168.2.2 162.144.72.132
UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Oct 13, 2017 20:07:42.177211046 CEST 61861 53 192.168.2.2 8.8.8.8
Oct 13, 2017 20:07:43.177118063 CEST 61861 53 192.168.2.2 8.8.8.8
Oct 13, 2017 20:07:44.178329945 CEST 61861 53 192.168.2.2 8.8.8.8
Oct 13, 2017 20:07:44.371997118 CEST 53 61861 8.8.8.8 192.168.2.2
Oct 13, 2017 20:07:44.470227003 CEST 53 61861 8.8.8.8 192.168.2.2
Oct 13, 2017 20:07:44.470273018 CEST 53 61861 8.8.8.8 192.168.2.2
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
Oct 13, 2017 20:07:42.177211046 CEST 192.168.2.2 8.8.8.8 0xcd54 Standard query (0) pivottrading.co.in A (IP address) IN (0x0001)
Oct 13, 2017 20:07:43.177118063 CEST 192.168.2.2 8.8.8.8 0xcd54 Standard query (0) pivottrading.co.in A (IP address) IN (0x0001)
Oct 13, 2017 20:07:44.178329945 CEST 192.168.2.2 8.8.8.8 0xcd54 Standard query (0) pivottrading.co.in A (IP address) IN (0x0001)
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Oct 13, 2017 20:07:44.371997118 CEST 8.8.8.8 192.168.2.2 0xcd54 No error (0) pivottrading.co.in 162.144.72.132 A (IP address) IN (0x0001)
Oct 13, 2017 20:07:44.470227003 CEST 8.8.8.8 192.168.2.2 0xcd54 No error (0) pivottrading.co.in 162.144.72.132 A (IP address) IN (0x0001)
Oct 13, 2017 20:07:44.470273018 CEST 8.8.8.8 192.168.2.2 0xcd54 No error (0) pivottrading.co.in 162.144.72.132 A (IP address) IN (0x0001)
HTTP Request Dependency Graph
[HTTP request dependency graph: pivottrading.co.in]
HTTP Packets
Timestamp Source Port Dest Port Source IP Dest IP Header Total Bytes Transferred (KB)
Oct 13, 2017 20:07:44.520412922 CEST 49165 80 192.168.2.2 162.144.72.132
HEAD /googleapi/src/service/Funtinal/Emissao-de-2-via-de-Boleto/Emissao-de-2-via-de-Boleto.zip HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Accept: */*
Host: pivottrading.co.in
Connection: Keep-Alive
Total Bytes Transferred (KB): 1
Oct 13, 2017 20:07:45.042565107 CEST 80 49165 162.144.72.132 192.168.2.2
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2017 18:05:11 GMT
Server: Apache
Last-Modified: Wed, 31 May 2017 15:24:49 GMT
Accept-Ranges: bytes
Content-Length: 1089
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/zip
Total Bytes Transferred (KB): 1
Oct 13, 2017 20:07:45.049324989 CEST 49165 80 192.168.2.2 162.144.72.132
GET /googleapi/src/service/Funtinal/Emissao-de-2-via-de-Boleto/Emissao-de-2-via-de-Boleto.zip HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
Accept: */*
Host: pivottrading.co.in
Connection: Keep-Alive
Total Bytes Transferred (KB): 1
Oct 13, 2017 20:07:45.543484926 CEST 80 49165 162.144.72.132 192.168.2.2
HTTP/1.1 200 OK
Date: Fri, 13 Oct 2017 18:05:12 GMT
Server: Apache
Last-Modified: Wed, 31 May 2017 15:24:49 GMT
Accept-Ranges: bytes
Content-Length: 1089
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/zip
Data Raw: 50 4b 03 04 14 00 00 00 08 00 fb 49 bf 4a e0 86 6d 02 77 03 00 00 82 04 00 00 22 00 00 00 45 6d 69 73 73 61 6f 2d 64 65 2d 32 2d 76 69 61 2d 64 65 2d 42 6f 6c 65 74 6f 2e 7a 69 70 2e 76 62 65 3d 54 61 73 aa 38 14 dd af fe 0b 1c a7 95 36 14 c4 32 5d ab f3 c6 22 e1 e9 d3 02 79 76 01 d3 ba 6c 0b be ca 4a 12 47 70 95 fa 66 93 bf be e0 bc ee 97 24 13 ee bd 27 f7 dc 73 68 3d f0 e8 ed fb 77 d3 34 bf 7c 91 ef 50 23 a3 ce ee 08 e7 27 75 db ec 33 1d 6a 52 21 ca 6d df 68 3f a3 d9 5f cc 7f 68 3d 5c 0e c5 8c 87 bd 8b 6c cf 82 a8 a4 0e b0 3c 91 1b 17 4c 9f 25 53 df 10 41 91 c4 6f c7 20 a6 d4 cb 66 a5 dd aa 33 c6 3d 77 68 99 45 90 0c f7 a2 28 c0 02 e8 b6 07 6c 33 a3 6a f6 e6 cd c5 1d b3 47 cf 7b 35 e9 26 f1 cb d3 46 87 79 8a 93 21 75 b2 14 75 9a 41 a1 d3 3e 6b 0f f6 df 0e ef c9 f5 cb 54 19 58 34 e7 f9 f4 69 aa 0e 1a 64 35 1d ed 6a 80 6e b1 11 f5 be 61 10 8d 0d b7 b1 df 6d 04 fc 3d a3 02 fd e4 8e c0 77 86 0b 22 ef 30 4d 63 bf ff 47 1f 67 e4 78 93 dc 38 e1 18 1f a3 b8 7f 23 e5 f1 b9 2d e6 29 34 2c 26 02 5f b9 b4 0b 81 9a a1 9f 28 94 1f 77 cb 9d 0f d4 65 4c 99 64 de 01 fd 5f 5b c0 c5 c1 de 80 08 e8 98 ff e0 a1 13 a6 68 97 97 5d 89 56 a9 e9 58 ed c4 2f e4 cd 13 50 9b 95 77 d9 b6 09 cf 3c f0 d4 00 2a 53 76 cc f4 89 1c 80 fb 12 7d 7b ed e6 67 72 a6 63 9d 78 e0 6e 10 c4 5a 69 1b 18 77 c9 f4 e4 67 7a 10 91 41 36 a7 2e 4c e8 2c 9d 37 c9 e5 31 22 a7 22 d6 70 26 1d 8d e3 f4 b6 c9 f0 ab 66 c2 e5 e4 6a 72 ea b3 4e b0 d5 2f 9f bf b6 4c 27 de d4 45 47 7c 42 57 3a 51 29 ba 27 28 b3 e5 39 14 2e ab 3f 68 9e ea db 46 83 e1 3d d1 3a bc 44 27 e8 90 d3 ab 0d c8 b5 24 91 c5 fc e3 7a 21 3d 4f 5b fc 90 d9 16 ca 06 b2 a7 0a 57 20 54 67 da 8f 04 02 93 4c ea f3 b9 12 76 9a d5 4d 4a 4f 4b 00 61 4c 79 9b 5f 39 d0 5a 1c 76 ad cf 10 db 2d 57 fc 0d b2 8e 50 45 19 c5 24 42 40 71 1b 2b 44 03 0f 38 a5 e5 c5 cb f0 5c 09 c2 f7 f5 86 b7 95 b8 ce 4f ec 9e 02 e6 9e 3e ff 48 a4 77 32 e5 76 27 b9 90 92 e4 3a 6f 71 fb 7d 3d 44 29 14 21 70 80 4f 63 52 70 81 46 e3 c9 50 89 03 c8 d4 92 e2 78 39 fe c4 2e c6 50 b9 25 fa 9e 8f e5 47 9d 79 27 d7 3a 42 e6 a0 bc 81 f4 30 58 03 58 0d f9 58 bd 42 ab 63 15 84 14 0e 1c d8 6d 58 bd a0 d2 4c a5 a1 8b 5f 3a c0 02 4a b7 0d 62 14 cc c7 16 8e a3 83 e6 39 bb 34 76 ef a1 58 69 23 b4 c2 ce 70 d0 6b 00 bc b7 b4 ce b9 6f ce 91 82 04 54 9d ca 16 a9 b5 c8 aa b6 2a b3 ac 01 be 7a 39 03 4a 3e f0 82 33 6f 8b 2c a9 3a af 39 34 ad 09 47 99 07 03 82 85 69 2d 8a 8a cf 9c 9e 45 89 aa 6a 3c 94 1f 27 0c c6 ae 55 ab 72 ee 33 f8 3e f1 87 02 2e 05 f4 19 71 a8 91 3b 2e 53 95 6a 1e f7 fa d9 a0 7f f3 7a 5d 83 05 fe 24 a3 c2 44 01 23 50 4e 8b 5e fb f9 4f 46 31 cb e5 0b 41 2b 4f ec 87 f2 fe e9 43 aa 96 7f 66 7d 66 9f 51 1d d3 c2 db 7e d0 93 c6 47 b3 cc 9d db 99 fd b4 0a 23 52 0d b2 19 e4 ab 51 87 14 2b b3 8e db 8a ab be 9c 46 5f 13 0d 34 dc c3 2f 17 cd 14 87 59 50 ee 47 bb f6 3a 9c 19 b9 bf ad ef cd f2 05 c9 e1 ff ef d1 3b a3 fa 87 13 b5 f8 c3 6f ff 01 50 4b 01 02 1f 00 14 00 00 00 08 00 fb 49 bf 4a e0 86 6d 02 77 03 00 00 82 04 00 00 22 00 24 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 45 6d 69 73 73 61 6f 2d 64 65 2d 32 2d 76 69 61 2d 64 65 2d 42 6f 6c 65 74 6f 2e 7a 69 70 2e 76 62 65 0a 00 20 00 00 00 00 00 01 00 18 00 00 f9 7c a6 07 da d2 01 b4 ed 2f 30 09 da d2 01 b4 ed 2f 30 09 da d2 01 50 4b 05 06 00 00 00 00 01 00 01 00 74 00 00 00 b7 03 00 00 00 00
Data Ascii: PKIJmw"Emissao-de-2-via-de-Boleto.zip.vbe=Tas862]"yvlJGpf$'sh=w4|P#'u3jR!mh?_h=\l<L%SAo f3=whE(l3jG{5&Fy!uuA>kTX4id5jnam=w"0McGgx8#-)4,&_(weLd_[h]VX/Pw<*Sv}{grcxnZiwgzA6.L,71""p&fjrN/L'EG|BW:Q)'(9.?hF=:D'$z!=O[W TgLvMJOKaLy_9Zv-WPE$B@q+D8\O>Hw2v':oq}=D)!pOcRpFPx9.P%Gy':B0XXXBcmXL_:Jb94vXi#pkoT*z9J>3o,:94Gi-Ej<'Ur3>.q;.Sjz]$D#PN^OF1A+OCf}fQ~G#RQ+F_4/YPG:;oPKIJmw"$ Emissao-de-2-via-de-Boleto.zip.vbe |/0/0PKt
Total Bytes Transferred (KB): 3
Code Manipulations
Statistics
Behavior
• wget.exe
• explorer.exe
System Behavior
Analysis Process: wget.exe PID: 3040 Parent PID: 1728
General
Start time: 20:07:15
Start date: 13/10/2017
Path: C:\Windows\System32\wget.exe
Wow64 process (32bit): false
Commandline: wget -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://pivottrading.co.in/googleapi/src/service/Funtinal/Emissao-de-2-via-de-Boleto/Emissao-de-2-via-de-Boleto.zip'
Imagebase: 0x755c0000
File size: 826368 bytes
MD5 hash: 834C709455BFEFB9B0E8976BAD13A8F4
Programmed in: C, C++ or other language
File Activities
File Path Access Attributes Options Completion Count Source Address Symbol
File Path Offset Length Value Ascii Completion Count Source Address Symbol
Analysis Process: explorer.exe PID: 3140 Parent PID: 548
General
Start time: 20:07:20
Start date: 13/10/2017
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
Imagebase: 0x774a0000
File size: 2972672 bytes
MD5 hash: 6DDCA324434FFA506CF7DC4E51DB7935
Programmed in: C, C++ or other language
File Activities
File Path Access Attributes Options Completion Count Source Address Symbol
File Path Offset Length Value Ascii Completion Count Source Address Symbol
Registry Activities
Key Path Name Type Data Completion Count Source Address Symbol
Disassembly
Code Analysis