ID: 4299 Sample Name: Trojan-Banker.Win32.Generic_002.malware Cookbook: default.jbs Time: 14:04:33 Date: 17/01/2018 Version: 20.0.0

Table of Contents

Analysis Report
  Overview
    Information
    Detection
    Confidence
    Classification
  Signature Overview
    AV Detection
    Networking
    Data Obfuscation
    System Summary
    Anti Debugging
    Malware Analysis System Evasion
  Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus Detection
    Initial Sample
    Dropped Files
    Domains
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    Dropped Files
  Screenshot
  Startup
  Created / dropped Files
  Contacted Domains/Contacted IPs
    Contacted Domains
    Contacted IPs
  Static File Info
    File Icon
    Static PE Info
    Entrypoint Preview
    Data Directories
    Sections
    Imports
    Exports
  Network Behavior
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: loaddll32.exe PID: 310 Parent PID: 24
      File Activities
        File Written
    Analysis Process: rundll32.exe PID: 3116 Parent PID: 310
    Analysis Process: rundll32.exe PID: 3124 Parent PID: 310
    Analysis Process: rundll32.exe PID: 3132 Parent PID: 310
  Disassembly
    Code Analysis

Copyright Joe Security LLC 2018

Analysis Report

Overview

Information
  Joe Sandbox Version: 20.0.0
  Analysis ID: 4299
  Start time: 14:04:33
  Joe Sandbox Product: CloudBasic
  Start date: 17.01.2018
  Overall analysis duration: 0h 1m 24s
  Hypervisor based Inspection enabled: false
  Report type: light
  Sample file name: Trojan-Banker.Win32.Generic_002.malware (renamed file extension from malware to dll)
  Cookbook file name: default.jbs
  Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
  Number of new started processes analysed: 5
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: HCA enabled, EGA enabled, HDC enabled
  Detection: MAL
  Classification: mal60.evad.windll@7/1@0/0
  HCA Information: Successful ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
  EGA Information: Failed
  HDC Information: Failed
  Cookbook Comments: Stop behavior analysis, all processes terminated
  Warnings: Exclude process from analysis (whitelisted): dllhost.exe

Detection
  Strategy: Threshold
  Score: 60
  Range: 0-100
  Reporting: Report FP / FN

Confidence
  Strategy: Threshold
  Score: 5
  Range: 0-5
  Further Analysis Required?: false

Classification
  (Radar chart; axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; rings: malicious, suspicious, clean.)

Signature Overview

AV Detection:
  Antivirus detection for submitted file
Networking:
  Urls found in memory or binary data
Data Obfuscation:
  Entry point lies outside standard sections
  PE file contains sections with non-standard names
  Binary contains a suspicious time stamp
System Summary:
  PE file has a high image base often used for DLLs
  Submission file is bigger than most known malware samples
  PE file has a big raw section
  Classification label
  Reads software policies
  Runs a DLL by calling functions
  Sample is known by Antivirus (Virustotal or Metascan)
  Spawns processes
  PE file contains more sections than normal
Anti Debugging:
  Program does not show much activity (idle)
Malware Analysis System Evasion:
  Program does not show much activity (idle)
  Tries to detect sandboxes and other dynamic analysis tools (process name)

Behavior Graph

Behavior Graph ID: 4299
Sample: Trojan-Banker.Win32.Generic_002.malware
Startdate: 17/01/2018
Architecture: WINDOWS
Score: 60

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C C++ or other language, Is malicious

Graph:
  loaddll32.exe
    signatures: Antivirus detection for submitted file; PE file contains more sections than normal; Tries to detect sandboxes and other dynamic analysis tools (process name); Binary contains a suspicious time stamp
    started rundll32.exe
    started rundll32.exe
    started rundll32.exe

Simulations

Behavior and APIs
  Time      Type             Description
  14:05:14  API Interceptor  3x Sleep call for process: loaddll32.exe modified from: 3000ms to: 100ms

Antivirus Detection

Initial Sample
  Source                              Detection  Cloud Link
  Trojan-Banker.Win32.Generic_00.dll  69%        virustotal

Dropped Files
  No Antivirus matches

Domains
  No Antivirus matches

Yara Overview
  Initial Sample: No yara matches
  PCAP (Network Traffic): No yara matches
  Dropped Files: No yara matches
  Memory Dumps: No yara matches
  Unpacked PEs: No yara matches

Joe Sandbox View / Context
  IPs: No context
  Domains: No context
  ASN: No context
  Dropped Files: No context

Screenshot
  (screenshot image not reproduced in this transcription)

Startup
  System is w7
  loaddll32.exe (PID: 310 cmdline: loaddll32.exe 'C:\Users\user\Desktop\Trojan-Banker.Win32.Generic_002.dll' MD5: D2792A55032CFE25F07DCD4BEC5F40F)
    rundll32.exe (PID: 3116 cmdline: rundll32.exe C:\Users\user\Desktop\Trojan-Banker.Win32.Generic_002.dll,CryptUIWizExport MD5: C64901695E275CF2AD04B67A6CE2)
    rundll32.exe (PID: 3124 cmdline: rundll32.exe C:\Users\user\Desktop\Trojan-Banker.Win32.Generic_002.dll,DllMain@12 MD5: C64901695E275CF2AD04B67A6CE2)
    rundll32.exe (PID: 3132 cmdline: rundll32.exe C:\Users\user\Desktop\Trojan-Banker.Win32.Generic_002.dll,GetName MD5: C64901695E275CF2AD04B67A6CE2)
  cleanup

Created / dropped Files
  unknown
    File Type: ASCII text with CRLF line terminators
    Size (bytes): 412
    Entropy (bit): 5.0434540032492565
    Encrypted: false
    MD5: A7DAC900BF25DE2CCBBFB699657A47E
    SHA1: 0A7DD0413CDAB35DF77C2BED66E4C50945494
    SHA-256 and SHA-512 (printed as one run; the boundary between the two digests is not legible): 4464A2FD2CABE4FBFC0D77EB04D6563EB150D96BAAA4034E7B9CFC9F404FD95BF2DB3CADF6F7214C2FCB43674B3A1AA449D145F9002BD4BCE9E9D17CDEC99147EBF5B69C949B4ED240FB44F37290C47BF696596EB4C661AD
    Malicious: false
    Reputation: low

Contacted Domains/Contacted IPs
  Contacted Domains: No contacted domains info
  Contacted IPs: No contacted IP infos

Static File Info
  File type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
  Entropy (bit): 7.794364772777
  TrID:
    Win32 Dynamic Link Library (generic) (1002004/3)      99.45%
    Generic Win/DOS Executable (2004/3)                    0.20%
    DOS Executable Generic (2002/1)                        0.20%
    Java Script embedded in Visual Basic Script (1500/0)   0.15%
    VXD Driver (31/22)                                     0.00%
  File name: Trojan-Banker.Win32.Generic_00.dll
  File size: 3210240
  MD5: 73d702311bc94d7cdbfb99d07bf7405c
  SHA1: 392edadc7cc722b565cdc5953ea42c45a33
  SHA256: d7db3daada125199effeb6421316aa4e6e15fb0d1c1f9446e46d0d12ce43136
  SHA512: a1fa63ee37e4e31163701b04f5fca70ed29cff3a099ca4475f93f45c0fed50fa1edb15606da6f75470dc29ff7b46be7d59136c3db30723f29740636c5ae
  File Content Preview: MZ...@...!..L.!This program cannot be run in DOS mode...$...pe..l...un...#...6...t1...0...$h...1......1......p..u..

File Icon
  (icon image not reproduced in this transcription)

Static PE Info
  Entrypoint: 0x6555402
  Entrypoint Section: .aea1
  Digitally signed: false
  Imagebase: 0x6240000
  Subsystem: windows cui
  Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, DEBUG_STRIPPED, LINE_NUMS_STRIPPED
  DLL Characteristics: (none listed)
  Time Stamp: 0x6E755F5F [Thu Sep 21 21:51:27 2028 UTC]
  TLS Callbacks: 0x65492b2, 0x624160, 0x624110
  CLR (.Net) Version: (none)
  OS Version Major: 5
  OS Version Minor: 0
  File Version Major: 5
  File Version Minor: 0
  Subsystem Version Major: 5
  Subsystem Version Minor: 0
  Import Hash: f49f2167f2d462ea27ca05930d46

Entrypoint Preview
  Instruction
    jmp 00007FD52105B5AAh
    clc
    mov eax, dword ptr [0000002Dh]
    jmp 00007FD52104E61Bh

Data Directories
  Name                                  Virtual Address  Virtual Size  Is in Section
  IMAGE_DIRECTORY_ENTRY_EXPORT          0x7000           0x75          .edata
  IMAGE_DIRECTORY_ENTRY_IMPORT          0x306500         0xb4          .aea1
  IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
  IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
  IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
  IMAGE_DIRECTORY_ENTRY_BASERELOC       0x316000         0x1e5c        .reloc
  IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
  IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
  IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
  IMAGE_DIRECTORY_ENTRY_TLS             0x3106b0         0x2           .aea1
  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
  IMAGE_DIRECTORY_ENTRY_IAT             0x305000         0x (value not legible)  .aea1
  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
  IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

  Name      Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type                             Entropy        Characteristics
  .text     0x1000           0x15a4        0x1600    False     0.599431112      data                                  6.14539490241  IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  .data     0x3000           0x1c          0x200     False     0.064453125      AIX core file fulldump 32-bit 64-bit  0.3020214397   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .rdata    0x4000           0x5f0         0x600     False     0.2109375        data                                  5.202317766    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .eh_fram  0x5000           0x7d0         0x800     False     0.411132125      data                                  4.5911733721   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .bss      0x6000           0x3c          0x0       False     0                empty                                 0.0            IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .edata    0x7000           0x75          0x200     False     0.1992175        data                                  1.2197462497   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
  .idata    0x8000           0x4e0         0x600     False     0.729166666667   data                                  6.2279015317   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .CRT      0x9000           0x2c          0x200     False     0.054675         data                                  0.19763312135  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .tls      0xa000           0x20          0x200     False     0.0559375        data                                  0.27015607312  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  .aea0     0xb000           0x2c4fa3      0x2c5000  unknown   unknown          unknown                               unknown        IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  .aea1     0x2d0000         0x45420       0x45600   False     0.70463541667    data                                  6.71694637253  IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
  .reloc    0x316000         0x1e5c        0x2000    False     0.640625         data                                  5.66522210345  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
  (The report additionally expands the alignment bits of each Characteristics field into IMAGE_SCN_ALIGN_* names; those are omitted above.)

Imports
  DLL           Import
  KERNEL32.dll  DeleteCriticalSection
  msvcrt.dll    dllonexit
  WTSAPI32.dll  WTSSendMessageW
  KERNEL32.dll  LoadLibraryA
  USER32.dll    CharUpperBuffW
  ADVAPI32.dll  RegQueryValueExA
  KERNEL32.dll  LocalAlloc, GetCurrentProcess, GetCurrentThread, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, GetLastError, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
  ADVAPI32.dll  OpenSCManagerW, EnumServicesStatusExW, OpenServiceW, QueryServiceConfigW, CloseServiceHandle

Exports
  Name              Ordinal  Address
  CryptUIWizExport  1        0x62415e0
  DllMain@12        2        0x6241700
  GetName           3        0x62415d0

Network Behavior
  No network behavior found

Code Manipulations

Statistics

Behavior
  (chart: loaddll32.exe, rundll32.exe, rundll32.exe, rundll32.exe)
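Several of the static signatures in the Signature Overview (Data Obfuscation and System Summary) follow directly from the header fields and section table above: the entry point 0x6555402 lands in .aea1, .aea0 and .aea1 are non-standard section names, the link time stamp is in 2028, the image base is 0x6240000, twelve sections are present and .aea0 alone is 0x2c5000 raw bytes. The block below is an added example, not Joe Sandbox code, that reimplements those checks over a minimal PE32 header parser. The thresholds (ten sections, a 2 MiB raw section, an image base above 0x00400000) and the list of standard section names are assumptions, and the input is a constructed header-only image that copies the report's header values and section table without any section bodies.

```python
"""Static PE triage checks of the kind listed under Data Obfuscation and System
Summary, reimplemented as an added example (not Joe Sandbox code). Thresholds
and the standard-section list are assumptions. The sample is a constructed
header-only PE32 image that copies the report's header fields and section table."""
import struct
import time

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".reloc",
                     ".rsrc", ".tls", ".CRT", ".pdata", ".xdata", ".eh_fram"}  # assumed list
IMAGE_FILE_DLL = 0x2000
SCN_CODE, SCN_IDATA, SCN_UDATA = 0x00000020, 0x00000040, 0x00000080
SCN_DISCARD, SCN_X, SCN_R, SCN_W = 0x02000000, 0x20000000, 0x40000000, 0x80000000


def parse_pe(data):
    """Parse the PE32 header fields the heuristics need (section bodies are never read)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsect, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase (PE32 layout)
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "flags": flags})
    return {"timestamp": timestamp, "characteristics": chars, "entry_rva": entry_rva,
            "image_base": image_base, "sections": sections}


def section_for_rva(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage(pe, now=None, max_sections=10, big_raw=0x200000):
    """Return the heuristic findings; `now` is the analysis time in epoch seconds."""
    now = time.time() if now is None else now
    findings = []
    ep = section_for_rva(pe, pe["entry_rva"])
    if ep is None or ep["name"] not in STANDARD_SECTIONS:
        findings.append("Entry point lies outside standard sections")
    odd = [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS]
    if odd:
        findings.append("PE file contains sections with non-standard names: " + ", ".join(odd))
    # A link time after the analysis time, or before 2000, cannot be a genuine linker stamp
    if pe["timestamp"] > now + 86400 or pe["timestamp"] < 946684800:
        findings.append("Binary contains a suspicious time stamp")
    if pe["characteristics"] & IMAGE_FILE_DLL and pe["image_base"] > 0x00400000:
        findings.append("PE file has a high image base often used for DLLs")
    if len(pe["sections"]) > max_sections:
        findings.append("PE file contains more sections than normal")
    if any(s["rawsize"] >= big_raw for s in pe["sections"]):
        findings.append("PE file has a big raw section")
    return findings


def build_sample():
    """Constructed header-only PE32 DLL mirroring the report's static PE info."""
    sections = [  # (name, virtual address, virtual size, raw size, characteristics)
        (".text", 0x1000, 0x15a4, 0x1600, SCN_CODE | SCN_IDATA | SCN_X | SCN_R),
        (".data", 0x3000, 0x1c, 0x200, SCN_IDATA | SCN_R | SCN_W),
        (".rdata", 0x4000, 0x5f0, 0x600, SCN_IDATA | SCN_R),
        (".eh_fram", 0x5000, 0x7d0, 0x800, SCN_IDATA | SCN_R),
        (".bss", 0x6000, 0x3c, 0x0, SCN_UDATA | SCN_R | SCN_W),
        (".edata", 0x7000, 0x75, 0x200, SCN_IDATA | SCN_R),
        (".idata", 0x8000, 0x4e0, 0x600, SCN_IDATA | SCN_R | SCN_W),
        (".CRT", 0x9000, 0x2c, 0x200, SCN_IDATA | SCN_R | SCN_W),
        (".tls", 0xa000, 0x20, 0x200, SCN_IDATA | SCN_R | SCN_W),
        (".aea0", 0xb000, 0x2c4fa3, 0x2c5000, SCN_CODE | SCN_IDATA | SCN_X | SCN_R),
        (".aea1", 0x2d0000, 0x45420, 0x45600, SCN_CODE | SCN_IDATA | SCN_X | SCN_R),
        (".reloc", 0x316000, 0x1e5c, 0x2000, SCN_IDATA | SCN_DISCARD | SCN_R),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header right after the DOS header
    opt_size = 224                                          # size of a PE32 optional header
    # i386, time stamp 0x6E755F5F (Sep 2028), characteristics as listed in the report
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x6E755F5F, 0, 0, opt_size, 0x230E)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x6555402 - 0x6240000)  # AddressOfEntryPoint as an RVA
    struct.pack_into("<I", opt, 28, 0x6240000)              # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va, rs, 0, 0, 0, 0, 0, fl)
                     for n, va, vs, rs, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    pe = parse_pe(build_sample())
    print("entry point RVA 0x%x lies in %s" % (pe["entry_rva"], section_for_rva(pe, pe["entry_rva"])["name"]))
    for finding in triage(pe, now=1516197873):  # 2018-01-17 14:04:33 UTC, the report's start time
        print("-", finding)
```

To run the checks on a real file, replace build_sample() with the file's bytes; only the headers are parsed, so the 2.9 MB .aea0 body is never touched. A useful extra check on this sample is to add up 0x400 bytes of headers and the raw sizes of all twelve sections: the total is 0x30FC00, exactly the reported file size of 3210240 bytes, so there is no overlay appended after the last section.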

System Behavior

Analysis Process: loaddll32.exe PID: 310 Parent PID: 24
  Start time: 14:05:14
  Start date: 17/01/2018
  Path: C:\Windows\System32\loaddll32.exe
  Wow64 process (32bit): false
  Commandline: loaddll32.exe 'C:\Users\user\Desktop\Trojan-Banker.Win32.Generic_002.dll'
  Imagebase: 0x774a0000
  File size: 112640 bytes
  MD5 hash: D2792A55032CFE25F07DCD4BEC5F40F
  Programmed in: C, C++ or other language
  Reputation: moderate

  File Activities

  File Written
    File Path: unknown
    Offset: unknown
    Length: 412
    Completion: success or wait
    Count: 1
    Source Address: 12DA7D2
    Symbol: WriteFile
    Value (hex, as printed; the dump is truncated): 46 6f 75 6e 64 3a 20 36 20 65 7 70 6f 72 74 73 2c 20 63 61 6c 6c 69 6e 67 0d 0a 43 61 6c 6c 20 65 7 70 6f 72 74 73 20 33 0d 0a 53 75 63 63 65 73 73 66 75 6c 6c 79 20 63 61 6c 6c 65 64 20 63 6d 64 20 6c 69 6e 65 20 72 75 6e 64 6c 6c 33 32 2e 65 7 65 20 43 3a 5c 55 73 65 72 73 5c 4 65 72 62 20 42 6c 61 63 6b 62 75 72 6e 5c 44 65 73 6b 74 6f 70 5c 54 72 6f 6a 61 6e 2d 42 61 6e 6b 65 72 2e 57 69 6e 33 32 2e 47 65 6e 65 72 69 63 5f 30 30 32 2e 64 6c 6c 2c 43 72 79 70 74 55 49 57 69 7a 45 7 70 6f 72 74 0d 0a 53 75 63 63 65 73 73 66 75 6c 6c 79 20 63 61 6c 6c 65 64 20 63 6d 64 20 6c 69 6e 65 20 72 75 6e 64 6c 6c 33 32 2e 65 7 65 20 43 3a 5c 55 73 65 72 73 5c 4 65 72 62 20 42 6c 61 63 6b 62 75 72 6e 5c 44 65 73 6b 74 6f 70 5c 54 72 6f 6a 61 6e 2d 42 61 6e
    Ascii: Found: 6 exports, calling..Call exports 3..Successfully called cmd line rundll32.exe C:\Users\user\desktop\trojan-Banker.Win32.Generic_002.dll,CryptUIWizExport..Successfully called cmd line rundll32.exe C:\Users\user\desktop\trojan-ban

Analysis Process: rundll32.exe PID: 3116 Parent PID: 310
  Start time: 14:05:14
  Start date: 17/01/2018
  Path: C:\Windows\System32\rundll32.exe
  Wow64 process (32bit): false
  Commandline: rundll32.exe C:\Users\user\Desktop\Trojan-Banker.Win32.Generic_002.dll,CryptUIWizExport
  Imagebase: 0x774a0000
  File size: 45056 bytes
  MD5 hash: C64901695E275CF2AD04B67A6CE2
  Programmed in: C, C++ or other language
  Reputation: moderate

Analysis Process: rundll32.exe PID: 3124 Parent PID: 310
  Start time: 14:05:15
  Start date: 17/01/2018
  Path: C:\Windows\System32\rundll32.exe
  Wow64 process (32bit): false
  Commandline: rundll32.exe C:\Users\user\Desktop\Trojan-Banker.Win32.Generic_002.dll,DllMain@12
  Imagebase: 0x774a0000
  File size: 45056 bytes
  MD5 hash: C64901695E275CF2AD04B67A6CE2
  Programmed in: C, C++ or other language
  Reputation: moderate

Analysis Process: rundll32.exe PID: 3132 Parent PID: 310
  Start time: 14:05:16
  Start date: 17/01/2018
  Path: C:\Windows\System32\rundll32.exe
  Wow64 process (32bit): false
  Commandline: rundll32.exe C:\Users\user\Desktop\Trojan-Banker.Win32.Generic_002.dll,GetName
  Imagebase: 0x75a90000
  File size: 45056 bytes
  MD5 hash: C64901695E275CF2AD04B67A6CE2
  Programmed in: C, C++ or other language
  Reputation: moderate

Disassembly

Code Analysis