paladin316

Exes_d6658152db170fbc7ba35a6593c4748d_jpg_2019-08-16_00_30.txt

Aug 15th, 2019
  1.  
  2. * MalFamily: ""
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_d6658152db170fbc7ba35a6593c4748d.jpg"
  7. * File Size: 1088688
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "7a171d59361ec314502b10f1ef43845ee2a4900476e9ddcdc55332b11e162d1f"
  10. * MD5: "d6658152db170fbc7ba35a6593c4748d"
  11. * SHA1: "308d2c819b370b55d03992351e52ceb56fca59b5"
  12. * SHA512: "429bd4dbb47b4010c4426d32414718d8e4ef9c0446f5d406a7bf110922fd85f46e40d73f8263c2f50aac38d836fe847e6b28ab5f1dfd1460ecfda9c4202281ce"
  13. * CRC32: "A371EA71"
  14. * SSDEEP: "24576:5/7TbYcDa6BSSEkmfSRmjNr0HmO0g9miDnP9GAK61MU8Hf:N7TajSENNO79FDPzp+b"
  15.  
  16. * Process Execution:
  17. "Exes_d6658152db170fbc7ba35a6593c4748d.jpg"
  18.  
  19.  
  20. * Executed Commands:
  21.  
  22. * Signatures Detected:
  23.  
  24. "Description": "Creates RWX memory",
  25. "Details":
  26.  
  27.  
  28. "Description": "A process attempted to delay the analysis task.",
  29. "Details":
  30.  
  31. "Process": "Exes_d6658152db170fbc7ba35a6593c4748d.jpg tried to sleep 461 seconds, actually delayed analysis time by 0 seconds"
  32.  
  33.  
  34.  
  35.  
  36. "Description": "Attempts to connect to a dead IP:Port (6 unique times)",
  37. "Details":
  38.  
  39. "IP": "50.7.74.174:443"
  40.  
  41.  
  42. "IP": "193.23.244.244:443"
  43.  
  44.  
  45. "IP": "128.31.0.39:9101"
  46.  
  47.  
  48. "IP": "23.239.113.101:443"
  49.  
  50.  
  51. "IP": "154.35.32.5:443"
  52.  
  53.  
  54. "IP": "45.66.32.45:443"
  55.  
  56.  
  57.  
  58.  
  59. "Description": "Starts servers listening on 127.0.0.1:59954",
  60. "Details":
  61.  
  62.  
  63. "Description": "Reads data out of its own binary image",
  64. "Details":
  65.  
  66. "self_read": "process: Exes_d6658152db170fbc7ba35a6593c4748d.jpg, pid: 2800, offset: 0x00000000, length: 0x00109cb0"
  67.  
  68.  
  69.  
  70.  
  71. "Description": "The binary likely contains encrypted or compressed data.",
  72. "Details":
  73.  
  74. "section": "name: .rdata, entropy: 7.99, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000d8800, virtual_size: 0x000d8794"
  75.  
  76.  
  77. "section": "name: .rsrc, entropy: 7.04, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00023000, virtual_size: 0x0011fea8"
  78.  
  79.  
  80.  
  81.  
  82. "Description": "Installs Tor on the infected machine",
  83. "Details":
  84.  
  85.  
  86. "Description": "Installs itself for autorun at Windows startup",
  87. "Details":
  88.  
  89. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem"
  90.  
  91.  
  92. "data": "\"C:\\ProgramData\\Windows\\csrss.exe\""
  93.  
  94.  
  95.  
  96.  
  97. "Description": "Collects information about installed applications",
  98. "Details":
  99.  
  100. "Program": "Google Update Helper"
  101.  
  102.  
  103.  
  104.  
  105. "Program": "Microsoft Excel MUI 2013"
  106.  
  107.  
  108. "Program": "Microsoft Outlook MUI 2013"
  109.  
  110.  
  111.  
  112.  
  113. "Program": "Google Chrome"
  114.  
  115.  
  116. "Program": "Adobe Flash Player 29 NPAPI"
  117.  
  118.  
  119. "Program": "Adobe Flash Player 29 ActiveX"
  120.  
  121.  
  122. "Program": "Microsoft DCF MUI 2013"
  123.  
  124.  
  125. "Program": "Microsoft Access MUI 2013"
  126.  
  127.  
  128. "Program": "Microsoft Office Proofing Tools 2013 - English"
  129.  
  130.  
  131. "Program": "Adobe Acrobat Reader DC"
  132.  
  133.  
  134. "Program": "Microsoft Publisher MUI 2013"
  135.  
  136.  
  137. "Program": "Microsoft Office Shared MUI 2013"
  138.  
  139.  
  140. "Program": "Microsoft Office OSM MUI 2013"
  141.  
  142.  
  143. "Program": "Microsoft InfoPath MUI 2013"
  144.  
  145.  
  146. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  147.  
  148.  
  149. "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
  150.  
  151.  
  152. "Program": "Microsoft Word MUI 2013"
  153.  
  154.  
  155. "Program": "Microsoft OneDrive"
  156.  
  157.  
  158. "Program": "Microsoft Groove MUI 2013"
  159.  
  160.  
  161. "Program": "Microsoft Office Proofing Tools 2013 - Español"
  162.  
  163.  
  164.  
  165.  
  166. "Program": "Microsoft Access Setup Metadata MUI 2013"
  167.  
  168.  
  169. "Program": "Microsoft Office OSM UX MUI 2013"
  170.  
  171.  
  172. "Program": "Java Auto Updater"
  173.  
  174.  
  175. "Program": "Microsoft PowerPoint MUI 2013"
  176.  
  177.  
  178. "Program": "Microsoft Office Professional Plus 2013"
  179.  
  180.  
  181. "Program": "Adobe Refresh Manager"
  182.  
  183.  
  184. "Program": "Microsoft Office Proofing 2013"
  185.  
  186.  
  187. "Program": "Microsoft Lync MUI 2013"
  188.  
  189.  
  190.  
  191.  
  192. "Program": "Microsoft OneNote MUI 2013"
  193.  
  194.  
  195.  
  196.  
  197. "Description": "Creates a hidden or system file",
  198. "Details":
  199.  
  200. "file": "C:\\ProgramData\\Windows\\"
  201.  
  202.  
  203.  
  204.  
  205. "Description": "Creates a copy of itself",
  206. "Details":
  207.  
  208. "copy": "C:\\ProgramData\\Windows\\csrss.exe"
  209.  
  210.  
  211.  
  212.  
  213. "Description": "Harvests information related to installed mail clients",
  214. "Details":
  215.  
  216. "file": "C:\\Users\\user\\Documents\\Outlook Files\\Outlook.pst"
  217.  
  218.  
  219.  
  220.  
  221. "Description": "Anomalous binary characteristics",
  222. "Details":
  223.  
  224. "anomaly": "Actual checksum does not match that reported in PE header"
  225.  
  226.  
  227.  
  228.  
  229. "Description": "Created network traffic indicative of malicious activity",
  230. "Details":
  231.  
  232. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 501"
  233.  
  234.  
  235. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 285"
  236.  
  237.  
  238. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 477"
  239.  
  240.  
  241. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 375"
  242.  
  243.  
  244.  
  245.  
  246.  
  247. * Started Service:
  248.  
  249. * Mutexes:
  250.  
  251. * Modified Files:
  252. "\\??\\PIPE\\wkssvc",
  253. "C:\\ProgramData\\Windows\\csrss.exe",
  254. "\\??\\PIPE\\srvsvc",
  255. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\lock",
  256. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
  257. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state",
  258. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus.tmp",
  259. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus",
  260. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-certs.tmp",
  261. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-certs",
  262. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus.tmp",
  263. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus",
  264. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdescs.new"
  265.  
  266.  
  267. * Deleted Files:
  268. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
  269. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus.tmp",
  270. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-certs.tmp",
  271. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus",
  272. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus.tmp"
  273.  
  274.  
  275. * Modified Registry Keys:
  276. "HKEY_LOCAL_MACHINE\\SOFTWARE\\System32\\Configuration\\",
  277. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xi",
  278. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem",
  279. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xVersion"
  280.  
  281.  
  282. * Deleted Registry Keys:
  283.  
  284. * DNS Communications:
  285.  
  286. * Domains:
  287.  
  288. * Network Communication - ICMP:
  289.  
  290. * Network Communication - HTTP:
  291.  
  292. * Network Communication - SMTP:
  293.  
  294. * Network Communication - Hosts:
  295.  
  296. * Network Communication - IRC: