- * MalFamily: ""
- * MalScore: 10.0
- * File Name: "Exes_d6658152db170fbc7ba35a6593c4748d.jpg"
- * File Size: 1088688
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "7a171d59361ec314502b10f1ef43845ee2a4900476e9ddcdc55332b11e162d1f"
- * MD5: "d6658152db170fbc7ba35a6593c4748d"
- * SHA1: "308d2c819b370b55d03992351e52ceb56fca59b5"
- * SHA512: "429bd4dbb47b4010c4426d32414718d8e4ef9c0446f5d406a7bf110922fd85f46e40d73f8263c2f50aac38d836fe847e6b28ab5f1dfd1460ecfda9c4202281ce"
- * CRC32: "A371EA71"
- * SSDEEP: "24576:5/7TbYcDa6BSSEkmfSRmjNr0HmO0g9miDnP9GAK61MU8Hf:N7TajSENNO79FDPzp+b"
- * Process Execution:
- "Exes_d6658152db170fbc7ba35a6593c4748d.jpg"
- * Executed Commands:
- * Signatures Detected:
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "Exes_d6658152db170fbc7ba35a6593c4748d.jpg tried to sleep 461 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Attempts to connect to a dead IP:Port (6 unique times)",
- "Details":
- "IP": "50.7.74.174:443"
- "IP": "193.23.244.244:443"
- "IP": "128.31.0.39:9101"
- "IP": "23.239.113.101:443"
- "IP": "154.35.32.5:443"
- "IP": "45.66.32.45:443"
- "Description": "Starts servers listening on 127.0.0.1:59954",
- "Details":
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: Exes_d6658152db170fbc7ba35a6593c4748d.jpg, pid: 2800, offset: 0x00000000, length: 0x00109cb0"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rdata, entropy: 7.99, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000d8800, virtual_size: 0x000d8794"
- "section": "name: .rsrc, entropy: 7.04, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00023000, virtual_size: 0x0011fea8"
- "Description": "Installs Tor on the infected machine",
- "Details":
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem"
- "data": "\"C:\\ProgramData\\Windows\\csrss.exe\""
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft OneDrive"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - Español"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Java Auto Updater"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\ProgramData\\Windows\\"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\ProgramData\\Windows\\csrss.exe"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "file": "C:\\Users\\user\\Documents\\Outlook Files\\Outlook.pst"
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 501"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 285"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 477"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 375"
- * Started Service:
- * Mutexes:
- * Modified Files:
- "\\??\\PIPE\\wkssvc",
- "C:\\ProgramData\\Windows\\csrss.exe",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\lock",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-certs.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-certs",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdescs.new"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-certs.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus.tmp"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\System32\\Configuration\\",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xi",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xVersion"
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: