
Threat Analysis Report

Summary

Threat Level: Malicious
File Name: resume.js
MD5 Hash Identifier: 3823D4BFB62D6D25A2D1101B23129B5A
SHA-1 Hash Identifier: BF981E3F4D820F7A9C0767DCC09241A301E813B6
SHA-256 Hash Identifier: EE2CBF07FA62C05DF732CBD6E53A3E86602EE510EFD01670979008FE61F9A078
File Size: 1163 bytes
File Type: ASCII text
File Submitted: 2015-11-06 09:25:54
Duration: 43 seconds
Sandbox Replication: 28 seconds

Engine Analysis

Engine                 Threat Name       Severity
GTI File Reputation    ---               Unverified
Gateway Anti-Malware   ---               Unverified
Anti-Malware           ---               Unverified
YARA Custom Rules
Sandbox                Malware.Dynamic   Very High

Final                                    Very High

Sample is malicious: final severity level 5

Behavior Classification

Networking                                                                                     Very High
Exploiting, Shellcode                                                                          High
Spreading                                                                                      Informational
Persistence, Installation Boot Survival                                                        Unverified
Hiding, Camouflage, Stealthiness, Detection and Removal Protection                             Unverified
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection    Unverified
Data spying, Sniffing, Keylogging, Ebanking Fraud                                              Unverified

Dynamic Analysis

Action                                                                                         Severity
Malware behavior: networking activities from non-executable file                               Very High
ATTENTION: connection made to a malicious website (see Web/URL reputation for details)         Very High
Detected suspicious Java Script content                                                        High
Attempted to download an active content from the internet                                      High
Connected to a specific service provider                                                       Low
Modified INTERNET_OPTION_CONNECT_RETRIES: number of times that WinInet attempts to resolve and connect to a host   Low
Cracks a URL into its component parts                                                          Informational
Read data from a handle opened on previous URL's request                                       Informational

GTI Web/URL Reputation

Connected Sites: 2

URL                      Port   Reputation       Category Name   Risk Group   Functional Group
46.30.43.183             80     Clean            ---             ---
46.30.43.183/SYRIA.EXE   80     High Malicious   Security Risk/Fraud/Crime Risk Sites

Processes Analyzed

Name        Reason                     Severity
resume.js   loaded by MATD Analyzer    Very High

resume.js

Run-Time Dlls: 2
advapi32.dll
kernel32.dll

File Operations: 6

Files Opened

File Name                                                            Access Mode   File Attributes
C:\Program Files\...\Temp\96000c70-e2cb-4da2-8c2f-1e872172121c.js    Read          8000000

Files Read

C:\Program Files\...\Temp\96000c70-e2cb-4da2-8c2f-1e872172121c.js
Reads data from a handle opened by the InternetOpenUrl, FtpOpenFile, or HttpOpenRequest function

Memory Mapped Files

Created a file that can be used for memory mapping

Other

Obtained the path of the Windows system directory
Retrieved the full path for the module

Registry Operations: 17

Registry Created

HKCU\Software\\\Settings
HKLM\Software\Microsoft\Windows Script Host\Settings

Registry Opened

HKCR\.js
HKCR\JSFile\ScriptEngine
HKCU\Software\Microsoft\Windows Script Host\Settings
HKLM\Software\Microsoft\Windows Script Host\Settings

Registry Read

HKCR\.js
HKCR\JSFile\ScriptEngine
HKCU\Software\Microsoft\Windows Script Host\Settings  DisplayLogo
HKCU\Software\Microsoft\Windows Script Host\Settings  Timeout
HKLM\Software\Microsoft\Windows Script Host\Settings  DisplayLogo
HKLM\Software\Microsoft\Windows Script Host\Settings  Enabled
HKLM\Software\Microsoft\Windows Script Host\Settings  IgnoreUserSettings
HKLM\Software\Microsoft\Windows Script Host\Settings  LogSecuritySuccesses
HKLM\Software\Microsoft\Windows Script Host\Settings  Timeout
HKLM\Software\Microsoft\Windows Script Host\Settings  TrustPolicy
HKLM\Software\Microsoft\Windows Script Host\Settings  UseWINSAFER

Process Operations: 11

Process Created

Process Name   Module
{00000323-0000-0000-C000-000000000046}
{0000032A-0000-0000-C000-000000000046}
{06290BD1-48AA-11D2-8432-006008C3FBFC}
{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
{6C736DB1-BD94-11D0-8A23-00AA00B58E10}
{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
{A47979D2-C419-11D9-A5B4-001185AD2B89}
{C39EE728-D419-4BD4-A3EF-EDA059DBD935}
{DCB00C01-570F-4A9B-8D69-199FDBA5723B}
{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}

Thread Created

392f25

Network Operations: 24

Other

Cracked the URL into its component parts: HTTP://46.30.43.183/SYRIA.EXE
Headers: , HeaderLength: 0, Optional: , OptionalLength: 0
Initialized the WinINet functions, Agent name: mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; wow64; /7.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e), Access type: PRECONFIG
Flags: PORT_NUMBER
Opened a HTTP or FTP session for a given site: 46.30.43.183
Retrieved header information associated with the HTTP request
Set an Internet option: 2
Set an Internet option: 2d
Set an Internet option: 3a
Set an Internet option: 3e
Set an Internet option: 41
Set an Internet option: 44
Set an Internet option: 5
Set an Internet option: 56
Set an Internet option: 58
Set an Internet option: 6
Set an Internet option: 64
Set an Internet option: 65
Set an Internet option: 66
Set an Internet option: 6c
Set an Internet option: 7a
Set an Internet option: 7b
Set an Internet option: 8c
Set an Internet option: 9b
Verb: get, ObjectName: /syria.exe, Version: , Referer: , Flags: 400000, Context: 5e2ec8

Analysis Environment

Microsoft Windows 7 Enterprise Edition Service Pack 1 (build 7601, version 6.1.7601), 64-bit
version: 9
Microsoft Office version: 2013
PDF Reader version: 9.0
No Flash player installed
Flash player plugin version: 13.0.0.231
Platform Version 3.4.8.96.50610

Copyright © 2015 McAfee, Inc., 2821 Mission College Blvd, Santa Clara, CA 95054, www.intelsecurity.com