DOCSLIB.ORG

Automated Malware Analysis Report for Oldnewexplorercfg.Exe

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Automated Malware Analysis Report for Oldnewexplorercfg.Exe ID: 152305 Sample Name: OldNewExplorerCfg.exe Cookbook: default.jbs Time: 03:48:12 Date: 15/07/2019 Version: 26.0.0 Aquamarine Table of Contents Table of Contents 2 Analysis Report OldNewExplorerCfg.exe 5 Overview 5 General Information 5 Detection 5 Confidence 6 Classification 6 Analysis Advice 6 Mitre Att&ck Matrix 7 Signature Overview 7 AV Detection: 7 Spreading: 7 Networking: 7 Key, Mouse, Clipboard, Microphone and Screen Capturing: 7 DDoS: 8 System Summary: 8 Data Obfuscation: 8 Hooking and other Techniques for Hiding and Protection: 8 Malware Analysis System Evasion: 8 Anti Debugging: 8 HIPS / PFW / Operating System Protection Evasion: 8 Language, Device and Operating System Detection: 8 Behavior Graph 9 Simulations 9 Behavior and APIs 9 Antivirus and Machine Learning Detection 9 Initial Sample 9 Dropped Files 9 Unpacked PE Files 9 Domains 10 URLs 10 Yara Overview 10 Initial Sample 10 PCAP (Network Traffic) 10 Dropped Files 10 Memory Dumps 10 Unpacked PEs 10 Joe Sandbox View / Context 10 IPs 10 Domains 10 ASN 10 JA3 Fingerprints 10 Dropped Files 10 Screenshots 10 Thumbnails 11 Startup 11 Created / dropped Files 12 Domains and IPs 12 Contacted Domains 12 URLs from Memory and Binaries 12 Contacted IPs 12 Static File Info 12 General 12 File Icon 13 Static PE Info 13 General 13 Entrypoint Preview 13 Data Directories 14 Sections 14 Copyright Joe Security LLC 2019 Page 2 of 27 Resources 14 Imports 15 Version Infos 16 Possible Origin 16 Network Behavior 17 Code Manipulations 17 Statistics 17 Behavior 17 System Behavior 17 Analysis Process: OldNewExplorerCfg.exe PID: 3760 Parent PID: 4364 18 General 18 File Activities 18 Analysis Process: regsvr32.exe PID: 2884 Parent PID: 3760 18 General 18 Analysis Process: regsvr32.exe PID: 4220 Parent PID: 3760 18 General 18 Analysis Process: regsvr32.exe PID: 1708 Parent PID: 3760 18 General 19 Analysis Process: regsvr32.exe PID: 4572 Parent PID: 3760 19 General 19 Analysis Process: regsvr32.exe PID: 4588 Parent PID: 3760 19 General 19 Analysis Process: regsvr32.exe PID: 1832 Parent PID: 3760 19 General 19 Analysis Process: regsvr32.exe PID: 5056 Parent PID: 3760 20 General 20 Analysis Process: regsvr32.exe PID: 4428 Parent PID: 3760 20 General 20 Analysis Process: regsvr32.exe PID: 2888 Parent PID: 3760 20 General 20 Analysis Process: regsvr32.exe PID: 4464 Parent PID: 3760 20 General 20 Analysis Process: regsvr32.exe PID: 1596 Parent PID: 3760 21 General 21 Analysis Process: regsvr32.exe PID: 2808 Parent PID: 3760 21 General 21 Analysis Process: regsvr32.exe PID: 3752 Parent PID: 3760 21 General 21 Analysis Process: regsvr32.exe PID: 3016 Parent PID: 3760 22 General 22 Analysis Process: regsvr32.exe PID: 4460 Parent PID: 3760 22 General 22 Analysis Process: regsvr32.exe PID: 2500 Parent PID: 3760 22 General 22 Analysis Process: regsvr32.exe PID: 228 Parent PID: 3760 22 General 22 Analysis Process: regsvr32.exe PID: 2440 Parent PID: 3760 23 General 23 Analysis Process: regsvr32.exe PID: 4288 Parent PID: 3760 23 General 23 Analysis Process: regsvr32.exe PID: 1876 Parent PID: 3760 23 General 23 Analysis Process: regsvr32.exe PID: 2128 Parent PID: 3760 23 General 24 Analysis Process: regsvr32.exe PID: 4716 Parent PID: 3760 24 General 24 Analysis Process: regsvr32.exe PID: 2212 Parent PID: 3760 24 General 24 Analysis Process: regsvr32.exe PID: 5060 Parent PID: 3760 24 General 24 Analysis Process: regsvr32.exe PID: 2720 Parent PID: 3760 25 General 25 Analysis Process: regsvr32.exe PID: 3536 Parent PID: 3760 25 General 25 Analysis Process: regsvr32.exe PID: 3828 Parent PID: 3760 25 General 25 Analysis Process: regsvr32.exe PID: 4648 Parent PID: 3760 25 Copyright Joe Security LLC 2019 Page 3 of 27 General 25 Analysis Process: regsvr32.exe PID: 4500 Parent PID: 3760 26 General 26 Analysis Process: regsvr32.exe PID: 3736 Parent PID: 3760 26 General 26 Analysis Process: regsvr32.exe PID: 2772 Parent PID: 3760 26 General 26 Analysis Process: regsvr32.exe PID: 3460 Parent PID: 3760 26 General 26 Analysis Process: regsvr32.exe PID: 2600 Parent PID: 3760 27 General 27 Disassembly 27 Code Analysis 27 Copyright Joe Security LLC 2019 Page 4 of 27 Analysis Report OldNewExplorerCfg.exe Overview General Information Joe Sandbox Version: 26.0.0 Aquamarine Analysis ID: 152305 Start date: 15.07.2019 Start time: 03:48:12 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 7m 11s Hypervisor based Inspection enabled: false Report type: light Sample file name: OldNewExplorerCfg.exe Cookbook file name: default.jbs Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113 Number of analysed new started processes analysed: 41 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis stop reason: Timeout Detection: MAL Classification: mal48.winEXE@96/0@0/0 EGA Information: Successful, ratio: 100% HDC Information: Successful, ratio: 99.7% (good quality ratio 87%) Quality average: 75.2% Quality standard deviation: 34.2% HCA Information: Failed Cookbook Comments: Adjust boot time Enable AMSI Found application associated with file extension: .exe Warnings: Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, WmiPrvSE.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Detection Strategy Score Range Reporting Whitelisted Detection Threshold 48 0 - 100 false Copyright Joe Security LLC 2019 Page 5 of 27 Confidence Strategy Score Range Further Analysis Required? Confidence Threshold 5 0 - 5 false Classification Ransomware Miner Spreading mmaallliiiccciiioouusss malicious Evader Phishing sssuusssppiiiccciiioouusss suspicious cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Analysis Advice Copyright Joe Security LLC 2019 Page 6 of 27 Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior Mitre Att&ck Matrix Privilege Credential Lateral Command Initial Access Execution Persistence Escalation Defense Evasion Access Discovery Movement Collection Exfiltration and Control Valid Accounts Windows New Exploitation for Software Packing 1 Input System Time Application Screen Data Standard Remote Service 1 Privilege Capture 1 1 Discovery 1 Deployment Capture 1 Encrypted 1 Cryptographic Management Escalation 1 Software Protocol 1 Replication Service Port Monitors Process Process Injection 1 Network Process Remote Input Exfiltration Fallback Through Execution Injection 1 Sniffing Discovery 1 Services Capture 1 1 Over Other Channels Removable Network Media Medium Drive-by Windows Accessibility New Service 1 Deobfuscate/Decode Input Capture Application Windows Data from Automated Custom Compromise Management Features Files or Window Remote Network Exfiltration Cryptographic Instrumentation Information 1 Discovery 1 Management Shared Drive Protocol Exploit Public- Scheduled Task System DLL Search Obfuscated Files or Credentials in Security Logon Scripts Input Capture Data Encrypted Multiband Facing Firmware Order Hijacking Information 2 Files Software Communication Application Discovery 1 1 Spearphishing Command-Line Shortcut File System DLL Side- Account File and Shared Data Staged Scheduled Standard Link Interface Modification Permissions Loading 1 Manipulation Directory Webroot Transfer Cryptographic Weakness Discovery 2 Protocol Spearphishing Graphical User Modify New Service DLL Search Order Brute Force System Third-party Screen Data Transfer Commonly Attachment Interface Existing Hijacking Information Software Capture Size Limits Used Port Service Discovery 2 4 Signature Overview • AV Detection • Spreading • Networking • Key, Mouse, Clipboard, Microphone and Screen Capturing • DDoS • System Summary • Data Obfuscation • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection Click to jump to signature section AV Detection: Antivirus or Machine Learning detection for unpacked file Spreading: Contains functionality to enumerate / list files inside a directory Networking: Urls found in memory or binary data Key, Mouse, Clipboard, Microphone and Screen Capturing: Copyright Joe Security LLC 2019 Page 7 of 27 Contains functionality to record screenshots Contains functionality to retrieve information about pressed keystrokes DDoS: Too many similar processes found System Summary: Detected potential crypto function Found potential string decryption / allocating functions PE file contains strange resources Sample file is different than original file name gathered from version info Tries to load missing DLLs Classification label Contains functionality for error logging Contains functionality to check free disk space Contains functionality to load and extract PE file embedded resources Parts of this applications are using Borland Delphi (Probably coded in Delphi) Reads ini files Reads software policies Spawns processes Uses an in-process (OLE) Automation server Executable
Load more

Recommended publications
  • Powerview Command Reference
    PowerView Command Reference TRACE32 Online Help TRACE32 Directory TRACE32 Index TRACE32 Documents ...................................................................................................................... PowerView User Interface ............................................................................................................ PowerView Command Reference .............................................................................................1 History ...................................................................................................................................... 12 ABORT ...................................................................................................................................... 13 ABORT Abort driver program 13 AREA ........................................................................................................................................ 14 AREA Message windows 14 AREA.CLEAR Clear area 15 AREA.CLOSE Close output file 15 AREA.Create Create or modify message area 16 AREA.Delete Delete message area 17 AREA.List Display a detailed list off all message areas 18 AREA.OPEN Open output file 20 AREA.PIPE Redirect area to stdout 21 AREA.RESet Reset areas 21 AREA.SAVE Save AREA window contents to file 21 AREA.Select Select area 22 AREA.STDERR Redirect area to stderr 23 AREA.STDOUT Redirect area to stdout 23 AREA.view Display message area in AREA window 24 AutoSTOre ..............................................................................................................................
    [Show full text]
  • Blue Coat SGOS Command Line Interface Reference, Version 4.2.3
    Blue Coat® Systems ProxySG™ Command Line Interface Reference Version SGOS 4.2.3 Blue Coat ProxySG Command Line Interface Reference Contact Information Blue Coat Systems Inc. 420 North Mary Ave Sunnyvale, CA 94085-4121 http://www.bluecoat.com/support/contact.html [email protected] http://www.bluecoat.com For concerns or feedback about the documentation: [email protected] Copyright© 1999-2006 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of Blue Coat Systems, Inc. All right, title and interest in and to the Software and documentation are and shall remain the exclusive property of Blue Coat Systems, Inc. and its licensors. ProxySG™, ProxyAV™, CacheOS™, SGOS™, Spyware Interceptor™, Scope™, RA Connector™, RA Manager™, Remote Access™ are trademarks of Blue Coat Systems, Inc. and CacheFlow®, Blue Coat®, Accelerating The Internet®, WinProxy®, AccessNow®, Ositis®, Powering Internet Management®, The Ultimate Internet Sharing Solution®, Permeo®, Permeo Technologies, Inc.®, and the Permeo logo are registered trademarks of Blue Coat Systems, Inc. All other trademarks contained in this document and in the Software are the property of their respective owners. BLUE COAT SYSTEMS, INC. DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL BLUE COAT SYSTEMS, INC., ITS SUPPLIERS OR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF BLUE COAT SYSTEMS, INC.
    [Show full text]
  • Your Guide to Installing and Using Coastal Explorer EXPLORING COASTAL EXPLORER Version 4
    EXPLORING COASTAL EXPLORER Your guide to installing and using Coastal Explorer EXPLORING COASTAL EXPLORER Version 4 Your guide to installing and using Coastal Explorer Copyright © 2017 Rose Point Navigation Systems. All rights reserved. Rose Point Navigation Systems, Coastal Explorer, and Coastal Explorer Network are trademarks of Rose Point Navigation Systems. The names of any other companies and/or products mentioned herein may be the trademarks of their respective owners. WARNINGS: Use Coastal Explorer at your own risk. Be sure to carefully read and understand the user's manual and practice operation prior to actual use. Coastal Explorer depends on information from the Global Position System (GPS) and digital charts, both of which may contain errors. Navigators should be aware that GPS- derived positions are often of higher accuracy than the positions of charted data. Rose Point Navigation Systems does not warrant the accuracy of any information presented by Coastal Explorer. Coastal Explorer is intended to be used as a supplementary aid to navigation and must not be considered a replacement for official government charts, notices to mariners, tide and current tables, and/or other reference materials. The captain of a vessel is ultimately responsible for its safe navigation and the prudent mariner does not rely on any single source of information. The information in this manual is subject to change without notice. Rose Point Navigation Systems 18005 NE 68th Street Suite A100 Redmond, WA 98052 Phone: 425-605-0985 Fax: 425-605-1285 e-mail: [email protected] www.rosepoint.com Welcome to Coastal Explorer Thank you for choosing Coastal Explorer! If you are new to navigation software, but use a computer for anything else, you will find that Coastal Explorer works just like many other Windows applications: you create documents, edit them, save them, print them, etc.
    [Show full text]
  • VNC User Guide 7 About This Guide
    VNC® User Guide Version 5.3 December 2015 Trademarks RealVNC, VNC and RFB are trademarks of RealVNC Limited and are protected by trademark registrations and/or pending trademark applications in the European Union, United States of America and other jursidictions. Other trademarks are the property of their respective owners. Protected by UK patent 2481870; US patent 8760366 Copyright Copyright © RealVNC Limited, 2002-2015. All rights reserved. No part of this documentation may be reproduced in any form or by any means or be used to make any derivative work (including translation, transformation or adaptation) without explicit written consent of RealVNC. Confidentiality All information contained in this document is provided in commercial confidence for the sole purpose of use by an authorized user in conjunction with RealVNC products. The pages of this document shall not be copied, published, or disclosed wholly or in part to any party without RealVNC’s prior permission in writing, and shall be held in safe custody. These obligations shall not apply to information which is published or becomes known legitimately from some source other than RealVNC. Contact RealVNC Limited Betjeman House 104 Hills Road Cambridge CB2 1LQ United Kingdom www.realvnc.com Contents About This Guide 7 Chapter 1: Introduction 9 Principles of VNC remote control 10 Getting two computers ready to use 11 Connectivity and feature matrix 13 What to read next 17 Chapter 2: Getting Connected 19 Step 1: Ensure VNC Server is running on the host computer 20 Step 2: Start VNC
    [Show full text]
  • Implementation of Clipboard Security Using Cryptographic Techniques
    International Journal of Computer Applications (0975 – 8887) Volume 86 – No 6, January 2014 Implementation of Clipboard Security using Cryptographic Techniques Gaurav Pathak Gaurav Kumar Tak Department of Computer Department of Computer Science and Engineering Science and Engineering Lovely Professional University Lovely Professional University Phagwara, India Phagwara, India ABSTRACT looking malicious content. So security to clipboard content is In the present scenario malicious authors are rapidly growing issue of concern and need to enhance the functionality of and now other than internet users they are also targeting the operating system by which we can protect our clipboard data loophole in operating system application level security. from being got watched. Transferring data between applications is common user From the study of recent papers and market reports, clipboard activity. Since data in a clipboard is freely delivered between security becomes important issue of concern in data security. arbitrary programs capable of using a format of the data, a According to the google forum [6] there is being the great simple text, a rich text, a picture, and information having a threat to the clipboard security in which they talk about particular format may be delivered between programs capable ClipNote that can monitor the system clipboard of using such information. Information delivery made and collect all clipboard entries. That ClipNote application between programs through a clipboard is undoubtedly an does not require any special permission to run. That means efficient method of properly using a multitasking function of any malware can steal passwords by just monitoring the an operating system, but as the security of important data is system clipboard in the background, which become great increasingly demanded, data transmitted between independent threat to the client’s system.
    [Show full text]
  • Gotomypc® User Guide
    GoToMyPC® User Guide GoToMyPC GoToMyPC Pro GoToMyPC Corporate Citrix Online 6500 Hollister Avenue • Goleta CA 93117 +1-805-690-6400 • Fax: +1-805-690-6471 © 2009 Citrix Online, LLC. All rights reserved. GoToMyPC® User Guide Contents Welcome ........................................................................................... 4 Getting Started .................................................................................. 1 System Requirements ....................................................................... 1 Notes on Installation and Feature Access ............................................. 1 Versions of GoToMyPC ...................................................................... 1 Mac Users .................................................................................... 1 Upgrade Information ......................................................................... 2 Useful GoToMyPC Terms .................................................................... 4 Features ......................................................................................... 5 Set Up a Host Computer .................................................................... 6 Create Your Account (first-time users) .............................................. 6 Set Up a Host PC ........................................................................... 7 Leaving the Host Computer Accessible................................................. 8 Managing Billing and Account Information ........................................ 9 Change Your
    [Show full text]
  • Cheatsheet V2.4.Pdf
    ! ! 2.4!Edition! Cross!reference!processes!with!various!lists:! Scan!a!block!of!code!in!process!or!kernel!memory! psxview! for!imported!APIs:! ! impscan!! Show!processes!in!parent/child!tree:! !!!!Hp/HHpid=PID!!!!!!!!!Process!ID!! pstree! !!!!Hb/HHbase=BASE!!!Base!address!to!scan! & !!!!Hs/HHsize=SIZE!!!!!!!Size!to!scan!from!start!of!base! Process&Information& ! ! Logs&/&Histories& Specify!–o/HHoffset=OFFSET!or!Hp/HHpid=1,2,3!! ! ! Recover!event!logs!(XP/2003):! Display!DLLs:! evtlogs!! ! ! dlllist! !!!!HS/HHsaveHevt!!!!!!!!!!!!!!!!!!!!Save!raw!event!logs! Development!build!and!wiki:! ! !!!!HD/HHdumpHdir=PATH!!!Write!to!this!directory! github.com/volatilityfoundation!! Show!command!line!arguments:! ! ! cmdline! Recover!command!history:! Download!a!stable!release:! ! cmdscan!and!consoles!! volatilityfoundation.org!! Display!details!on!VAD!allocations:! ! ! vadinfo![HHaddr]! Recover!IE!cache/Internet!history:! Read!the!book:! ! iehistory!! artofmemoryforensics.com! Dump!allocations!to!individual!files:! ! ! vaddump!HHdumpHdir=PATH![HHbase]! Show!running!services:! Development!Team!Blog:! ! svcscan!! http://volatilityHlabs.blogspot.com!! Dump!all!valid!pages!to!a!single!file:! !!!!Hv/HHverbose!!!!Show!ServiceDll!from!registry! ! memdump!HHdumpHdir=PATH! ! (Official)!Training!Contact:! ! Networking&Information& Display!open!handles:! [email protected]!! ! handles!! ! Active!info!(XP/2003):! !!!!Ht/HHobjectHtype=TYPE!!!Mutant,!File,!Key,!etc…! Follow:!@volatility! connections!and!sockets!! !!!!Hs/HHsilent!!!!!!!!!!!!!!!!!!!!!!!!!!!Hide!unnamed!handles!
    [Show full text]
  • Secrets of Powershell Remoting
    Secrets of PowerShell Remoting The DevOps Collective, Inc. This book is for sale at http://leanpub.com/secretsofpowershellremoting This version was published on 2018-10-28 This is a Leanpub book. Leanpub empowers authors and publishers with the Lean Publishing process. Lean Publishing is the act of publishing an in-progress ebook using lightweight tools and many iterations to get reader feedback, pivot until you have the right book and build traction once you do. © 2016 - 2018 The DevOps Collective, Inc. Also By The DevOps Collective, Inc. Creating HTML Reports in Windows PowerShell A Unix Person’s Guide to PowerShell The Big Book of PowerShell Error Handling DevOps: The Ops Perspective Ditch Excel: Making Historical and Trend Reports in PowerShell The Big Book of PowerShell Gotchas The Monad Manifesto, Annotated Why PowerShell? Windows PowerShell Networking Guide The PowerShell + DevOps Global Summit Manual for Summiteers Why PowerShell? (Spanish) Secrets of PowerShell Remoting (Spanish) DevOps: The Ops Perspective (Spanish) The Monad Manifesto: Annotated (Spanish) Creating HTML Reports in PowerShell (Spanish) The Big Book of PowerShell Gotchas (Spanish) The Big Book of PowerShell Error Handling (Spanish) DevOps: WTF? PowerShell.org: History of a Community Contents Secrets of PowerShell Remoting ..................................... 1 Remoting Basics ................................................ 3 What is Remoting? ............................................ 3 Examining Remoting Architecture .................................. 3 Enabling
    [Show full text]
  • Windows Terminal Copy Paste
    Windows Terminal Copy Paste photosynthesisAdolpho reinterpret hoax. north? Brady Unenvying is nutritionally and corniculatediscontented Umberto after vitreum gelded Israel almost balanced discernibly, his Betjeman though Ravi ingenuously. deflagrating his If you want to impress your friend or your attendees at a session, you can add a gif as a background. No copy and paste on console? The windows terminal app is a tabbed application so it is possible to have multiple tabs for cmd or you can launch powershell, powershell core, etc. What happens to the mass of a burned object? For example, I use Fira Code as font because I like it also in Visual Studio Code. It offers everything you could ask from a terminal emulator, without the glitches of Cmder or Hyper. VM graphics issues and the same also happens in Chromium. Choose what you would like to copy. What is the trick to pasting it into WSL? Would I basically need to change the command to explicitly run wt. How do I use a coupon? We will not be using that Public Key any longer since we have configured it as an authorized key already. Windows to Linux or vice versa. Linux and Windows in terms of a clipboard. It will allow you to paste styled console contents to other applications such as Outlook, Microsoft Word, etc. Click to customize it. In some cases you may not require the text output, and a screenshot is sufficient. There may be more comments in this discussion. One cause for this problem can be your antivirus software. This article is free for everyone, thanks to Medium Members.
    [Show full text]
  • Automated Malware Analysis Report for M954tovb7j
    ID: 227143 Sample Name: m954tovB7J Cookbook: default.jbs Time: 23:36:20 Date: 03/05/2020 Version: 28.0.0 Lapis Lazuli Table of Contents Table of Contents 2 Analysis Report m954tovB7J 5 Overview 5 General Information 5 Detection 5 Confidence 5 Classification Spiderchart 6 Analysis Advice 6 Mitre Att&ck Matrix 7 Signature Overview 7 AV Detection: 7 Spreading: 7 Networking: 8 Key, Mouse, Clipboard, Microphone and Screen Capturing: 8 System Summary: 8 Data Obfuscation: 8 Boot Survival: 8 Hooking and other Techniques for Hiding and Protection: 8 Malware Analysis System Evasion: 9 Anti Debugging: 9 HIPS / PFW / Operating System Protection Evasion: 9 Language, Device and Operating System Detection: 9 Remote Access Functionality: 9 Malware Configuration 9 Behavior Graph 9 Simulations 10 Behavior and APIs 10 Antivirus, Machine Learning and Genetic Malware Detection 10 Initial Sample 10 Dropped Files 10 Unpacked PE Files 10 Domains 11 URLs 11 Yara Overview 11 Initial Sample 11 PCAP (Network Traffic) 11 Dropped Files 11 Memory Dumps 11 Unpacked PEs 13 Sigma Overview 14 Joe Sandbox View / Context 14 IPs 14 Domains 14 ASN 14 JA3 Fingerprints 15 Dropped Files 15 Screenshots 15 Thumbnails 15 Startup 16 Created / dropped Files 16 Domains and IPs 16 Contacted Domains 16 URLs from Memory and Binaries 16 Contacted IPs 16 Public 17 Static File Info 17 General 17 File Icon 17 Copyright Joe Security LLC 2020 Page 2 of 32 Static PE Info 18 General 18 Entrypoint Preview 18 Data Directories 19 Sections 19 Resources 20 Imports 22 Possible Origin 23 Network Behavior
    [Show full text]
  • A Records, 244–245, 279 -A Switch in Nbtstat, 190 in Netstat, 186 AAS Deployment Package, 710 .Aas Extension, 712 Abstract
    22_InsideWin_Index 13/3/03 9:50 AM Page 1269 Index A A records, 244–245, 279 ACEs (Access Control Entries) -a switch access masks in, 568–570 in Nbtstat, 190 command-line tools for, 572–576 in Netstat, 186 for cumulative permissions, 577 AAS deployment package, 710 for deny permissions, 578 .aas extension, 712 inheritance in, 579–580, 725–728 Abstract classes, 299–300 object ownership in, 572 Accelerated Graphics Port (AGP) adapters, 164 viewing and modifying, 570–571 Access Control Entries. See ACEs (Access ACKs in DHCP, 101–102 Control Entries) ACL Editor, 570, 723 Access control lists (ACLs) Advanced view in Active Directory security, 732–734 for inheritance, 578, 581 objects in, 339 for ownership, 572 in security descriptors, 559 for special permissions, 723–724 Access Control Settings window, 728 Edit view, 725–726 Access masks for permissions inheritance, 578 in ACEs, 568–570 blocking, 579 in DSOs, 733 settings for, 581 Access requests in Kerberos, 621 viewings, 582 Access rights. See also Permissions ACLs (access control lists) in Active Directory security in Active Directory security, 732–734 delegation, 729–732 objects in, 339 types of, 724–725 in security descriptors, 559 for group policies, 682 ACPI (Advanced Configuration and Power Access tokens Interface) contents of, 560–561 compatibility of, 23–28, 148–149 local, 559 kernel version for, 135 SIDs in, 559, 561, 581 for PnP,17, 147–149 ACCM (Asynchronous-Control- ACPIEnable option, 149 Character-Map), 1124 Activation Account domain upgrades, 496–498 in IA64, 130 BDC, 494–496 in installation, 49–50 PDC, 490–493 unattended setup scripts for, 95 Account lockout policies Active Directory, 238 in domain design, 429 bulk imports and exports in, 353–356 in password security, 593–594 DNS deployment in, 242–243 Account logons, auditing, 647 DNS integration in, 238–239 Account management, auditing, 511, 648 dynamic updates, 244–245 Accounts in domain migration.
    [Show full text]
  • From DOS/Windows to Linux HOWTO from DOS/Windows to Linux HOWTO
    From DOS/Windows to Linux HOWTO From DOS/Windows to Linux HOWTO Table of Contents From DOS/Windows to Linux HOWTO ........................................................................................................1 By Guido Gonzato, ggonza at tin.it.........................................................................................................1 1.Introduction...........................................................................................................................................1 2.For the Impatient...................................................................................................................................1 3.Meet bash..............................................................................................................................................1 4.Files and Programs................................................................................................................................1 5.Using Directories .................................................................................................................................2 6.Floppies, Hard Disks, and the Like ......................................................................................................2 7.What About Windows?.........................................................................................................................2 8.Tailoring the System.............................................................................................................................2 9.Networking:
    [Show full text]