DOCSLIB.ORG

Automated Malware Analysis Report For

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Automated Malware Analysis Report For ID: 396299 Cookbook: urldownload.jbs Time: 09:35:05 Date: 23/04/2021 Version: 31.0.0 Emerald Table of Contents Table of Contents 2 Analysis Report https://us.softpedia-secure- download.com:443/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe Overview 33 General Information 3 Detection 3 Signatures 3 Classification 3 Startup 3 Malware Configuration 3 Yara Overview 3 Sigma Overview 3 Signature Overview 3 Mitre Att&ck Matrix 4 Behavior Graph 4 Screenshots 5 Thumbnails 5 Antivirus, Machine Learning and Genetic Malware Detection 6 Initial Sample 6 Dropped Files 6 Unpacked PE Files 6 Domains 6 URLs 6 Domains and IPs 7 Contacted Domains 7 URLs from Memory and Binaries 7 Contacted IPs 7 Public 7 General Information 7 Simulations 8 Behavior and APIs 8 Joe Sandbox View / Context 8 IPs 8 Domains 8 ASN 9 JA3 Fingerprints 9 Dropped Files 9 Created / dropped Files 9 Static File Info 9 No static file info 9 Network Behavior 9 Network Port Distribution 10 TCP Packets 10 UDP Packets 10 DNS Queries 11 DNS Answers 11 HTTPS Packets 11 Code Manipulations 11 Statistics 11 Behavior 11 System Behavior 11 Analysis Process: cmd.exe PID: 5548 Parent PID: 2128 11 General 12 File Activities 12 File Created 12 Analysis Process: conhost.exe PID: 5536 Parent PID: 5548 12 General 12 Analysis Process: wget.exe PID: 6028 Parent PID: 5548 12 General 12 File Activities 13 File Created 13 Disassembly 13 Code Analysis 13 Copyright Joe Security LLC 2021 Page 2 of 13 Analysis Report https://us.softpedia-secure-download.co…m:443/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp100907.exe Overview General Information Detection Signatures Classification Sample URL: https://us.softpedia-s ecure- DDeettteeccttteedd ppoottteenntttiiiaalll ccrrryypptttoo fffuunncctttiiioonn download.com:443/dl/4b98 UDUseseteessc ctceoodd eep ootbbefffnuutssiacclaa ctttiiriooynnp ttttoee ccfuhhnnciiiqqtiuuoeenss (((… b6dbc02a94c36aff3c7686b dbd31/60813f0d/30081879 Uses code obfuscation techniques ( 3/drivers/keyboard/sp1009 Ransomware 07.exe Miner Spreading Analysis ID: 396299 mmaallliiiccciiioouusss malicious Infos: Evader Phishing sssuusssppiiiccciiioouusss suspicious Most interesting Screenshot: cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Score: 1 Range: 0 - 100 Whitelisted: false Confidence: 80% Startup System is w10x64 cmd.exe (PID: 5548 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-ag ent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://us.softpedia-secure-download.com:443/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/ 300818793/drivers/keyboard/sp100907.exe' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D) conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) wget.exe (PID: 6028 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://us.softpedia-secure-download.com:443/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp10 0907.exe' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60) cleanup Malware Configuration No configs have been found Yara Overview No yara matches Sigma Overview No Sigma rule has matched Signature Overview Copyright Joe Security LLC 2021 Page 3 of 13 • Compliance • Networking • System Summary • Data Obfuscation • Malware Analysis System Evasion • Language, Device and Operating System Detection Click to jump to signature section There are no malicious signatures, click here to show all signatures . Mitre Att&ck Matrix Remote Initial Privilege Defense Credential Lateral Command Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration and Control Effects Effects Impact Valid Windows Path Process Masquerading 1 OS Security Remote Archive Exfiltration Encrypted Eavesdrop on Remotely Modify Accounts Management Interception Injection 1 Credential Software Services Collected Over Other Channel 1 2 Insecure Track Device System Instrumentation Dumping Discovery 1 Data 1 Network Network Without Partition Medium Communication Authorization Default Scheduled Boot or Boot or Process LSASS System Remote Data from Exfiltration Non- Exploit SS7 to Remotely Device Accounts Task/Job Logon Logon Injection 1 Memory Information Desktop Removable Over Application Redirect Phone Wipe Data Lockout Initialization Initialization Discovery 2 Protocol Media Bluetooth Layer Calls/SMS Without Scripts Scripts Protocol 1 Authorization Domain At (Linux) Logon Script Logon Obfuscated Files Security Remote SMB/Windows Data from Automated Application Exploit SS7 to Obtain Delete Accounts (Windows) Script or Information 1 Account System Admin Shares Network Exfiltration Layer Track Device Device Device (Windows) Manager Discovery 1 Shared Protocol 2 Location Cloud Data Drive Backups Behavior Graph Copyright Joe Security LLC 2021 Page 4 of 13 Hide Legend Legend: Behavior Graph Process ID: 396299 Signature URL: https://us.softpedia-secure... Created File Startdate: 23/04/2021 DNS/IP Info Architecture: WINDOWS Is Dropped Score: 1 Is Windows Process Number of created Registry Values started Number of created Files Visual Basic cmd.exe Delphi Java 2 .Net C# or VB.NET C, C++ or other language started started Is malicious Internet wget.exe conhost.exe 2 us.softpedia-secure-download.com 5.35.211.214, 443, 49709 GTSCEGTSCentralEuropeAntelGermanyCZ Romania Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright Joe Security LLC 2021 Page 5 of 13 Antivirus, Machine Learning and Genetic Malware Detection Initial Sample Source Detection Scanner Label Link https://us.softpedia-secure- 0% Avira URL Cloud safe download.com:443/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818793/drivers/keyboard/sp10 0907.exe Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains No Antivirus matches URLs No Antivirus matches Copyright Joe Security LLC 2021 Page 6 of 13 Domains and IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation us.softpedia-secure-download.com 5.35.211.214 true false high URLs from Memory and Binaries Name Source Malicious Antivirus Detection Reputation https://us.softpedia-secure- wget.exe, 00000003.00000002.21 false high download.com:443/dl/4b98b6dbc02a94c36aff3c7686bdbd31/6 6184192.0000000001376000.00000 0813f0d/300818793/ 004.00000040.sdmp https://us.softpedia-secure- wget.exe, 00000003.00000002.21 false high download.com/dl/4b98b6dbc02a94c36aff3c7686bdbd31/60813 6184192.0000000001376000.00000 f0d/300818793/driv 004.00000040.sdmp, cmdline.out.3.dr Contacted IPs No. of IPs < 25% 25% < No. of IPs < 50% 50% < No. of IPs < 75% 75% < No. of IPs Public IP Domain Country Flag ASN ASN Name Malicious 5.35.211.214 us.softpedia-secure- Romania 5588 GTSCEGTSCentralEuropeA false download.com ntelGermanyCZ General Information Joe Sandbox Version: 31.0.0 Emerald Analysis ID: 396299 Start date: 23.04.2021 Start time: 09:35:05 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 2m 45s Hypervisor based Inspection enabled: false Report type: light Copyright Joe Security LLC 2021 Page 7 of 13 Cookbook file name: urldownload.jbs Sample URL: https://us.softpedia-secure-download.com:443/dl/ 4b98b6dbc02a94c36aff3c7686bdbd31/60813f0d/300818 793/drivers/keyboard/sp100907.exe Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 Number of analysed new started processes analysed: 6 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies: HCA enabled EGA enabled HDC enabled AMSI enabled Analysis Mode: default Analysis stop reason: Timeout Detection: CLEAN Classification: clean1.win@4/2@1/1 EGA Information: Failed HDC Information: Failed HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 Cookbook Comments: Adjust boot time Enable AMSI Unable to download file Warnings: Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.147.198.201, 92.122.145.220, 104.43.139.144 Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, e12564.dspb.akamaiedge.net, store-images.s- microsoft.com, blobcollector.events.data.trafficmanager.net, store- images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, skypedataprdcolwus15.cloudapp.net Execution Graph export aborted for target wget.exe, PID 6028 because there are no executed function Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: https://us.softpedia-secure- download.com:443/dl/4b98b6dbc02a94c36aff3c768 6bdbd31/60813f0d/300818793/drivers/keyboard/sp 100907.exe Simulations Behavior and APIs No simulations Joe Sandbox View / Context IPs No context Domains Copyright Joe Security LLC 2021 Page 8 of 13 No context ASN No context JA3 Fingerprints No context Dropped Files No context Created / dropped Files C:\Users\user\Desktop\cmdline.out Process: C:\Windows\SysWOW64\wget.exe File
Load more

Recommended publications
  • Yahoo Messenger Error Code 7 Softpedia
    Yahoo Messenger Error Code 7 Softpedia Available now for Linux, Mac OS X, and Microsoft Windows. Mozilla Thunderbird 38.0 Arrives with GMail OAuth2 and Yahoo Messenger Support. DESKTOP Windows Messenger, Google Talk, ICQ, Skype), but it can also directly access social with red highlights), or change font to code style (which is especially useful if you're trying There are tons of emoticons you can play with (smiley faces, objects and symbols), and some of them are compatible with Yahoo! Clear Yahoo Messenger cache in Windows. Caution: These steps apply to 32-bit and 64-bit versions of Windows XP, Windows Vista, Windows 7, and Windows. ManyCam also allows you to broadcast four video windows simultaneously or picture in picture video. wont finish downloading, gets stuck everytime and Im on an i7 the exe file runs (and I assume pulls more code down from web) Norton says Trojan. Operating Systems, Windows XP/Vista/7/8 Yahoo Messenger. Yahoo! Messenger can be run on various versions of the Windows operating Download Skype 7.1 Offline Installer Latest Version 2015 Download Skype. -Softpedia.com can add not only keystrokes and mouse actions to your scripts but also manage windows, Facebook, Yahoo, AOL, Hotmail So im using this for a game and it works great but theres one issue it doesnt June 19 at 7:32am. Yahoo Messenger Error Code 7 Softpedia >>>CLICK HERE<<< Telegram Desktop is a powerful, cross-platform messenger app that enables iOS (known as Telegram Messenger) and Windows Phone, but also desktop a valid mobile phone number, which is used for generating a security code.
    [Show full text]
  • Software Sites-2010 ALL FULL
    Software Sites-2010 ALL FULL related:http://www.brothersoft.com/ related:http://download.cnet.com/ related:http://www.soft32.com/ related:http://www.freedownloadscenter.com/ related:http://www.filehippo.com/ related:http://www.softpedia.com/ related:http://www.dl4all.com/ related:http://www.topdownloads.net/ related:http://downloads.zdnet.com/ related:http://www.freedownloadmanager.org/ related:http://www.tucows.com/ related:http://www.download3k.com/ related:http://www.bestfreewaredownload.com/ related:http://www.download3000.com/ related:http://www.download3k.com/ related:http://www.123-free-download.com/ related:http://www.download3k.com/ related:http://www.123-free-download.com/ related:http://www.topshareware.com/ related:http://www.freedownloadsplace.com/ related:http://www.freedownloadsplace.com/ related:http://www.download32.com/ related:http://www.sharewareplaza.com/ related:http://www.freewarefiles.com/ related:http://majorgeeks.com/ related:http://www.top4download.com/ http://www.brothersoft.com/ http://download.cnet.com/ http://www.soft32.com/ http://www.freedownloadscenter.com/ http://www.filehippo.com/ http://www.softpedia.com/ http://www.dl4all.com/ http://www.topdownloads.net/ http://downloads.zdnet.com/ http://www.freedownloadmanager.org/ http://www.tucows.com/ http://www.download3k.com/ http://www.bestfreewaredownload.com/ http://www.download3000.com/ http://www.download3k.com/ http://www.123-free-download.com/ http://www.download3k.com/ http://www.123-free-download.com/ http://www.topshareware.com/ http://www.freedownloadsplace.com/ http://www.freedownloadsplace.com/ http://www.download32.com/ http://www.sharewareplaza.com/ http://www.freewarefiles.com/ http://majorgeeks.com/ http://www.top4download.com/ 1. http://download.cnet.com/ 2. http://www.soft32.com/ 3. http://www.freedownloadscenter.com/ 4.
    [Show full text]
  • Bi-Weekly Cybersecurity Rollup
    UNCLASSIFIED October 28, 2016 North Dakota State and Local Intelligence Center Bi-Weekly Cybersecurity Rollup Included in this week’s summary: Click on the Section Header to go directly to that location in the Summary NORTH DAKOTA & REGIONAL (U) Phish Looking to Hook NDSU Community (U) Task force close to finalizing cybersecurity recommendations NATIONAL (U) Locky ransomware accounted for 97 percent of all malicious email attachments (U) Weebly breach affects over 43 million users (U) U.S. calls on automakers to make cyber security a priority INTERNATIONAL (U) Magneto malware hides stolen card data in image files (U) WordPress sites under attack via security flaw in unmaintained plugin (U) Windows zero-day exploited by “FruityArmor” APT group (U) Linux kernel zero-day CVE-2016-5195 patched after being deployed in live attacks (U) Dyn DDoS attack: The aftermath (U) LinkedIn to get Banned in Russia for not Complying with Data Localization Law UNCLASSIFIED UNCLASSIFIED NORTH DAKOTA & REGIONAL (U) Phish Looking to Hook NDSU Community (U) Over 280 North Dakota State email accounts had been compromised by phishing attackers since Tuesday. Students, staff and faculty are mainly being targeted through malicious phishing emails through their NDSU accounts. Examples include false emails saying users may upgrade their email storage space through Help Desk, someone’s cousin needs money or individuals in Africa need money. Source: (U) http://ndsuspectrum.com/phish-looking-to-hook-ndsu-community/ (U) Task force close to finalizing cybersecurity recommendations (U) A state cybersecurity task force is preparing for one last discussion early next month before they sign off on their recommendations in a final report to the governor.
    [Show full text]
  • Ursnif Malware Executive Summary on April 16, 2020, Fireeye Released a Report on the Top 10 Malware Affecting the Healthcare Industry in the First Quarter of 2020
    Health Sector Cybersecurity Coordination Center (HC3) Sector Note June 16, 2020 TLP: WHITE Report: 202006160800 Ursnif Malware Executive Summary On April 16, 2020, FireEye released a report on the Top 10 malware affecting the healthcare industry in the first quarter of 2020. Among the Top 10 malware identified was the malware family Ursnif (ranked number 2 with 30.2% of malware detections), which is a form of banking trojan and spyware. The malware has previously targeted entities in North America, Europe, and Asia and has undergone a number of development iterations following the leak of its source code in 2015. As a result, it is highly likely that this malware will continue to evolve and appear in a variety of campaigns targeting myriad industry verticals and geographies by indistinct threat actors. Report Ursnif (aka Gozi, Gozi-ISFB, Dreambot, Papras) is a modified modular banking malware with backdoor capabilities. The latest source code was leaked to GitHub in February 2015 and its capabilities include intercepting and modifying browser traffic (i.e. web injects), file download and upload, establishing a SOCKS proxy, system restart and shutdown, system information gathering, and a domain generation algorithm (DGA). The malware can also steal data and credentials from popular email and FTP clients and browsers as well as capture keystrokes, screenshots, and clipboard data. While it is considered a banking Trojan by many security researchers, the Ursnif malware family is also considered spyware given its information gathering capabilities. The malware is also capable of file infection. Since the 2015 source code leak, Ursnif has been continuously distributed and the code has been routinely modified and updated.
    [Show full text]
  • Costly Freeware: a Systematic Analysis Of
    IET Information Security Research Article ISSN 1751-8709 Costly freeware: a systematic analysis of Received on 24th November 2017 Revised 3rd May 2018 abuse in download portals Accepted on 16th May 2018 doi: 10.1049/iet-ifs.2017.0585 www.ietdl.org Richard Rivera1,2 , Platon Kotzias1,2, Avinash Sudhodanan1, Juan Caballero1 1IMDEA Software Institute, Madrid, Spain 2Universidad Politécnica de Madrid, Madrid, Spain E-mail: [email protected] Abstract: Freeware is proprietary software that can be used free of charge. A popular vector for distributing freeware is download portals, i.e. websites that index, categorise, and host programs. Download portals can be abused to distribute potentially unwanted programs (PUP) and malware. The abuse can be due to PUP and malware authors uploading their ware, by benign freeware authors joining as affiliate publishers of pay-per-install (PPI) services and other affiliate programs, or by malicious download portal owners. The authors perform a systematic study of abuse in download portals. They build a platform to crawl download portals and apply it to download 191 K Windows freeware installers from 20 download portals. They analyse the collected installers and execute them in a sandbox to monitor their installation. They measure an overall ratio of PUP and malware between 8% (conservative estimate) and 26% (lax estimate). In 18 of the 20 download portals examined the amount of PUP and malware is below 9%. However, they also find two download portals exclusively used to distribute PPI downloaders. Finally, they detail different abusive behaviours that authors of undesirable programs use to distribute their programs through download portals.
    [Show full text]
  • Microsoft Security Intelligence Report
    Microsoft Security Intelligence Report Volume 17 | January through June, 2014 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Copyright © 2014 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Authors Dennis Batchelder Nam Ng Tim Rains Microsoft Malware Protection Microsoft Trustworthy Microsoft Trustworthy Center Computing Computing Joe Blackbird Niall O'Sullivan Jerome Stewart Microsoft Malware Protection Microsoft Digital Crimes Unit Microsoft Digital Crimes Unit Center Daryl Pecelj Holly Stewart Paul Henry Microsoft IT Information Microsoft Malware Protection Wadeware LLC Security and Risk Management Center Sriram Iyer Anthony Penta Todd Thompson Application and Services Group Windows Services Safety Microsoft IT Information Platform Security and Risk Management Jeff Jones Microsoft Trustworthy Simon Pope Terry Zink Computing Microsoft Trustworthy Exchange Online Protection Computing Aneesh Kulkarni Geoff McDonald Windows Services Safety Ina Ragragio Microsoft Malware Protection Platform Microsoft Malware Protection Center Center Marc Lauricella Microsoft Trustworthy Computing Contributors Tanmay Ganacharya Sean Krulewitch Takumi Onodera
    [Show full text]
  • Renew Ip Address Windows Vista
    Renew Ip Address Windows Vista Egoistic or swingy, Pennie never rejudged any shier! Unterrified Jean-Lou nictitate: he sampled his heterogenies accentually and affrontingly. Unreturned Willis ceil no dragonnades delays conjecturally after Hollis parries rakishly, quite movable. Internet connection on the state or computers on the subnet mask, the internet connectivity, windows ip address already set to hide ip It may be renewed you access the window and renewing the joke was an ip but internet? The windows firewall or renew its ip addresses, renewing and tricks on. The software or implied by a dns addresses to use of the issue resolve the router and obtain an ip? Well can you heat me same to change about public IP Address? Belkin is customer responsible or liable for release does not endorse the dip or practices of such Linked Sites, then during Run, Tricks and Hacks. Then renewing the windows update your own menu system to renew process due to the same as the adapter may have to not. Do is renewed ip address is not renew ips and renewing the windows vista to pc after reading my isp assign a computer. For the unit experience, turn it to the amaze that digest the Reset button allow it. If double use installation while windows open it says your xp is higher than this xp SO wish will delete my xp It all happaned after i delete avira by. Windows 7 and Vista Verify that Release Renew IP Address Click to Start button roll the bottom left without your PC screen In patient search follow enter CMD Press Enter.
    [Show full text]
  • Freeware-List.Pdf
    FreeWare List A list free software from www.neowin.net a great forum with high amount of members! Full of information and questions posted are normally answered very quickly 3D Graphics: 3DVia http://www.3dvia.com...re/3dvia-shape/ Anim8or - http://www.anim8or.com/ Art Of Illusion - http://www.artofillusion.org/ Blender - http://www.blender3d.org/ CreaToon http://www.creatoon.com/index.php DAZ Studio - http://www.daz3d.com/program/studio/ Freestyle - http://freestyle.sourceforge.net/ Gelato - http://www.nvidia.co...ge/gz_home.html K-3D http://www.k-3d.org/wiki/Main_Page Kerkythea http://www.kerkythea...oomla/index.php Now3D - http://digilander.li...ng/homepage.htm OpenFX - http://www.openfx.org OpenStages http://www.openstages.co.uk/ Pointshop 3D - http://graphics.ethz...loadPS3D20.html POV-Ray - http://www.povray.org/ SketchUp - http://sketchup.google.com/ Sweet Home 3D http://sweethome3d.sourceforge.net/ Toxic - http://www.toxicengine.org/ Wings 3D - http://www.wings3d.com/ Anti-Virus: a-squared - http://www.emsisoft..../software/free/ Avast - http://www.avast.com...ast_4_home.html AVG - http://free.grisoft.com/ Avira AntiVir - http://www.free-av.com/ BitDefender - http://www.softpedia...e-Edition.shtml ClamWin - http://www.clamwin.com/ Microsoft Security Essentials http://www.microsoft...ity_essentials/ Anti-Spyware: Ad-aware SE Personal - http://www.lavasoft....se_personal.php GeSWall http://www.gentlesec...m/download.html Hijackthis - http://www.softpedia...ijackThis.shtml IObit Security 360 http://www.iobit.com/beta.html Malwarebytes'
    [Show full text]
  • Microsoft Windows: the Launch of Windows 7
    S w 909A23 MICROSOFT WINDOWS: THE LAUNCH OF WINDOWS 7 Matthew Ball wrote this case under the supervision of Professor Miranda Goode solely to provide material for class discussion. The authors do not intend to illustrate either effective or ineffective handling of a managerial situation. The authors may have disguised certain names and other identifying information to protect confidentiality. Ivey Management Services prohibits any form of reproduction, storage or transmittal without its written permission. Reproduction of this material is not covered under authorization by any reproduction rights organization. To order copies or request permission to reproduce materials, contact Ivey Publishing, Ivey Management Services, c/o Richard Ivey School of Business, The University of Western Ontario, London, Ontario, Canada, N6A 3K7; phone (519) 661-3208; fax (519) 661-3882; e-mail [email protected]. Copyright © 2009, Ivey Management Services Version: (A) 2009-08-13 INTRODUCTION It was the spring of 2009, and Steve Ballmer, chief executive officer of Microsoft Corporation, was planning the launch of Windows 7, the company’s newest operating system. Successfully marketing Windows 7 had become essential for the company, which had faced numerous challenges in recent years. The company’s image had been tarnished by the commercial and public relations failure of its last operating system, Windows Vista. Moreover, the company became the target of a brutal series of advertisements by its largest competitor, Apple Inc., and was continuing to bleed market share. Beta releases had been well received by the Internet community, and Microsoft hoped that Windows 7 would not only improve its bottom line, but also restore its tarnished image.
    [Show full text]
  • Malware Reverse Engineering Handbook
    Malware Reverse Engineering Handbook Ahmet BALCI Dan UNGUREANU Jaromír VONDRUŠKA NATO CCDCOE Tallinn 2020 CCDCOE The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) is a NATO-accredited cyber defence hub focusing on research, training and exercises. It represents a community of 25 nations and providesing a 360- degree view of cyber defence, with expertise in the areas of technology, strategy, operations and law. The heart of the Centre is a diverse group of international experts from military, government, academia and industry backgrounds. The CCDCOE is home to the Tallinn Manual 2.0, the most comprehensive guide on how International Law applies to cyber operations. The Centre organises the world’s largest and most complex international live-fire cyber defence exercise, Locked Shields, and hosts the International Conference on Cyber Conflict, CyCon, a unique annual event in Tallinn, bringing together key experts and decision-makers in the global cyber defence community. As the Department Head for Cyberspace Operations Training and Education, the CCDCOE is responsible for identifying and coordinating education and training solutions in the field of cyber defence operations for all NATO bodies across the Alliance. The Centre is staffed and financed by its member nations – currently Austria, Belgium, Bulgaria, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Spain, Sweden, Turkey, the United Kingdom and the United States. NATO-accredited centres of excellence are not part of the NATO Command Structure. www.ccdcoe.org [email protected] Disclaimer This publication is a product of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre).
    [Show full text]
  • OSINT Handbook September 2020
    OPEN SOURCE INTELLIGENCE TOOLS AND RESOURCES HANDBOOK 2020 OPEN SOURCE INTELLIGENCE TOOLS AND RESOURCES HANDBOOK 2020 Aleksandra Bielska Noa Rebecca Kurz, Yves Baumgartner, Vytenis Benetis 2 Foreword I am delighted to share with you the 2020 edition of the OSINT Tools and Resources Handbook. Once again, the Handbook has been revised and updated to reflect the evolution of this discipline, and the many strategic, operational and technical challenges OSINT practitioners have to grapple with. Given the speed of change on the web, some might question the wisdom of pulling together such a resource. What’s wrong with the Top 10 tools, or the Top 100? There are only so many resources one can bookmark after all. Such arguments are not without merit. My fear, however, is that they are also shortsighted. I offer four reasons why. To begin, a shortlist betrays the widening spectrum of OSINT practice. Whereas OSINT was once the preserve of analysts working in national security, it now embraces a growing class of professionals in fields as diverse as journalism, cybersecurity, investment research, crisis management and human rights. A limited toolkit can never satisfy all of these constituencies. Second, a good OSINT practitioner is someone who is comfortable working with different tools, sources and collection strategies. The temptation toward narrow specialisation in OSINT is one that has to be resisted. Why? Because no research task is ever as tidy as the customer’s requirements are likely to suggest. Third, is the inevitable realisation that good tool awareness is equivalent to good source awareness. Indeed, the right tool can determine whether you harvest the right information.
    [Show full text]
  • Web Browser Private Mode Forensics Analysis
    Rochester Institute of Technology RIT Scholar Works Theses 6-30-2014 Web Browser Private Mode Forensics Analysis Emad Sayed Noorulla Follow this and additional works at: https://scholarworks.rit.edu/theses Recommended Citation Noorulla, Emad Sayed, "Web Browser Private Mode Forensics Analysis" (2014). Thesis. Rochester Institute of Technology. Accessed from This Thesis is brought to you for free and open access by RIT Scholar Works. It has been accepted for inclusion in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact [email protected]. Web Browser Private Mode Forensics Analysis By Emad Sayed Noorulla Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Computer Security and Information Assurance Rochester Institute of Technology B. Thomas Golisano College of Computing and Information Sciences Department of Computing Security 06/30/2014 1 | P a g e Rochester Institute of Technology B. Thomas Golisano College of Computing and Information Sciences Department of Computing Security Master of Science in Computer Security and Information Assurance Thesis Approval Form Student Name: Emad Sayed Noorulla Thesis Title: Web Browser Private Mode Forensics Analysis Thesis Committee Name Signature Date Prof Yin Pan Chair Prof Bo Yuan Committee Member Prof Bill Stackpole Committee Member 2 | P a g e Table of Contents Abstract ................................ ..................................................................................... 4 1. Introduction
    [Show full text]