
Analysis Report KYC DEBIT 11202020.exe

Overview

General Information

Sample Name: KYC DEBIT 11202020.exe
Analysis ID: 321019
MD5: 1a507889b51bb4c630efdab875fe492d
SHA1: 18213e51363e486cff2e3707db5f3b85dc9c7d6f
SHA256: dc124de38bc46065f427928b5b1c0dae742f8dbbca236e611735f24ae70e6cb5
Tags: exe

Most interesting Screenshot:

Detection

FormBook
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected FormBook
Machine Learning detection for sample
Detected potential crypto function
Enables debug privileges
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Yara signature match

Classification

Startup

  • System is w10x64
  • KYC DEBIT 11202020.exe (PID: 4168 cmdline: 'C:\Users\user\Desktop\KYC DEBIT 11202020.exe' MD5: 1A507889B51BB4C630EFDAB875FE492D)
    • WerFault.exe (PID: 5340 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xb050:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xb3da:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16ced:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x167d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16def:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16f67:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xbde2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x15a54:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xcb5a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1bdcf:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ce42:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18cf1:$sqlite3step: 68 34 1C 7B E1
  • 0x18e04:$sqlite3step: 68 34 1C 7B E1
  • 0x18d20:$sqlite3text: 68 38 2A 90 C5
  • 0x18e45:$sqlite3text: 68 38 2A 90 C5
  • 0x18d33:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18e5b:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xb050:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xb3da:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16ced:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x167d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16def:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16f67:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xbde2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x15a54:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xcb5a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1bdcf:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ce42:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: KYC DEBIT 11202020.exe | Joe Sandbox ML: detected

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Code function: 0_2_00BCDB21 | 0_2_00BCDB21
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788
Source: KYC DEBIT 11202020.exe, 00000000.00000002.300296289.0000000005740000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameJnMryRIPGtnuqyyG.bounce.exe4 vs KYC DEBIT 11202020.exe
Source: KYC DEBIT 11202020.exe, 00000000.00000002.300792152.00000000060B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs KYC DEBIT 11202020.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: KYC DEBIT 11202020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal60.troj.winEXE@33502/4@0/1
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4168
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE917.tmp
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\KYC DEBIT 11202020.exe 'C:\Users\user\Desktop\KYC DEBIT 11202020.exe'
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: KYC DEBIT 11202020.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: KYC DEBIT 11202020.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorlib.pdb | source: WERE917.tmp.dmp.3.dr
Source: Binary string: System.ni.pdbRSDS | source: WERE917.tmp.dmp.3.dr
Source: Binary string: System.Drawing.pdb | source: WERE917.tmp.dmp.3.dr
Source: Binary string: mscorlib.ni.pdb | source: WERE917.tmp.dmp.3.dr
Source: Binary string: mscorlib.ni.pdbRSDS | source: WERE917.tmp.dmp.3.dr
Source: Binary string: System.ni.pdb | source: WERE917.tmp.dmp.3.dr
Source: Binary string: System.pdb | source: WERE917.tmp.dmp.3.dr
Source: initial sample | Static PE information: section name: .text entropy: 7.86097375794
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\WerFault.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Queries volume information: C:\Users\user\Desktop\KYC DEBIT 11202020.exe VolumeInformation
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | DLL Side-Loading 1 | Process Injection 1 | Virtualization/Sandbox Evasion 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Disable or Modify Tools 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 2 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 | NTDS | System Information Discovery 21 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph

Legend (the graph image itself is not included in this extraction): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.