Source: 3.2.rundll32.exe.f20000.2.raw.unpack | Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]] |
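The configuration line above is the raw extractor output. The Python below is an added example for this report, not code from the sandbox or from the Ursnif/ISFB code base: it folds the extractor's list-of-dicts layout into one record, splits the C2 hosts into the ones worth blocking and the ones that merely blend in, and fingerprints the key material so samples can be clustered. RAW_CONFIG is copied from the line above; the decoy heuristic (treating bing.com and microsoft.com hosts as traffic cover rather than real C2) and the output field names are analyst assumptions.

```python
"""Turn the Ursnif (ISFB) extractor output above into reviewable indicators.

Added example for this report, not sandbox or malware code. The decoy
heuristic and the output field names are analyst assumptions.
"""
import base64
import hashlib
import json
from typing import Any, Dict, List

# Copied from the "Malware Configuration Extractor: Ursnif" line of the report.
RAW_CONFIG = (
    '[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, '
    '{"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], '
    '"botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", '
    '"sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]'
)

# Analyst assumption: ISFB configs are widely reported to list well-known
# legitimate hosts beside the real C2 so that beaconing blends in. Such
# entries are kept for context but must not be put on a blocklist.
LIKELY_DECOY_SUFFIXES = ("microsoft.com", "bing.com")


def parse_ursnif_config(raw: str) -> Dict[str, Any]:
    """Merge the extractor's list-of-dicts layout into one flat mapping."""
    merged: Dict[str, Any] = {}
    for part in json.loads(raw):
        merged.update(part)
    return merged


def decode_rsa_blob(b64: str) -> bytes:
    """Decode the base64 key blob, restoring any padding the extractor stripped."""
    return base64.b64decode(b64 + "=" * (-len(b64) % 4))


def is_likely_decoy(domain: str) -> bool:
    """True for hosts on the decoy suffix list (exact match or subdomain)."""
    host = domain.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LIKELY_DECOY_SUFFIXES)


def build_iocs(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Split C2 hosts into actionable vs. decoy and fingerprint the key material."""
    domains = [str(d) for d in cfg.get("c2_domain", [])]
    key = decode_rsa_blob(str(cfg["RSA Public Key"]))
    serpent = str(cfg.get("serpent_key", ""))
    return {
        "c2_actionable": sorted(d for d in domains if not is_likely_decoy(d)),
        "c2_likely_decoy": sorted(d for d in domains if is_likely_decoy(d)),
        "botnet": str(cfg.get("botnet", "")),
        "server": str(cfg.get("server", "")),
        "serpent_key": serpent,
        # ISFB encrypts its data with Serpent-CBC; 16 bytes is the expected 128-bit key size.
        "serpent_key_is_128bit": len(serpent.encode()) == 16,
        "rsa_key_len": len(key),
        # Stable handle for grouping samples that share an operator key.
        "rsa_key_sha256": hashlib.sha256(key).hexdigest(),
        "sleep_time": int(cfg.get("sleep_time", 0)),
        "dga_count": int(cfg.get("DGA_count", 0)),
    }


def dns_blocklist(iocs: Dict[str, Any]) -> List[str]:
    """Only the actionable hosts go to DNS/proxy blocking."""
    return list(iocs["c2_actionable"])


if __name__ == "__main__":
    print(json.dumps(build_iocs(parse_ursnif_config(RAW_CONFIG)), indent=2))
```

The SHA-256 of the decoded RSA blob, not the domain list, is the value to pivot on when hunting for related samples: operators rotate C2 hosts far more often than the key the bot uses to verify its tasking.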
Source: gg.gif.dll | ReversingLabs: Detection: 41% |
Source: gg.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: Yara match | File source: 00000003.00000002.287291124.0000000000F20000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.257345092.0000000000F10000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.240096521.0000000002290000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 2.2.rundll32.exe.f10000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.loaddll32.exe.2290000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 3.2.rundll32.exe.f20000.2.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275A25 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0227150C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02273A14 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02271B1E |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02271967 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02272566 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275262 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02272A69 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275378 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02272FAF |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02273FAB |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_022731B3 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_022792B2 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_022788BA |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_022713C5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_022727D4 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02271CD0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_022743D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5F16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE13C5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE43D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE27D4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE1CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE2FAF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE3FAB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE88BA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE92B2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE31B3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE2566 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE1967 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5262 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5378 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE5A25 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE150C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE1B1E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE3A14 |
Source: classification engine | Classification label: mal68.troj.winDLL@7/0@0/0 |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg.gif.dll,DllServer |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg.gif.dll' |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1 |
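The process tree above shows the sandbox exercising the DLL two ways: rundll32 with the named export DllServer, and cmd /C rundll32 with ordinal #1, in both cases loading a file named gg.gif.dll from the user's Desktop. Note that loaddll32.exe is the sandbox's own DLL harness, so a production detection cannot key on that parent; on a real host the parent would be whatever dropped the file. The following Python is an added detection example, not the sandbox's signature logic: it scores each rundll32 launch on the traits visible here (ordinal export, DLL under a user-writable path, image-style double extension) over process-creation events constructed from the lines above plus one constructed benign control. The trait list, the alert threshold and the event layout are analyst assumptions.

```python
"""Flag rundll32 launches like the ones in the process tree above.

Added detection example for this report, not the sandbox's own logic. The
heuristics, the alert threshold and the sample events are analyst constructions.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed from the "Process created" lines of the report. loaddll32.exe is the
# sandbox's own DLL harness; on a real host the parent would be the dropper.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\user\Desktop\gg.gif.dll,DllServer"),
    ProcEvent(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1"),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe 'C:\Users\user\Desktop\gg.gif.dll',#1"),
    # Benign control, constructed: a stock Control Panel launch from explorer.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# "<dll path>,<export or #ordinal>", with or without quotes around the path.
DLL_ARG = re.compile(
    r"""rundll32(?:\.exe)?\s+["']?(?P<path>[^"',\s]+)["']?\s*,\s*(?P<export>#?\w+)""",
    re.IGNORECASE,
)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Extensions that make "x.gif.dll" look like an image or document in a mail client.
DISGUISE_EXTS = (".gif", ".jpg", ".png", ".pdf", ".doc", ".docx", ".xls", ".txt")


def rundll32_findings(ev: ProcEvent) -> List[str]:
    """Return the suspicious traits of one rundll32 launch (empty if none)."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return []
    m = DLL_ARG.search(ev.command_line)
    if not m:
        return []
    path = m.group("path").lower()
    export = m.group("export")
    stem = path[:-4] if path.endswith(".dll") else path
    findings: List[str] = []
    if export.startswith("#"):  # export by ordinal keeps the function name out of logs
        findings.append("ordinal-export")
    if any(seg in path for seg in USER_WRITABLE):
        findings.append("user-writable-path")
    if stem.endswith(DISGUISE_EXTS):
        findings.append("double-extension")
    return findings


def alerts(events: List[ProcEvent], min_findings: int = 2) -> List[str]:
    """Command lines showing at least `min_findings` traits. The threshold keeps
    legitimate rundll32 use of DLLs under a user profile from paging anyone."""
    return [e.command_line for e in events if len(rundll32_findings(e)) >= min_findings]


if __name__ == "__main__":
    for cl in alerts(SAMPLE_EVENTS):
        print("ALERT:", cl)
```

The cmd.exe event scores nothing on its own because the image is cmd.exe; the rundll32 child it spawns is the event that carries the traits, which is why the check keys on the image rather than on any command line that merely mentions rundll32.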
Source: gg.gif.dll | Static PE information: section name: .code |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push 00000000h; mov dword ptr [esp], edx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push 00000000h; mov dword ptr [esp], ebp |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push 00000000h; mov dword ptr [esp], edx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push 00000000h; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push 00000000h; mov dword ptr [esp], edi |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push 00000000h; mov dword ptr [esp], edx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02275F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_02272A69 xor edi, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00EE2A69 xor edi, dword ptr fs:[00000030h] |