[[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]
Source: 4.2.rundll32.exe.4ba0000.2.raw.unpack | Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]] |
Source: gg_1.gif.dll | ReversingLabs: Detection: 41% |
Source: gg_1.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: Yara match | File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 | 1_2_00EA5F16 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA13C5 | 1_2_00EA13C5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA43D8 | 1_2_00EA43D8 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA1CD0 | 1_2_00EA1CD0 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA27D4 | 1_2_00EA27D4 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA3FAB | 1_2_00EA3FAB |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA2FAF | 1_2_00EA2FAF |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA88BA | 1_2_00EA88BA |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA92B2 | 1_2_00EA92B2 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA31B3 | 1_2_00EA31B3 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA2A69 | 1_2_00EA2A69 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA2566 | 1_2_00EA2566 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA1967 | 1_2_00EA1967 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA150C | 1_2_00EA150C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA510C | 1_2_00EA510C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA1B1E | 1_2_00EA1B1E |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA3A14 | 1_2_00EA3A14 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03465F16 | 4_2_03465F16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03462566 | 4_2_03462566 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03461967 | 4_2_03461967 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03465262 | 4_2_03465262 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03462A69 | 4_2_03462A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03465378 | 4_2_03465378 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0346150C | 4_2_0346150C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03463A14 | 4_2_03463A14 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03461B1E | 4_2_03461B1E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03465A25 | 4_2_03465A25 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_034613C5 | 4_2_034613C5 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_034627D4 | 4_2_034627D4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03461CD0 | 4_2_03461CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_034643D8 | 4_2_034643D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03462FAF | 4_2_03462FAF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03463FAB | 4_2_03463FAB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_034692B2 | 4_2_034692B2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_034631B3 | 4_2_034631B3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_034688BA | 4_2_034688BA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03305F16 | 5_2_03305F16 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03305A25 | 5_2_03305A25 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03303A14 | 5_2_03303A14 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03301B1E | 5_2_03301B1E |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_0330150C | 5_2_0330150C |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03305378 | 5_2_03305378 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03305262 | 5_2_03305262 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03302566 | 5_2_03302566 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03301967 | 5_2_03301967 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03302A69 | 5_2_03302A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_033092B2 | 5_2_033092B2 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_033031B3 | 5_2_033031B3 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_033088BA | 5_2_033088BA |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03303FAB | 5_2_03303FAB |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03302FAF | 5_2_03302FAF |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03301CD0 | 5_2_03301CD0 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_033027D4 | 5_2_033027D4 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_033043D8 | 5_2_033043D8 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_033013C5 | 5_2_033013C5 |
Source: gg_1.gif.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: classification engine | Classification label: mal68.troj.winDLL@7/0@0/0 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer |
Source: gg_1.gif.dll | ReversingLabs: Detection: 41% |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll' | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 | |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\gg_1.gif.dll,DllServer | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\gg_1.gif.dll',#1 | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK |
Source: gg_1.gif.dll | Static PE information: section name: .code |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA709D push edi; mov dword ptr [esp], FFFF0000h | 1_2_00EA709E |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA709D push 00000000h; mov dword ptr [esp], ebp | 1_2_00EA70F5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA709D push esp; mov dword ptr [esp], 00000040h | 1_2_00EA711D |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA709D push 00000000h; mov dword ptr [esp], ecx | 1_2_00EA716C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx | 1_2_00EA5F7B |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 1_2_00EA5F94 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 1_2_00EA5FDD |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 1_2_00EA604B |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 1_2_00EA6124 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi | 1_2_00EA614F |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edx | 1_2_00EA625E |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 1_2_00EA62B5 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 1_2_00EA6343 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 1_2_00EA635D |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], ebp | 1_2_00EA6368 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 1_2_00EA6385 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edx | 1_2_00EA63B4 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 1_2_00EA6483 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 1_2_00EA64F2 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax | 1_2_00EA64FE |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax | 1_2_00EA650A |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi | 1_2_00EA6567 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi | 1_2_00EA65A9 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], eax | 1_2_00EA6610 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 1_2_00EA6685 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx | 1_2_00EA66C2 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 1_2_00EA66E8 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edi | 1_2_00EA6781 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push 00000000h; mov dword ptr [esp], edx | 1_2_00EA67B6 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 1_2_00EA684C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax | 1_2_00EA6858 |
Source: Yara match | File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_00EA2A69 xor edi, dword ptr fs:[00000030h] | 1_2_00EA2A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03462A69 xor edi, dword ptr fs:[00000030h] | 4_2_03462A69 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_03302A69 xor edi, dword ptr fs:[00000030h] | 5_2_03302A69 |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: Yara match | File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000004.00000002.387313333.0000000004BA0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000005.00000002.389073217.0000000004B40000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000002.699200830.0000000000EC0000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 5.2.rundll32.exe.4b40000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 4.2.rundll32.exe.4ba0000.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.2.loaddll32.exe.ec0000.1.raw.unpack, type: UNPACKEDPE |