
Analysis Report vbc.exe.vir

Overview

General Information

Sample Name: vbc.exe.vir (renamed file extension from vir to exe)
Analysis ID: 430987
MD5: 788016c9072423914b96f0d15a61812d
SHA1: 040f85b4ef512bb74990becfa1a5029f92eb65c7
SHA256: df34f3d4030a5ea484108271f749ca5fbc3af0f415051e98b342a505c88971e4

Detection

Family: GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w7x64
  • vbc.exe.exe (PID: 2400, cmdline: 'C:\Users\user\Desktop\vbc.exe.exe', MD5: 788016C9072423914B96F0D15A61812D)

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bara-seck.com/bin_YIuwAXdc211.bin, https://wizumiya.co.jp/html/user_data/"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
vbc.exe.exe | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.2095163938.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
00000000.00000002.3175874940.0000000000401000.00000020.00020000.sdmp | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.vbc.exe.exe.400000.0.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |
0.2.vbc.exe.exe.400000.1.unpack | JoeSecurity_GuLoader_1 | Yara detected GuLoader | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: vbc.exe.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://bara-seck.com/bin_YIuwAXdc211.bin, https://wizumiya.co.jp/html/user_data/"}
Source: vbc.exe.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://bara-seck.com/bin_YIuwAXdc211.bin, https://wizumiya.co.jp/html/user_data/

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\vbc.exe.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\vbc.exe.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\Desktop\vbc.exe.exe | Memory allocated: 76D20000 page execute and read and write
Source: vbc.exe.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.exe, 00000000.00000002.3175842448.0000000000330000.00000008.00000001.sdmp | Binary or memory string: OriginalFilename user32j% vs vbc.exe.exe
Source: vbc.exe.exe, 00000000.00000000.2095192138.0000000000424000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename Superintellectually.exe vs vbc.exe.exe
Source: vbc.exe.exe | Binary or memory string: OriginalFilename Superintellectually.exe vs vbc.exe.exe
Source: vbc.exe.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0
Source: vbc.exe.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vbc.exe.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\vbc.exe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: vbc.exe.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.2095163938.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3175874940.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.0.vbc.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.vbc.exe.exe.400000.1.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_00403112 push dword ptr [ebp-44h]; ret 0_2_0041ECC4
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_0046A965 push eax; ret 0_2_0046A956
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_00464A3C push AFBDCFF2h; iretd 0_2_00464A2E
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_00467F05 push edx; ret 0_2_00467F12
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_00462B1B push ebp; retf 0_2_00462B0A
Source: C:\Users\user\Desktop\vbc.exe.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_00463895
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_0046BB26
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_0046BB2B

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\vbc.exe.exe | RDTSC instruction interceptor: First address: 0000000000469BBF second address: 0000000000469BBF instructions: 0x00000000 rdtsc 0x00000002 mov eax, 4A1014F8h 0x00000007 xor eax, 91CBACF6h 0x0000000c xor eax, 7F9DE2BDh 0x00000011 xor eax, A4465AB2h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FCE68367844h 0x0000001e lfence 0x00000021 mov edx, C49425E1h 0x00000026 xor edx, 40636495h 0x0000002c sub edx, D2D01692h 0x00000032 xor edx, CDD92AF6h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d jmp 00007FCE68367836h 0x0000003f test al, bl 0x00000041 cmp al, E3h 0x00000043 jmp 00007FCE68367836h 0x00000045 cmp ch, 0000006Dh 0x00000048 cmp bh, ah 0x0000004a ret 0x0000004b sub edx, esi 0x0000004d ret 0x0000004e add edi, edx 0x00000050 dec dword ptr [ebp+000000F8h] 0x00000056 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005d jne 00007FCE683677B4h 0x0000005f jmp 00007FCE68367836h 0x00000061 test ah, ch 0x00000063 call 00007FCE68367826h 0x00000068 call 00007FCE68367865h 0x0000006d lfence 0x00000070 mov edx, C49425E1h 0x00000075 xor edx, 40636495h 0x0000007b sub edx, D2D01692h 0x00000081 xor edx, CDD92AF6h 0x00000087 mov edx, dword ptr [edx] 0x00000089 lfence 0x0000008c jmp 00007FCE68367836h 0x0000008e test al, bl 0x00000090 cmp al, E3h 0x00000092 jmp 00007FCE68367836h 0x00000094 cmp ch, 0000006Dh 0x00000097 cmp bh, ah 0x00000099 ret 0x0000009a mov esi, edx 0x0000009c pushad 0x0000009d rdtsc
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_00468C4F rdtsc
Source: C:\Users\user\Desktop\vbc.exe.exe | API coverage: 7.0 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\vbc.exe.exe | Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_00468C4F rdtsc
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: vbc.exe.exe, 00000000.00000002.3175940908.00000000008C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: vbc.exe.exe, 00000000.00000002.3175940908.00000000008C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: vbc.exe.exe, 00000000.00000002.3175940908.00000000008C0000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\user\Desktop\vbc.exe.exe | Code function: 0_2_0046BB2B cpuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Virtualization/Sandbox Evasion 11 | OS Credential Dumping | Security Software Discovery 31 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery 211 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
