ID: 171697
Sample Name: Update.exe
Cookbook: default.jbs
Time: 00:19:21
Date: 08/09/2019
Version: 26.0.0 Aquamarine

Table of Contents
Analysis Report Update.exe
  Overview
    General Information
    Detection
    Confidence
    Classification
    Analysis Advice
    Mitre Att&ck Matrix
    Signature Overview
      Networking
      System Summary
      Data Obfuscation
      Persistence and Installation Behavior
      Hooking and other Techniques for Hiding and Protection
      Malware Analysis System Evasion
      Anti Debugging
      Language, Device and Operating System Detection
    Behavior Graph
  Simulations
    Behavior and APIs
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Yara Overview
    Initial Sample
    PCAP (Network Traffic)
    Dropped Files
    Memory Dumps
    Unpacked PEs
  Joe Sandbox View / Context
    IPs
    Domains
    ASN
    JA3 Fingerprints
    Dropped Files
  Screenshots
    Thumbnails
  Startup
  Created / dropped Files
  Domains and IPs
    Contacted Domains
    URLs from Memory and Binaries
    Contacted IPs
  Static File Info
    General
    File Icon
    Static PE Info
      General
      Authenticode Signature
      Entrypoint Preview
      Data Directories
      Sections
      Resources
      Imports
      Version Infos
Copyright Joe Security LLC 2019 Page 2 of 18
  Network Behavior
  Code Manipulations
  Statistics
  System Behavior
    Analysis Process: Update.exe PID: 4272 Parent PID: 2712
      General
      File Activities
        File Created
        File Written
        File Read
  Disassembly
    Code Analysis
Analysis Report Update.exe
Overview
General Information
Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 171697
Start date: 08.09.2019
Start time: 00:19:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 24s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Update.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean4.winEXE@1/3@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 0.7% (good quality ratio 0.5%); Quality average: 53.6%; Quality standard deviation: 34.9%
HCA Information: Successful, ratio: 100%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe; Stop behavior analysis, all processes terminated
Warnings: Exclude process from analysis (whitelisted): dllhost.exe

Detection
Strategy   Score  Range    Whitelisted  Detection
Threshold  4      0 - 100  false        CLEAN

Confidence
Strategy   Score  Range  Further Analysis Required?  Confidence
Threshold  3      0 - 5  true
Analysis Advice
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Classification
[Classification chart: one axis per category (Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner), each scaled clean / suspicious / malicious; the chart image itself is not reproduced here.]
Mitre Att&ck Matrix
Techniques followed by a count in parentheses were matched by signatures in this analysis; the unnumbered entries are the unmatched placeholders Joe Sandbox shows in every column of the matrix.
Initial Access:        Valid Accounts; Replication Through Removable Media
Execution:             Windows Remote Management; Service Execution
Persistence:           Winlogon Helper DLL; Port Monitors
Privilege Escalation:  Port Monitors; Accessibility Features
Defense Evasion:       Disabling Security Tools (1); DLL Side-Loading (1)
Credential Access:     Credential Dumping; Network Sniffing
Discovery:             Query Registry (1); System Information Discovery (1)
Lateral Movement:      Application Deployment Software; Remote Services
Collection:            Data from Local System; Data from Removable Media
Exfiltration:          Data Encrypted (1); Exfiltration Over Other Network Medium
Command and Control:   Standard Cryptographic Protocol (1); Fallback Channels
Signature Overview
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
Networking:
Urls found in memory or binary data
System Summary:
Detected potential crypto function
PE file contains strange resources
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Classification label
Creates files inside the user directory
PE file has an executable .text section and no other executable section
Parts of this application are using the .NET runtime (probably coded in C#)
Reads software policies
Sample might require command line arguments
PE file contains a COM descriptor data directory
PE file has a big code size
PE file has a valid certificate
PE file has a valid certificate with Microsoft as Issuer
Submission file is bigger than most known malware samples
PE file has a big raw section
Contains modern PE file flags such as dynamic base (ASLR) or NX
Data Obfuscation:
PE file contains an invalid checksum
Persistence and Installation Behavior:
Creates install or setup log file
Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)
Malware Analysis System Evasion:
Contains long sleeps (>= 3 min)
May sleep (evasive loops) to hinder dynamic analysis
Anti Debugging:
Creates guard pages, often used to prevent reverse engineering and debugging
Language, Device and Operating System Detection:
Queries the volume information (name, serial number etc) of a device
Queries the cryptographic machine GUID
Behavior Graph
Behavior Graph ID: 171697
Sample: Update.exe
Startdate: 08/09/2019
Architecture: WINDOWS
Score: 4
[Graph: a single process node, Update.exe, marked "started", annotated with 3 created files; no dropped-PE, DNS/IP or Internet edges. Legend entries: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, language (Visual Basic / Delphi / Java / .Net C# or VB.NET / C, C++ or other language), Is malicious, Internet.]
Simulations

Behavior and APIs
No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source      Detection  Scanner     Label  Link
Update.exe  0%         virustotal         Browse

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains
No Antivirus matches

URLs
No Antivirus matches

Yara Overview

Initial Sample
No yara matches

PCAP (Network Traffic)
No yara matches

Dropped Files
No yara matches

Memory Dumps
No yara matches

Unpacked PEs
No yara matches

Joe Sandbox View / Context

IPs
No context

Domains
No context

ASN
No context

JA3 Fingerprints
No context

Dropped Files
No context

Screenshots

Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Startup
System is w10x64
Update.exe (PID: 4272 cmdline: 'C:\Users\user\Desktop\Update.exe' MD5: 498E357CE42BC8FC6D043DE9A10646F4)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log
Process: C:\Users\user\Desktop\Update.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 1265
Entropy (8bit): 5.345885356924421
Encrypted: false
MD5: 088B949FA02D80036941FAA30667E29A
SHA1: B600127A5E14E737E654EA5019AA87DC63D7435E
SHA-256: A48C2312B556B2993E0523804B4644372C669371A669F7382F377712CD2538F2
SHA-512: E7EA7D212CC1E8447F478CAE38FBAD1507B26780893232285D7297F047E9FF342D0EC260D8D9D21A1BD793E5040777436D854F3A712F9563EA225A7DB444C98B
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\84b9171c43be8428a7ceaf253e5d7738\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\2da4cf2bb9a8f8a554da96d83ee20d39\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\7ede7502bdd935f2e31c32146e8206cf\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\74e4951d24e78d60061b6f9f8d6f49f4\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\

C:\Users\user\Desktop\SquirrelSetup.log
Process: C:\Users\user\Desktop\Update.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 62
Entropy (8bit): 4.651067479427662
Encrypted: false
MD5: 85166F613C6912B20B88BC2147FAB977
SHA1: 73038EA0F7D3A8E15D0843128A6A6E29FEF95E41
SHA-256: E7B85B78309D0E2BCFD6395E91C2D2CCFB84A6C273FD1839807DF634D7BA7A4A
SHA-512: F2C3586056FB51C434A67A60609F3F2DF70F2C150585BC2AA1B248731E4B67F8A23946B572498C9A9543114CFADA41EF3F36C576CC40981B6B3B2610D00D00AE
Malicious: false
Reputation: low
Preview: .2019-09-08 00:20:26> Program: Starting Squirrel Updater: ..

\Device\ConDrv (the console device: this "file" is the usage text the updater printed to stdout because it was started without arguments, which is also why the Analysis Advice suggests re-running it with command line options)
Process: C:\Users\user\Desktop\Update.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 2691
Entropy (8bit): 4.1822000607901115
Encrypted: false
MD5: B00FD939F0AA67BD5FCC0C3401951F02
SHA1: 176E4B31F5534B4A7E0E618AE18F539D6FBD5A40
SHA-256: 523E8FA39AA80F81273E1CB7B3C010EFC0F97087C4CE462289DA23DAFD0DD7C6
SHA-512: FD10E275ED0D1B449D4FF553D5C1ED8F9290ED02CEB1BA3B790F6A0AEC701A9644BD656626091290E540EE0ADFC29D8491A1D0780F8517E479911DA5E5335AC4
Malicious: false
Reputation: low
Preview: Usage: Squirrel.exe command [OPTS]..Manages Squirrel packages....Commands.. --install=VALUE Install the app whose package is in the specified.. directory.. --uninstall Uninstall the app the same dir as Update.exe.. --download=VALUE Download the releases specified by the URL and.. write new results to stdout as JSON.. --checkForUpdate=VALUE Check for one available update and writes new.. results to stdout as JSON.. --update=VALUE Update the application to the latest remote.. version specified by URL.. --releasify=VALUE Update or generate a releases directory with a.. given NuGet package.. --generateMsi=VALUE Generate MSI with a given installer package.. --createShortcut=VALUE Create a shortcut for the given executable name.. --removeShortcut=VALUE Remove a

Domains and IPs

Contacted Domains
No contacted domains info

URLs from Memory and Binaries
Name                              Source      Malicious  Antivirus Detection  Reputation
https://github.com/myuser/myrepo  Update.exe  false                           high
https://api.github.com/#          Update.exe  false                           high
https://api.github.com/           Update.exe  false                           high

Contacted IPs
No contacted IP infos

Static File Info
General
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.903169445866686
TrID:
  Win32 Executable (generic) a (10002005/4) 99.94%
  Generic Win/DOS Executable (2004/3) 0.02%
  DOS Executable Generic (2002/1) 0.02%
  Java Script embedded in Visual Basic Script (1500/0) 0.01%
  Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Update.exe
File size: 1801840
MD5: 498e357ce42bc8fc6d043de9a10646f4
SHA1: 62f6b53f0403611552a7f0c52628e83a8934a07e
SHA256: 0683a18cc60d259920281ce6f3c20b5524dea4d84fa0c8d194be96f7da8db605
SHA512: 35332b2cceb4e64dadd64c523297cead93cba91d6286c0ed43913fc8f080ca65a21edd6c42b7ee11ecff6fbebe3c0598a9de597384c18e7faebe1dca6ce1a8de
SSDEEP: 24576:n8miYPA0nRGvaslXipNdspqH2w6wXm/L2oU81YhZYxQlZRjmWmP:n8miAdRGvw+kZ6wX1P0
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......\.............................%... ........@.. ....................................@................................
File Icon
Icon Hash: 10e2acaca4e47a90

Static PE Info

General
Entrypoint: 0x58259e (a virtual address; with Imagebase 0x400000 this is RVA 0x18259e, the last 6 bytes of .text, i.e. the 6-byte jmp stub shown in the Entrypoint Preview)
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5C9308FE [Thu Mar 21 03:46:06 2019 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744 (the import table consists only of mscoree.dll!_CorExeMain, so this imphash is shared by every such .NET executable and does not identify this sample)

Authenticode Signature
Signature Valid: true
Signature Issuer: CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 2/14/2019 1:52:07 PM
Not After: 7/31/2020 2:52:07 PM
Subject Chain: CN=Microsoft 3rd Party Application Component, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version: 3
Thumbprint MD5: 71261DF8F445393D830596103B6B6B3B
Thumbprint SHA-1: 32F28ACBC1B26F28D0EF6773E3E6FBF5E13F3BB0
Thumbprint SHA-256: 8C109F1C8051F398E17FE11AB721B732F84B32D52D8C5958793A4D282610DFAD
Serial: 330000014161EC27309807CFB6000000000141
Entrypoint Preview
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the report repeats the last line 97 times: the bytes after the 6-byte stub are zeros, which disassemble as add byte ptr [eax], al)
Note: 00402000h is Imagebase 0x400000 + RVA 0x2000, the single 8-byte IMAGE_DIRECTORY_ENTRY_IAT slot listed under Data Directories; the loader fills it with the address of mscoree.dll!_CorExeMain, the only import. This is the standard native entry stub of a .NET executable; the managed entry point is reached through the CLR header referenced by IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008.
Data Directories
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x182548         0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x184000         0x30b94       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x1b1600         0x6870
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1b6000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Note: the SECURITY entry holds a file offset rather than an RVA, which is why it is in no section; 0x1b1600 + 0x6870 = 0x1b7e70 = 1801840, so the Authenticode blob runs exactly to the end of the 1801840-byte file.

Sections
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x1805a4      0x180600  False     0.372134146341   data       5.83928870766   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x184000         0x30b94       0x30c00   False     0.260061097756   data       4.44539452832   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x1b6000         0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources
Name           RVA       Size     Type                                                                                                                                      Language  Country
RT_ICON        0x184340  0x6ee4   PNG image data, 1024 x 1024, 8-bit/color RGBA, non-interlaced
RT_ICON        0x18b224  0x32c3   PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
RT_ICON        0x18e4e8  0x181f   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x18fd08  0x10828  dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
RT_ICON        0x1a0530  0x94a8   data
RT_ICON        0x1a99d8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 3238002687, next used block 4294967043
RT_ICON        0x1adc00  0x25a8   data
RT_ICON        0x1b01a8  0x1a68   data
RT_ICON        0x1b1c10  0x10a8   data
RT_ICON        0x1b2cb8  0x988    data
RT_ICON        0x1b3640  0x6b8    data
RT_ICON        0x1b3cf8  0x468    GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0x1b4160  0xae     data
RT_VERSION     0x1b4210  0x3a0    data
RT_MANIFEST    0x1b45b0  0x5e1    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Note: the "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" labels are libmagic guesses for the uncompressed DIB icon images (only the PNG-compressed sizes carry a recognisable header); this is most likely what the "PE file contains strange resources" signature reacts to.

Imports
DLL          Import
mscoree.dll  _CorExeMain

Version Infos
Description       Data
LegalCopyright    Microsoft Corporation
Assembly Version  1.4.4.0
InternalName      Update.exe
FileVersion       1.4.4.0
CompanyName       Microsoft Corporation
LegalTrademarks
Comments          Microsoft Teams
ProductName       Microsoft Teams
ProductVersion    1.4.4.0
FileDescription   Microsoft Teams
OriginalFilename  Update.exe
Translation       0x0000 0x04b0

Network Behavior
No network behavior found

Code Manipulations

Statistics
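The fields in the Static PE Info tables (DLL characteristics, stored versus computed checksum, the COM descriptor and IAT directories, per-section entropy and ZLIB complexity, and the jmp-through-IAT entry stub) can be reproduced with standard-library Python. The following is an added example written for this page; it is not part of the Joe Sandbox report and not code from Squirrel or Microsoft Teams. The PE it parses is a constructed minimal 32-bit file built by build_sample_pe() that copies the layout features the report lists for Update.exe (IAT at RVA 0x2000, CLR header at RVA 0x2008, entry point jmp dword ptr [00402000h], DYNAMIC_BASE | NX_COMPAT | NO_SEH | TERMINAL_SERVER_AWARE, CheckSum left at 0); it is not Update.exe, and a real file is analysed by passing its bytes to parse_pe().

```python
"""Stdlib-only reimplementation of the static PE checks behind the report's
Static PE Info tables. build_sample_pe() is a constructed minimal PE32 that copies
the layout features the report lists for Update.exe; it is NOT Update.exe."""
import math
import struct
import zlib

DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14
IMAGE_FILE_FLAGS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHAR_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                  0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}


def flag_names(value, table):
    return sorted(name for bit, name in table.items() if value & bit)


def shannon_entropy(buf):
    """8-bit Shannon entropy, the report's 'Entropy (8bit)' column."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def pe_checksum(data, checksum_field_off):
    """CheckSum as imagehlp computes it: every dword except the CheckSum field itself,
    folded to 16 bits with end-around carry, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_field_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data):
    """Header fields and per-section statistics as in the report's tables (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                           # after the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    stored_sum = struct.unpack_from("<I", data, opt + 64)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": rsize, "raw_ptr": rptr, "entropy": shannon_entropy(raw),
                         "zlib_complexity": len(zlib.compress(raw)) / len(raw) if raw else 0.0})
    computed = pe_checksum(data, opt + 64)
    return {"image_base": image_base, "entry_rva": entry_rva,
            "file_characteristics": flag_names(chars, IMAGE_FILE_FLAGS),
            "dll_characteristics": flag_names(dll_chars, DLL_CHAR_FLAGS),
            "stored_checksum": stored_sum, "computed_checksum": computed,
            "checksum_valid": stored_sum == computed,
            "has_clr_header": ndirs > DIR_COM_DESCRIPTOR and dirs[DIR_COM_DESCRIPTOR][0] != 0,
            "dirs": dirs, "sections": sections}


def rva_to_offset(info, rva):
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def classify_entry_stub(data, info):
    """The native entry of a .NET EXE is 'FF 25 <abs>' = jmp dword ptr [<abs>], where <abs>
    is an IAT slot the loader fills with mscoree!_CorExeMain."""
    off = rva_to_offset(info, info["entry_rva"])
    if data[off:off + 2] != b"\xff\x25":
        return "native code at entry point"
    target_rva = struct.unpack_from("<I", data, off + 2)[0] - info["image_base"]
    iat_rva, iat_size = info["dirs"][DIR_IAT]
    if info["has_clr_header"] and iat_rva <= target_rva < iat_rva + iat_size:
        return "CLR entry stub: jmp dword ptr [IAT]"
    return "indirect jmp outside the IAT"


def patch_checksum(data):
    """Write the correct CheckSum into the optional header (what a linker's /RELEASE does)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, pe + 24 + 64, pe_checksum(data, pe + 24 + 64))
    return bytes(fixed)


def build_sample_pe(stored_checksum=0):
    """Constructed PE32 (assumption: not Update.exe): one .text section at RVA 0x2000 = raw
    0x200 holding an 8-byte IAT slot, a 0x48-byte CLR header and the stub jmp [0x402000]."""
    image_base = 0x400000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXE|32BIT
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2050)                      # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, image_base, 0x1000, 0x200)  # ImageBase, section/file align
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, stored_checksum)             # CheckSum
    struct.pack_into("<HH", opt, 68, 2, 0x8540)                  # GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TS_AWARE
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_IAT, 0x2000, 0x8)
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(0x200, b"\0")
    body = bytearray(0x200)
    struct.pack_into("<I", body, 8, 0x48)                        # CLR header cb field
    body[0x50:0x56] = b"\xff\x25" + struct.pack("<I", image_base + 0x2000)  # jmp dword ptr [00402000h]
    return bytes(headers + body)
```

Running parse_pe on the constructed file reports checksum_valid False (stored 0) until patch_checksum writes the computed value, and classify_entry_stub returns the CLR stub verdict. Two caveats for reading the report's signatures: Windows only enforces CheckSum for drivers and boot-time images, so a wrong or zero checksum on a user-mode EXE ("PE file contains an invalid checksum") is weak evidence by itself, and the imphash of any .NET binary whose sole native import is mscoree!_CorExeMain is identical, so neither value distinguishes a benign Squirrel updater from a malicious rebuild; the Authenticode chain and the managed metadata are what actually have to be checked.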
System Behavior
Analysis Process: Update.exe PID: 4272 Parent PID: 2712

General
Start time: 00:20:25
Start date: 08/09/2019
Path: C:\Users\user\Desktop\Update.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Update.exe'
Imagebase: 0x470000 (differs from the static Imagebase 0x400000 because the image has DYNAMIC_BASE set and was relocated by ASLR)
File size: 1801840 bytes
MD5 hash: 498E357CE42BC8FC6D043DE9A10646F4
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

File Activities

File Created
File Path  Access  Attributes  Options  Completion  Count  Source Address  Symbol
C:\Users\user\Desktop\SquirrelSetup.log  read attributes | synchronize | generic write  none  synchronous io non alert | non directory file | open no recall  success or wait  1  6C561E60  CreateFileW
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log  read attributes | synchronize | generic write  normal  synchronous io non alert | non directory file  success or wait  1  6DA2CA8D  CreateFileW

File Written
File Path  Offset  Length  Completion  Count  Source Address  Symbol (Value and Ascii, where non-empty, follow on indented lines)
\Device\ConDrv  unknown  0  success or wait  1  6C561B4F  WriteFile
\Device\ConDrv  unknown  36  success or wait  6  6C561B4F  WriteFile
    Value: 55 73 61 67 65 3a 20 53 71 75 69 72 72 65 6c 2e 65 78 65 20 63 6f 6d 6d 61 6e 64 20 5b 4f 50 54 53 5d 0d 0a
    Ascii: Usage: Squirrel.exe command [OPTS]..
\Device\ConDrv  unknown  8  success or wait  20  6C561B4F  WriteFile
    Value: 20 20 20 20 20 20 2d 2d
    Ascii: --
\Device\ConDrv  unknown  7  success or wait  20  6C561B4F  WriteFile
    Value: 69 6e 73 74 61 6c 6c
    Ascii: install
\Device\ConDrv  unknown  6  success or wait  21  6C561B4F  WriteFile
    Value: 3d 56 41 4c 55 45
    Ascii: =VALUE
\Device\ConDrv  unknown  8  success or wait  26  6C561B4F  WriteFile
    Value: 20 20 20 20 20 20 20 20
    Ascii: (spaces only)
\Device\ConDrv  unknown  51  success or wait  39  6C561B4F  WriteFile
    Value: 49 6e 73 74 61 6c 6c 20 74 68 65 20 61 70 70 20 77 68 6f 73 65 20 70 61 63 6b 61 67 65 20 69 73 20 69 6e 20 74 68 65 20 73 70 65 63 69 66 69 65 64 0d 0a
    Ascii: Install the app whose package is in the specified..
\Device\ConDrv  unknown  31  success or wait  11  6C561B4F  WriteFile
    Value: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Ascii: (spaces only)
\Device\ConDrv  unknown  3  success or wait  8  6C561B4F  WriteFile
    Value: 20 20 2d
    Ascii:   -
\Device\ConDrv  unknown  1  success or wait  8  6C561B4F  WriteFile
    Value: 68
    Ascii: h
\Device\ConDrv  unknown  2  success or wait  9  6C561B4F  WriteFile
    Value: 2c 20
    Ascii: ,
\Device\ConDrv  unknown  1  success or wait  9  6C561B4F  WriteFile
    Value: 2d
    Ascii: -
\Device\ConDrv  unknown  1  success or wait  9  6C561B4F  WriteFile
    Value: 3f
    Ascii: ?
\Device\ConDrv  unknown  2  success or wait  2  6C561B4F  WriteFile
    Value: 0d 0a
    Ascii: ..
\Device\ConDrv  unknown  29  success or wait  2  6C561B4F  WriteFile
    Value: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Ascii: (spaces only)
C:\Users\user\Desktop\SquirrelSetup.log  unknown  62  success or wait  1  6C561B4F  WriteFile
    Value: ef bb bf 32 30 31 39 2d 30 39 2d 30 38 20 30 30 3a 32 30 3a 32 36 3e 20 50 72 6f 67 72 61 6d 3a 20 53 74 61 72 74 69 6e 67 20 53 71 75 69 72 72 65 6c 20 55 70 64 61 74 65 72 3a 20 0d 0a (ef bb bf is the UTF-8 BOM)
    Ascii: ...2019-09-08 00:20:26> Program: Starting Squirrel Updater: ..
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log  unknown  1265  success or wait  1  6DA2CC07  WriteFile
    Value (truncated in the report): 31 2c 22 66 75 73 69 6f 6e 22 2c 22 47 41 43 22 2c 30 0d 0a 31 2c 22 57 69 6e 52 54 22 2c 22 4e 6f 74 41 70 70 22 2c 31 0d 0a 33 2c 22 53 79 73 74 65 6d 2c 20 56 65 72 73 69 6f 6e 3d 34 2e 30 2e 30 2e 30 2c 20 43 75 6c 74 75 72 65 3d 6e 65 75 74 72 61 6c 2c 20 50 75 62 6c 69 63 4b 65 79 54 6f 6b 65 6e 3d 62 37 37 61 35 63 35 36 31 39 33 34 65 30 38 39 22 2c 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 61 73 73 65 6d 62 6c 79 5c 4e 61 74 69 76 65 49 6d 61 67 65 73 5f 76 34 2e 30 2e 33 30 33 31 39 5f 33 32 5c 53 79 73 74 65 6d 5c 38 34 62 39 31 37 31 63 34 33 62 65 38 34 32 38 61 37 63 65 61 66 32 35 33 65 35 64 37 37 33 38 5c 53 79 73 74 65 6d 2e 6e 69 2e 64 6c 6c 22 2c 30 0d 0a 33 2c 22 53 79 73 74 65 6d 2e 43 6f 72 65 2c 20 56 65 72 73 69 6f 6e 3d 34 2e 30 2e 30
    Ascii (truncated in the report): 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\84b9171c43be8428a7ceaf253e5d7738\System.ni.dll",0..3,"System.Core, Version=4.0.0

File Read
File Path  Offset  Length  Completion  Count  Source Address  Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4095  success or wait  1  6D663625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  6135  success or wait  1  6D663625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4097  success or wait  1  6D663625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4098  success or wait  1  6D663625  unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  7976  success or wait  1  6D663625  unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll.aux  unknown  176  success or wait  1  6D5CEE1E  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4095  success or wait  1  6D66A974  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  6135  success or wait  1  6D66A974  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4097  success or wait  1  6D66A974  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  4098  success or wait  1  6D66A974  ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config  unknown  7976  success or wait  1  6D66A974  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\2da4cf2bb9a8f8a554da96d83ee20d39\System.Core.ni.dll.aux  unknown  900  success or wait  1  6D5CEE1E  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\84b9171c43be8428a7ceaf253e5d7738\System.ni.dll.aux  unknown  620  success or wait  1  6D5CEE1E  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\b8254ec01c31459d7f6f66e4d6a670a5\PresentationFramework.ni.dll.aux  unknown  2436  success or wait  1  6D5CEE1E  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\7ede7502bdd935f2e31c32146e8206cf\WindowsBase.ni.dll.aux  unknown  1348  success or wait  1  6D5CEE1E  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\74e4951d24e78d60061b6f9f8d6f49f4\PresentationCore.ni.dll.aux  unknown  1832  success or wait  1  6D5CEE1E  ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\95f7be3abae719343f354f3adc883704\System.Xaml.ni.dll.aux  unknown  572  success or wait  1  6D5CEE1E  ReadFile

Disassembly

Code Analysis