Strings found in binary or memory:

- ents5.google.com/complete/search?hl=
- ca.lycos.it/
- queda.aol.
- car.ya.com/
- cador.terra.es/
- cador.terra.com/favicon.ico
- cador.terra.com/
- cador.terra.com.br/
- cador.lycos.es/
- ca.uol.com.
- ca.orange.
- ca.igbusca.
- ca.estadao.
- ca.buscape.
- wse.guardian.co.uk/favicon.ico
- wse.guardian.co.uk/
- search.yahoo.com/
- o.search.msn.com/response.asp?MT=
- ne.jp/favicon.ico
- anna.libero.it/favicon.ico
- anna.libero.it/
- adna.elmundo.es/favicon.ico
- adna.elmundo.es/
- zon.fr/
- Efacebookhttp://om// equals m (Facebook)
- equals (Youtube)
- equals com (Facebook) Source: install-android-password-reset-tool.htm0.14.dr
- w.rambler.com/ equals www.facebook.com (Facebook)
- w.facebook.

Found strings which match to known social media urls

HTTP traffic detected:

- GET /thankyou/install-android-password-reset-tool.html HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0 rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: www.tenorshare.com Connection: Keep-Alive

Behaviour indicators:

- Uses code obfuscation techniques (call, push, ret)
- Stores files to the Windows start menu directory
- Sample file is different than original file name gathered from version info
- Sample execution stops while process was sleeping (likely an evasion)
- Queries the volume information (name, serial number etc) of a device
- PE file contains sections with non-standard names
- May sleep (evasive loops) to hinder dynamic analysis
- JA3 SSL client fingerprint seen in connection with other malware
- IP address seen in connection with other malware
- Detected unpacking (creates a PE file in dynamic memory)
- Contains functionality for read data from the clipboard
- Contains functionality to detect virtual machines (SLDT)
- Contains functionality to shutdown / reboot the system
- Creates a process in suspended mode (likely to inject code)
- Found dropped PE file which has not been started or loaded