Case 3:17-cv-05659-WHA Document 98-22 Filed 06/07/18 Page 1 of 3
EXHIBIT 19
5/25/2018

Case 3:17-cv-05659-WHA Document 98-22 Filed 06/07/18 Page 2 of 3
JBX Analysis Report

Sections: Overview | Startup | Dropped | Domains/IPs | Static | Strings | Network | Hooks | System | Behavior | Disassembly

General Information

Analysis ID: 25393
Start time: 13:47:02
Start date: 09/11/2012
Overall analysis duration: 0h 3m 20s
Sample file name: vm_trickssample
Cookbook file name: default.jbs
Analysis system description: XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
SCAE enabled: true
SCAE success: true, ratio: 98%
Warnings:
  * Too many NtQueryDirectoryFile calls (excessive behavior)
  * Too many NtProtectVirtualMemory calls (excessive behavior)

Classification / Threat Score

Persistence, Installation, Boot Survival:
Hiding, Stealthiness, Detection and Removal Protection:
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection:
Spreading:
Exploiting:
Networking:
Data spying, Sniffing, Keylogging, Ebanking Fraud:

Matching Signatures

Behavior Signatures
Creates files inside the user directory
Queries a list of all running processes
Spawns processes
URLs found in memory or binary data
Binary may include packed or crypted data
Checks if the current process is being debugged
Creates files inside the system directory

https://www.joesecurity.org/reports/report-6b16c4526a013e744b3d91cd7a091c361.html

1/68

FINJAN-JN 304955

Case 3:17-cv-05659-WHA Document 98-22 Filed 06/07/18 Page 3 of 3
Behavior Signatures

Creates mutexes
  \BaseNamedObjects\Local\c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
  \BaseNamedObjects\Local\c:!documents and settings!networkservice!cookies!
  \BaseNamedObjects\Local\c:!documents and settings!networkservice!local settings!history!history.ie5!
Drops PE files
Enumerates the file system
Found strings which match to known social media URLs
May have tried to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
PE sections with suspicious entropy found
Performs DNS lookups
Posts data to webserver
Tries to load a missing dll
  ssleay32.dll libeay32.dll libssl32.dll
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains capabilities to detect virtual machines
Creates an autostart registry key
Creates autorun.inf (USB autostart)
Modifies the context of a thread in another process (thread injection)

Code Signatures
Contains functionality to download additional files from the internet
Contains functionality to enumerate / list files inside a directory
Contains functionality to query local / system time
Contains functionality to start windows services
Contains functionality to dynamically determine API calls

Startup

* system is xp
  * vm_trickssample.exe (PID: 656 MD5: 6B16C4526A013E744B3D91CD7A091C36)
    * vm_trickssample.exe (PID: 608 MD5: 6B16C4526A013E744B3D91CD7A091C36)
  * svchst.exe (PID: 1084 MD5: 6B16C4526A013E744B3D91CD7A091C36)
    * svchst.exe (PID: 1356 MD5: 6B16C4526A013E744B3D91CD7A091C36)
* cleanup

Created / dropped Files

File Path
C:\Documents and Settings\NetworkService\Local Settings\Application Data\sLT.exf
C:\WINDOWS\mssys.dll
C:\WINDOWS\svchst.exe
C:\autorun.inf
\ROUTER
\net\NtControlPipe20

Contacted Domains

Name | MD5 | IP | NameServer | Active | Registrar | e-Mail
mahaajan.in | DS5AB441BD47EDE42EF7FBDB58D6DA541, 879631FB71EEFO07DB32A97E8DAD372EA, 6B16C4526A013E744B3D91CD7A091C36, 22E7E2047F46662384F9IEACTEFCC806, C485FFBBCB652D92B63F1BF3301D6609 | 208.91.198.109 | ns2.md-4.webhostbox.net ns1.md-4.webhostbox.net | true | Directi Web Services Pvt. Ltd. (R118-AFIN) | support@vikcon.in
http://mahaajan.in/dd/ | 8E48D13549E3A7D91FFA1925918CBEDD | unknown | unknown | false | unknown | unknown

Contacted IPs

IP | Country | Pingable | Open Ports
208.91.198.109 | unknown | true | 21 80 443
195.186.1.121 | SWITZERLAND | false |
195.186.4.121 | SWITZERLAND | false |

https://www.joesecurity.org/reports/report-6b16c4526a013e744b3d91cd7a091c361.html

2/68

FINJAN-JN 304956
