Advanced File Analysis System

Information Discovery

Reads data out of its own binary image Show sources

api_process_name

process: DropboxUpdate.exe, pid: 2876, offset: 0x00000000, length: 0x00022f28

Networking

Attempts to connect to a dead IP:Port (6 unique times) Show sources

network_host_ip	104.16.241.184:80 (unknown)
network_host_ip	104.31.75.124:80 (unknown)
network_host_ip	23.67.250.123:80 (United States)
network_host_ip	54.192.39.119:443 (United States)
network_host_ip	72.21.91.29:80 (United States)
network_host_ip	162.125.6.3:443 (United States)

Performs some HTTP requests Show sources

network_url	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA%2BoSQYV1wCgviF2%2FcXsbb0%3D
network_url	http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
network_url	http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl
network_url	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSYagvY3tfizDNoybzVSPFZmSEm0wQUe2jOKarAF75JeuHlP9an90WPNTICEAjFm8I8U0vytRT358KGA6Y%3D
network_url	http://crl3.digicert.com/assured-cs-g1.crl
network_url	http://crl4.digicert.com/assured-cs-g1.crl
network_url	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAXibxWoiKXlI0cyDYA8j6k%3D
network_url	http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
network_url	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
network_url	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAP4cVEQS8cwnZzLED4tzxA%3D
network_url	http://crl.globalsign.net/primobject.crl

Lowering of HIPS/ PFW/ Operating System Security Settings

Attempts to block SafeBoot use by removing registry keys Show sources

registry_delete

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option

Cryptography

At least one IP Address, Domain, or File Name was found in a crypto call Show sources

ioc	www.digicert.com1
ioc	www.digicert.com1.0
ioc	http://www.digicert.com/ssl-cps-repository.htm0
ioc	http://ocsp.digicert.com0C
ioc	http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
ioc	http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
ioc	http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
ioc	http://crl3.digicert.com/assured-cs-g1.crl00
ioc	http://crl4.digicert.com/assured-cs-g1.crl0L
ioc	https://www.digicert.com/CPS0
ioc	http://ocsp.digicert.com0L
ioc	http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
ioc	http://crl4.digicert.com/assured-cs-g1.crl0B
ioc	3.9.1208.0

Packer

The binary likely contains encrypted or compressed data. Show sources

packer_section

name: .rsrc, entropy: 7.94, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00093e00, virtual_size: 0x00093c9c

Stealing of Sensitive Information

Attempts to create or modify system certificates Show sources

registry_write

HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\A031C46782E6E6C662C2C87C76DA9AA62CCABD8E\Blob

Steals private information from local Internet browsers Show sources

file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\jdm2a1on.default\prefs.js
file_read	C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Static Anomaly

Anomalous binary characteristics Show sources

static_pe_anomaly

Actual checksum does not match that reported in PE header

Hooking and other Techniques for Hiding Protection

Creates RWX memory Show sources

injection_rwx_memory

0x00000040, NtAllocateVirtualMemory or VirtualProtectEx

Persistence and Installation Behavior

Installs itself for autorun at Windows startup Show sources

service_create	dbupdate
service_create	"C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe" /svc
file_write	C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job
file_write	C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job

Created a service that was not started Show sources

service_start	dbupdate
service_start	dbupdatem

Malware Analysis System Evasion

A process attempted to delay the analysis task. Show sources

api_process_name

svchost.exe tried to sleep 674 seconds, actually delayed analysis time by 0 seconds

Attempts to repeatedly call a single API many times in order to delay analysis time Show sources

api_process_name

services.exe (460) called API GetSystemTimeAsFileTime 3796291 times

Creates a hidden or system file Show sources

file_write

C:\Users\user\AppData\Local\Temp\BITF1CE.tmp

File Name: A74C1985D541E302ACF7EB49887E7137C35E3237

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: 0c13ace5116c5fc0ba3be8d06caa4f68463ec1ee

MD5: f1d8a2a0e4c25e7db06e4f975d9ce8ce