Ransomware Installation method using NSIS Installer

Introduction

Over the past few years, we have seen various ways for executing malicious code.

Lately, we’ve noticed a highly complicated one, which uses many layers of evasion techniques: wrapping internal parts with an NSIS installer, XOR encryption, code injection and even the Heaven’s Gate technique. Two of the best-known ransomware families were recently observed using this technique: Locky and Cerber, both in their new versions.

One of the techniques used with NSIS is the “System” plugin, which allows the NSIS installer to call the Win32 API. This enables the attackers to allocate executable memory and execute a code stub which, in turn, decrypts the actual payload of the ransomware, thus hiding its content from security vendors. The fact that everything happens in memory makes it even harder to detect.

The ransomware also uses a technique called “Heaven’s Gate”, for two main reasons.

First, it allows 64-bit code to be called from a 32-bit process. The ransomware uses this technique to bypass API hooks in ntdll.dll (placed by security vendors) and use system calls directly instead of going through the standard APIs (which are allowed only through 64 bit). This technique has been used several times by Trojans in the wild (one of them is Vawtrak, a banking Trojan – the biggest and most recognized family known to have used Heaven’s Gate).

Second, it is a great way to obfuscate the code. Almost all debuggers seem to be ineffective in dealing with this technique – executing 64-bit code from a 32-bit process (only remote kernel debugging using windbg can step through the code). The debuggers do not handle the situation very well since they are designed to handle only one architecture at a time.

To complicate things even further, the ransomware uses a technique called “Process Hollowing” to execute the installer. Process Hollowing is a technique where an attacker creates a new process in a suspended state, and replaces its image with the one that is to be hidden. The installer itself is also encrypted inside NSIS and cannot be traced by security vendors. It is decrypted only at run-time.

The interesting thing with the implementation of this technique is that it is not a typical process hollowing. The ransomware creates a shared section (which contains the ransomware’s installer) between the two processes, and directs the execution of the new process to the new section.

As part of the research we came across several ransomware families that use the exact same evasion techniques: both Locky and Cerber (from different versions) reveal the exact same behavior, starting with the usage of NSIS, the same NSIS script obfuscation, the same XOR encryption, decryption of the installer at run-time, usage of the Heaven’s Gate technique and, last, the same process hollowing implementation.

NSIS Installer

One of the techniques used in this installation method is the usage of NSIS (Nullsoft Scriptable Install System) installer.

NSIS is a professional open source system used to create Windows Installers. Unlike other systems that can only generate installers based on a list of files and registry keys, NSIS has a powerful scripting language. This script language is designed for installers and has commands that help perform many installation tasks. You can easily add custom logic and handle different upgrades, version checks, and more.

One of the main features of NSIS is the use of plugins, which extends NSIS abilities. They can be written in C, C++, Delphi or another language and can be used to perform installation tasks or extend the installer interface.

One of the plugins that Cerber and Locky use is the “System” plugin, which allows the installer to communicate with the operating system [2] and even to call functions exported by external DLLs (and thus allows the installer to call Win32 APIs exported by kernel32.dll).

Locky and Cerber installers take advantage of this: by calling Win32 APIs, they are able to execute malicious shellcode.

In this report, we have examined the Locky ransomware (SHA256: c976db2208c3fda077da5cd51355f958417b7d3d180a817aaeb7a62acf9faf83). Please note that everything explained here applies to other versions of Locky and Cerber.

Referenced IoC are mentioned at the end of the article.

NSIS Installer structure

NSIS installers can be decompressed using 7-Zip. Locky’s NSIS file is fairly simple and contains the following files and directories:

– [NSIS].nsi – the main script file (clear-text).
– 3FKGytBDrBQsD6lyO3ahoqj.2tiUAHhzBB4k0X – the actual shellcode and the “business logic” of Locky’s execution method. This file also contains encrypted content (which will be explained in-depth later in this article).
– $PLUGINSDIR – the directory which contains the plugins the installer is using.

Script Analysis

As mentioned earlier, NSIS is a script-based installer, and by using 7-Zip, we were able to open the installer and extract its files, including the actual script, which was used to build the installer.

By looking at the file [NSIS].nsi, we examined the logic behind the installer and were able to see exactly what it is doing.

According to the NSIS documentation, the function “.onInit” is a callback, which is called when the installer has nearly finished initializing, as this is the actual “main” function of the installer.

Taking a look into “.onInit” function on Locky’s installer reveals a simple logic to execute the shellcode.

First, it writes the installation files to the %temp% directory (which is the installation directory), and by using the “System” plugin (by calling the “CreateFile” function), it opens a handle to the file containing the actual shellcode.

The script author probably wrote this code this way to obfuscate and confuse.

According to NSIS documentation, the result of the function (in this case – the handle) is put to the “r0” variable.

The second step is allocating a memory region using the “VirtualAlloc” function with PAGE_EXECUTE_READWRITE permissions (0x40).

The size of the region is the same as the size of the file containing the shellcode and the encrypted content (3FKGytBDrBQsD6lyO3ahoqj.2tiUAHhzBB4k0X), which happens to be 120464 bytes. The address of the newly allocated memory is put inside the “r1” variable.

The third step is to read the content of the “3FKGytBDrBQsD6lyO3ahoqj.2tiUAHhzBB4k0X” file (with the “r0” handle, as returned from the “CreateFile” function) into the newly allocated memory region (the “r1” variable, as returned from the “VirtualAlloc” function).

Now that the code has everything in place, the fourth step is to call the main function of the shellcode and pass “\3FKGytBDrBQsD6lyO3ahoqj.2tiUAHhzBB4k0X” as a parameter. The main shellcode function is at offset 97508 from the beginning of the allocated memory.
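
A defender-side triage check for the four steps above, as an added example (not code from the original article or from the authors' tool): it scans a script recovered from an installer for a System::Call chain that allocates executable memory, reads a file into it, and then calls an address derived from that allocation. The sample scripts are constructed from the values quoted above (the real Locky script is not reproduced on this page), and the function and stage names are this example's own.

```python
import re

# System::Call '<dll>::<func>(<args>) <ret>' as it appears in a recovered .nsi
CALL_RE = re.compile(r"""System::Call\s+(['"])(?P<body>.*)\1""", re.I)
BODY_RE = re.compile(
    r"^(?P<dll>[\w.]*)::(?P<func>[^\s(]+)\s*\((?P<args>.*)\)(?P<ret>.*)$")
INTOP_RE = re.compile(r"IntOp\s+\$(\d)\s+\$(\d)\s*\+", re.I)
EXEC_MASK = 0xF0  # PAGE_EXECUTE (0x10) .. PAGE_EXECUTE_WRITECOPY (0x80)


def reg(token):
    """Map 'r1', '.r1' or '$1' to the register number '1'; None otherwise."""
    m = re.fullmatch(r"\.?r(\d)|\$(\d)", token)
    return (m.group(1) or m.group(2)) if m else None


def last_token(field):
    """Drop the System plugin type prefix ('i', 't', '*i', ...) from a field."""
    parts = field.split()
    return parts[-1] if parts else ""


def scan_nsi(script):
    """Return (line_no, stage, detail) for each step of the loader pattern."""
    findings, exec_regs = [], set()
    for no, line in enumerate(script.splitlines(), 1):
        m = INTOP_RE.search(line)
        if m and m.group(2) in exec_regs:
            exec_regs.add(m.group(1))  # pointer arithmetic on the buffer
            continue
        m = CALL_RE.search(line)
        body = BODY_RE.match(m.group("body").strip()) if m else None
        if not body:
            continue
        func = body.group("func")
        args = [last_token(a) for a in body.group("args").split(",")]
        if func.lower() == "virtualalloc" and len(args) == 4:
            try:
                prot = int(args[3], 0)
            except ValueError:
                continue
            out = reg(last_token(body.group("ret")))
            if prot & EXEC_MASK and out:
                exec_regs.add(out)
                findings.append((no, "exec-alloc", f"protection {prot:#x} -> ${out}"))
        elif func.lower() == "readfile" and len(args) >= 2 and reg(args[1]) in exec_regs:
            findings.append((no, "file-into-exec-memory", f"buffer ${reg(args[1])}"))
        elif body.group("dll") == "" and reg(func) in exec_regs:
            findings.append((no, "call-into-buffer", f"target ${reg(func)}"))
    return findings


def is_shellcode_loader(script):
    """True only when all three stages of the chain are present."""
    stages = {stage for _, stage, _ in scan_nsi(script)}
    return stages >= {"exec-alloc", "file-into-exec-memory", "call-into-buffer"}


# Constructed sample: the same four steps, with the sizes and offset quoted above.
SUSPICIOUS_NSI = r"""Function .onInit
  InitPluginsDir
  SetOutPath $TEMP
  File 3FKGytBDrBQsD6lyO3ahoqj.2tiUAHhzBB4k0X
  System::Call 'kernel32::CreateFile(t "$TEMP\3FKGytBDrBQsD6lyO3ahoqj.2tiUAHhzBB4k0X", i 0x80000000, i 0, i 0, i 3, i 0, i 0) i .r0'
  System::Call 'kernel32::VirtualAlloc(i 0, i 120464, i 0x3000, i 0x40) i .r1'
  System::Call 'kernel32::ReadFile(i r0, i r1, i 120464, *i .r2, i 0)'
  IntOp $3 $1 + 97508
  System::Call '::$3(t "\3FKGytBDrBQsD6lyO3ahoqj.2tiUAHhzBB4k0X")'
FunctionEnd
"""

# Constructed benign sample: System plugin use without executable memory.
BENIGN_NSI = r"""Function .onInit
  System::Call 'kernel32::GetTickCount() i .r0'
  System::Call 'kernel32::VirtualAlloc(i 0, i 4096, i 0x3000, i 0x04) i .r1'
  System::Call 'kernel32::ReadFile(i r0, i r1, i 4096, *i .r2, i 0)'
FunctionEnd
"""

if __name__ == "__main__":
    for finding in scan_nsi(SUSPICIOUS_NSI):
        print(finding)
```

The check is static and string-based, so it only works on a script that has been recovered in clear text, as in the extraction described above.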

The Shellcode

By first looking at the shellcode, we can clearly see that it is obfuscated in some way.

Traversing through the code reveals an interesting way to XOR the code. The shellcode works in such a way that each part is responsible for XORing the next part, which in turn is responsible for XORing the part after it, and so forth. In this specific example, it took 2 cycles of XORing until we reached the actual “business logic” of the execution phase, but other examples were different: some had 7 cycles and some had 5.

XORing Process

This process works in an interesting way. First, it traverses through the XORed content and looks for the byte “0x4E”.

Since the code is XORed, OllyDbg cannot parse the full code and some of it is missing. Once the code increases the index (EBP register) by 1, it jumps back to the actual check for 0x4E.

As soon as the code finds the address containing 0x4E, it is time to search for the XOR keys.

The way the shellcode searches for the XOR keys is fairly simple, yet a bit complicated. The 0x4E byte is a marker of the next section of code to be “DE-XOR”. Each of these sections has the following header:

table 1

The way the shellcode initializes the XOR keys is simple. It initializes the ESI register to 0, and checks if the result of Value ^ ESI matches the value inside “XOR keys”. As soon as it finds a match, it replaces the content of “XOR Keys” with ESI and now the keys have been initialized.

EAX contains the result of Value ^ ESI, while [EBP+4] is the uninitialized XOR keys. If it did not find a match, it increases ESI by 1. Once ESI has been increased, it performs the XOR again, and does the comparison again.

As soon as ESI has given the correct value for the comparison to be true, the “XOR Keys” are replaced with ESI.

If, for example, ESI = 0xABCDEF12 gives the correct result, the XOR keys will be as follows:

Key1 = AB

Key2 = CD

Key3 = EF

Key4 = 12

Now that we have the XOR keys, loop “Section Size” times from “Code to be DE-XOR” and XOR each byte with its key, respectively:

table 2

EDX is our counter. Check that we haven’t passed “Section Size”.

The loop continues and the shellcode XORs the next byte in line.

The CL register contains the current key being used to do the XOR action. If the counter reaches 4, EBX needs to be set to 0 and the loop has to be done again.

Once the shellcode has DE-XORed all the relevant bytes, it jumps to the next section of code.

The entire process takes place one more time, and afterwards it jumps to the actual business logic of Locky.
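
For an analyst unpacking these layers statically, the counting loop does not have to be emulated: Value ^ ESI == stored is the same statement as ESI == Value ^ stored. The following is an added example (not code from the original article or the authors' extractor) that shows the shellcode's search next to the one-step shortcut, plus the four-key rolling XOR. The header field offsets are not reproduced on this page, so the functions take the two header values and the section bytes as arguments; all sample bytes are constructed.

```python
MASK32 = 0xFFFFFFFF


def brute_force_key(value, stored, limit=1 << 32):
    """What the shellcode does: count ESI up from 0 until Value ^ ESI == stored."""
    for esi in range(limit):
        if (value ^ esi) & MASK32 == stored:
            return esi
    raise ValueError("no key found below limit")


def recover_key(value, stored):
    """Analyst shortcut: solve Value ^ ESI == stored for ESI in one step."""
    return (value ^ stored) & MASK32


def split_keys(esi):
    """0xABCDEF12 -> [0xAB, 0xCD, 0xEF, 0x12], i.e. Key1..Key4 as listed above."""
    return list(esi.to_bytes(4, "big"))


def dexor(section, esi):
    """XOR each byte with Key1..Key4 in turn, wrapping after the fourth key."""
    keys = split_keys(esi)
    return bytes(b ^ keys[i % 4] for i, b in enumerate(section))


def find_marker(buf, marker=0x4E, start=0):
    """Offset of the first marker byte at or after start, or -1 if absent."""
    return buf.find(bytes([marker]), start)


# Constructed demonstration values (not taken from a real sample).
DEMO_VALUE = 0x11223344
DEMO_KEY = 0x000001F3                      # small, so the counting loop ends quickly
DEMO_STORED = DEMO_VALUE ^ DEMO_KEY        # what the header field would hold
DEMO_PLAIN = b"next stage code"
DEMO_ENCODED = dexor(DEMO_PLAIN, 0xABCDEF12)   # XOR is its own inverse

if __name__ == "__main__":
    print(hex(brute_force_key(DEMO_VALUE, DEMO_STORED)))
    print(hex(recover_key(DEMO_VALUE, DEMO_STORED)))
    print(dexor(DEMO_ENCODED, 0xABCDEF12))
```

The marker byte differs between samples (0x4E for this Locky file), so it is a parameter rather than a constant.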

Business Logic

Locky and Cerber install themselves using a known method which has many techniques of implementation – Process Hollowing. Digging into the code revealed an interesting implementation for this attack method.

Getting Kernel32 & NTDLL Imagebase:

Locky and Cerber use a well-known technique to find the base addresses of core libraries.

Since shellcode needs to call Win32 APIs, it needs to find their addresses. To do so, the shellcode accesses the PEB (Process Environment Block), which contains a linked list of loaded modules and their base addresses. This specific function receives the library name as input and returns the image base of the requested library.

As soon as the code has the image base address of kernel32.dll, it goes through the export table and looks for 22 functions in kernel32, 10 functions in advapi32.dll, and 4 from ntdll.dll.

The way it looks for a specific function’s address is fairly unique – it passes the search function some kind of CRC32 calculation of a string, goes through the export table of the specified DLL and calculates the CRC32 for each of the exported functions. As soon as it has a match to the one it was looking for, the shellcode retrieves the address and stores it (I didn’t go into much detail about how they calculate the CRC32, but it looks like CRC32 since they are using a CRC32 lookup table with the polynomial value “0x04C11DB7”). The functions are searched for that way *possibly* to hide which functions they are actually searching for.

Mapping NTDLL

An interesting thing happening inside the shellcode, is the mapping of ntdll.dll.

First, the code opens a handle to ntdll.dll, allocating enough space using VirtualAlloc (size is the size of ntdll.dll, received by GetFileSize). It then reads the content of ntdll.dll into the newly allocated memory. Please note that even when the path displays “C:\Windows\SYSTEM32” it actually points to “C:\Windows\SysWOW64” since the process is 32-bit.

Second, by hopping over IMAGE_OPTIONAL_HEADER, it goes straight to the sections of ntdll.dll.

Third, allocate enough space to contain the mapped image of ntdll (with the size given by the “SizeOfImage” field of ntdll).

Fourth, copy the headers (the size of the headers is determined by the “SizeOfHeaders” field inside IMAGE_OPTIONAL_HEADER).

Fifth, copy the sections (the number of sections to copy is determined by the “NumberOfSections” field inside IMAGE_FILE_HEADER).

As soon as NTDLL is mapped into memory, something interesting happens. The code searches for a specific function’s address (using the CRC32 method described above) inside the mapped ntdll. As soon as it has the function address, the shellcode extracts the system call identifier belonging to that function. To understand this process, we need to understand how system call numbers are set:

Every Nt* function begins with the same opcode (MOV EAX, IMM32), and the next four bytes determine the system call number. Therefore, we expect the first byte to be B8h (MOV EAX, IMM32), and the next four to be the system call number. This is exactly what happens in the shellcode.

This is probably done to bypass the hooking mechanisms of security solutions, evade monitoring and obtain basic code obfuscation. The process is fairly simple – instead of using normal high-level APIs, the registers are set up and sysenter / syscall is called (sysenter – x32 architecture, syscall – x64 architecture).

The problem with system calls is that they vary between Windows versions and there is no API to obtain a system call number. But this can be achieved at runtime using ntdll.dll. Let’s dig deeper to understand what exactly is happening with the extracted system call number.

Heaven’s Gate

As soon as the shellcode retrieves the system call number, it uses a technique called “Heaven’s Gate” to execute 64-bit code from a 32-bit process.

Every process (either 64-bit or 32-bit) executed on 64-bit Windows is first executed as 64-bit. The first code to execute is the 64-bit ntdll, which is in charge of initializing the process (as a 64-bit process, even if the process is 32-bit). Only later does WoW64 (Windows-On-Windows) take over and load the 32-bit version of ntdll.dll, and execution begins through a far jump to a compatibility code segment. It cannot go back to the 64-bit world, except in the case of system calls. The 32-bit ntdll.dll that was loaded contains a series of instructions to jump back into 64-bit mode (instead of the SYSCALL instruction which exists in the 64-bit ntdll.dll) so the SYSCALL instruction can be issued.

Basically, WOW64 is composed of a full set of 32-bit stub libraries that make the app run smoothly while it manages the switch between 32-bit and 64-bit code.

Heaven’s Gate is a really simple way to transition between 32-bit and 64-bit code. For every process running on 64-bit Windows, two code segments are allocated.

Code segment 0x23 -> x86 mode

Code segment 0x33 -> x64 mode

This is also what is used in the shellcode. Once it receives the required system call number, it is time to switch to x64 mode to execute a SYSCALL command.

Inside the 64-bit code, we can see a SYSCALL.

Basically, the shellcode uses a SYSCALL to bypass hooking mechanism and to make the code harder to debug, since almost all debuggers seem to be ineffective in dealing with these jumps (only remote kernel debugging using windbg can step through the code).

Also, the debuggers do not handle the situation very well since debuggers are designed to handle only one architecture at a time.

Process Hollowing

The shellcode tries to achieve several purposes using Heaven’s Gate:

Decrypt the PE which will be used as the code to be executed inside the process host

Remember the file “3FKGytBDrBQsD6lyO3ahoqj.2tiUAHhzBB4k0X” which NSIS wrote to temp? Time to use it. A handle is opened to the file.

As soon as it has a handle, it allocates space and reads the whole content of the file into the newly allocated memory. It then allocates another memory region, where the size is extracted from “3FKGytBDrBQsD6lyO3ahoqj.2tiUAHhzBB4k0X” at offset 0x5C.

As soon as allocation is complete – it copies the content from offset 0x64 of “3FKGytBDrBQsD6lyO3ahoqj.2tiUAHhzBB4k0X” to the newly allocated memory (size to copy is the size extracted previously). Now that we have the content, it is time to decrypt!

And this is where the magic happens. The encryption key is the filename of the main file it previously extracted (“3FKGytBDrBQsD6lyO3ahoqj.2tiUAHhzBB4k0X”).

A WILD non-valid PE APPEARS!

This buffer is compressed, so it needs to be decompressed. This is why the shellcode allocates a new memory region (the size of the uncompressed buffer is also extracted from the file), and calls RtlDecompressBuffer.

0x102 is the compression format. It stands for 0x100 | 0x2, where 0x100 is the maximum compression level, and 0x02 is the LZNT1 compression algorithm.

A wild valid PE appears!

Apparently, the file is a known variant of Locky (SHA256: 31af9ea19741da26235b9f6e253da5112d27260545cf3034bd12ff36a8b65dad)
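
To reproduce the carving and decompression steps offline, without calling RtlDecompressBuffer on an analysis host, the following added example (not code from the original article or the authors' extractor) carves the blob using the 0x5C and 0x64 offsets given above, decodes LZNT1, and checks whether the result is a valid PE. It assumes the size at 0x5C is a little-endian DWORD, and it starts from an already decrypted buffer because the decryption routine is not reproduced on this page; the function names and all sample bytes are constructed for the example.

```python
import struct


def carve_blob(container, size_off=0x5C, data_off=0x64):
    """Return the embedded blob: length at 0x5C, data starting at 0x64."""
    (size,) = struct.unpack_from("<I", container, size_off)
    blob = container[data_off:data_off + size]
    if len(blob) != size:
        raise ValueError("declared size runs past the end of the file")
    return blob


def decode_chunk(chunk):
    """Decode one compressed LZNT1 chunk (flag bytes, literals, back-references)."""
    dst = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:          # literal byte
                dst.append(chunk[i])
                i += 1
                continue
            if i + 2 > len(chunk):
                raise ValueError("truncated back-reference")
            token = int.from_bytes(chunk[i:i + 2], "little")
            i += 2
            # The offset/length split of the 16-bit token depends on how much
            # of the chunk has been produced so far.
            shift, mask, n = 12, 0x0FFF, len(dst) - 1
            while n >= 0x10:
                shift -= 1
                mask >>= 1
                n >>= 1
            back = (token >> shift) + 1
            length = (token & mask) + 3
            if back > len(dst):
                raise ValueError("back-reference before start of chunk")
            for _ in range(length):             # byte-wise: ranges may overlap
                dst.append(dst[-back])
    return dst


def lznt1_decompress(src):
    """Decompress an LZNT1 stream (compression format 0x2)."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(src):
        header = int.from_bytes(src[pos:pos + 2], "little")
        pos += 2
        if header == 0:                         # end-of-stream marker
            break
        size = (header & 0x0FFF) + 1
        chunk = src[pos:pos + size]
        if len(chunk) < size:
            raise ValueError("truncated chunk")
        pos += size
        out += decode_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def looks_like_pe(buf):
    """MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed test data: a minimal MZ/PE stub stored as one uncompressed chunk,
# and a compressed chunk (3 literals + one back-reference) for "ABCABCABC".
DEMO_PE = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
DEMO_STORED = struct.pack("<H", 0x3000 | (len(DEMO_PE) - 1)) + DEMO_PE
DEMO_PACKED = bytes.fromhex("05b0084142430320")
DEMO_CONTAINER = bytes(0x5C) + struct.pack("<I", len(DEMO_STORED)) + bytes(4) + DEMO_STORED

if __name__ == "__main__":
    blob = carve_blob(DEMO_CONTAINER)
    print(looks_like_pe(blob), looks_like_pe(lznt1_decompress(blob)))
```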

Now that the shellcode has everything it needs, what’s next?

The shellcode executes the same process it is running from (for example, if the code runs from calc.exe, it executes calc.exe again) in a SUSPENDED_STATE, a strong indication of process hollowing.

The following step is to get the main thread context, to direct execution afterwards.

Replacing the content of the suspended process

What is interesting in this case is that it is not a typical process hollowing.

In order to replace the content of the suspended process, the code maps ntdll.dll again and, using the search mechanism (CRC32), searches for the system call number of “NtReadVirtualMemory”, which is equivalent to the Win32 API “ReadProcessMemory” and is used to determine the base address of the destination image.

Once it has the base address, it searches again, but this time for the system call number of “NtCreateSection”, and creates a section with an ACCESS_MASK of SECTION_MAP_WRITE | SECTION_MAP_READ | SECTION_MAP_EXECUTE.

Now that the code has created the section, it searches for the system call number of “NtMapViewOfSection” in order to map the section created previously into the suspended process (I know this since the process handle is passed to NtMapViewOfSection).

It does this again, but this time it maps the section into its own address space (since the process handle is -1). This means that the section is shared between the processes.

The next step is to map the decrypted PE (Locky’s image decrypted earlier) to the section. It is done exactly the same way as it mapped ntdll.dll – parse Locky’s image, and copy the headers and sections.

Now the section is shared between the two processes and contains Locky’s PE. It now searches for the system call number of “NtWriteVirtualMemory”, which is the equivalent of the Win32 API “WriteProcessMemory”. With this function, the code replaces the ImageBaseAddress in the suspended process with Locky’s PE ImageBase.

[Figure: Thread Information Block of the suspended process]

From the picture above, we can see the Thread Information Block of the suspended process (the right window). We can see that offset 30h points to the PEB (Process Environment Block) of the suspended process. The parameter passed to NtWriteVirtualMemory (equivalent of “WriteProcessMemory”) is the address of PEB+8h (+8h is the offset to PEB.ImageBaseAddress).

Now that everything is in place, it is time to change the EAX inside the CONTEXT structure (CONTEXT was extracted previously using GetThreadContext) using SetThreadContext.

[EBP-4C0] now contains the EntryPoint of Locky’s image.

Note that the address 0x1C0000 is the offset returned from NtMapViewOfSection, when the code mapped the section to the suspended process. So basically, 0x1C0000 is the offset of the shared section inside the suspended process.

The final step: search for the system call number of “NtResumeThread” using the same search mechanism explained above.

As soon as the code gets the system call number for resume thread, it just calls it using SYSCALL and Locky’s file begins to execute while encrypting the entire file system of the computer.

Similarities Between Cerber and Locky

When inspecting Cerber (SHA256: dbd21df0f96f870875e4abafaa33b595df9e4da8b39ccc6c717fea9afcaedef3), we noticed that both contain similar behaviors.

First, the recent Cerber variants also start from NSIS installers, having the same structure of files.

The script ([NSIS].nsi) is the same.

The code being executed also looks exactly the same. The same XOR process happens here as well, searching for the byte marker of the section to be DE-XOR.

Unlike the previous example (0x4E), this time it is 0xED.

The XORing process is also the same (see above for an example of how the process works) – XOR ESI with EAX to find the 4 keys.

As soon as the code finishes XORing everything, we can see the same search mechanism using CRC32 for system call numbers.

As soon as the code retrieves the system call number, the Heaven’s Gate technique is used here as well.

The technique for process hollowing is also the same as above:

– Create its own image as a new process in suspended state
– Get CONTEXT using GetThreadContext
– Create a section
– Map section to both suspended process and its own process (so section is shared between them) using NtMapViewOfSection system call number.
– Decrypt Cerber’s PE and map it to the section (Encryption key is also its file name – “zXoueT8m.cdhNtye”).
– Fix suspended process ImageBaseAddress inside PEB to Cerber’s ImageBase.
– Change CONTEXT.EAX (which contains the entrypoint) to Cerber’s EntryPoint
– ResumeThread

NSIS Extractor

We wrote a tool using C and Python to extract the actual ransomware binary file from a given NSIS installer. The source code can be found in our GitHub.

Leveraging deep learning in combination with strong research capabilities, enables Deep Instinct to offer unmatched detection of new malware variants, providing powerful protection on endpoints and mobile devices.

IoC

Locky OSIRIS

Cerber 5.0.1

Cerber 4.1.1

To learn about the different Ransomware variants, download this free guide >>

Ransomware



Book a Demo

See the benchmarks for yourself!

To understand how you can thoroughly protect your organization against unknown and known threats, from any digital touchpoint, book your private demo with a Deep Instinct expert consultant.

Get an overview of how Deep Instinct’s security solution works, as well as an initial assessment of your specific security needs.

Start instinctively protecting your organization against all threats.

*
*
*
*
* We respect your privacy. Read our Privacy Policy
BOOK A DEMO TODAY

Terms of Use

Last updated: 20 September, 2015

THIS WEBSITE, www.Deep Instinct.com (the “Site”), is owned and operated by Deep Instinct Ltd. (“Deep Instinct”, “we”, “us” or “our”). Any use of this Site or the services available on the site from time to time (“Services”) is subject to and conditioned upon your consent to and compliance with, all of the terms and conditions in this terms of use agreement (the “Agreement”) which also incorporates our privacy policy [insert hyperlink to privacy policy]. By accessing and using the Site and/or any Services made available on it you hereby consent to be bound by this Agreement. If you do not agree with any of the terms and conditions of use, please cease any use or access to this Site and any use or access to the Services. We may amend this Agreement at any time by posting the amended terms on the Site. Your continued use of the Site or Services shall constitute your consent to any changes made. If you do not agree to the new or different terms, you should not use the Site or the Service. This Agreement may not be otherwise amended.

THE SITE AND THE SERVICES

We are engaged in the business of development, configuration, marketing, sales, integration and implementation of projects and solutions (including tactical verticals thereof) in the field of cyber security and our Site provides informative, educational and promotional information on our company, our products, and our services. We currently do not offer a direct download of our products from our site and provide our software directly to you subject to additional terms and conditions which are detailed in the end user license agreement accompanying each copy of our products.

ELIGIBILITY TO USE OUR SERVICES

This Site is aimed for use by individuals who are natural persons, who are at least 13 years old and who are of sufficient legal age and capability to form a binding agreement under the laws of their domicile. You may not use the Site and the Services and may not accept this Agreement if (a) you are not of legal age to form a binding contract with Deep Instinct (as determined in your domicile), or (b) you are a person barred from using the Site or the Services under the laws of the United States or Israel or other countries including the country in which you are domiciled or from which you access or use the Site and/or the Services. Subject to applicable law, Deep Instinct may, in its sole discretion, refuse to offer the Site and the Services to any person or entity and change its eligibility criteria at any time.

ELECTRONIC COMMUNICATIONS

When you contact us by sending emails to us, you are communicating with us electronically and you consent to receive communications from us electronically. We will communicate with you by email (if and to the extent you choose to provide with your e-mail address) or by posting notices on this Site. You agree that all agreements, notices, disclosures and other communications that we provide to you electronically satisfy any legal requirement that such communications be in writing.

PROPRIETARY RIGHTS

The Site, the Services and the content therein are proprietary to us and/or our licensors. Any and all intellectual property rights related to the Services and the Site are and shall remain our exclusive property or our licensors. Nothing in this Site grants any license or right to use any marks displayed on this Site without the written permission of the owner of the mark. Your misuse of the marks displayed on this Site or any other content on this Site is strictly prohibited. Without derogating from any of the provisions herein, you agree not to decompile, reverse-engineer, copy, transfer, assign, rent, resell, distribute or use the Site or the Services (or any part thereof, or any software underlying the Service), other than as expressly authorized by Deep Instinct. Any and all trademarks, service marks, product names, and trade names of Deep Instinct appearing on or through the Site and/or Service are exclusively owned by Deep Instinct. All other trademarks, service marks, product names, and logos appearing on or through the Service are the property of their respective owners. You may not use or display any trademark, service mark, product name, trade name, or logo appearing on or through the Service without the owner's prior written consent. Furthermore, the site is intended for use by natural persons. Any access or use of the Site by any automated means including but not limited to spiders, bots, scrapers and the like is prohibited. Any use of any information collected by such automated means constitutes a violation of this Agreement. Any use of the Site or any parts thereof or information therein for any commercial purposes is prohibited.

COMPLIANCE WITH LAWS

Access or use of the Internet or of certain websites may be prohibited in certain territories and/or certain restrictions may apply to you in such territories. Don’t access this Site if such access is prohibited under law applicable to you. You agree that your use of the Site and Services shall not violate any applicable local, national or international law, including but not limited to any regulations having the force of law.

LINKS TO OTHER WEBSITES

This Site may contain links and references to websites of others. We may, from time to time, at our sole discretion, add or remove links to other websites. These links are provided solely for informative purposes and as a convenience to you, and access to any such websites is at your own risk. We recommend that you review the information provided by third parties (such as, but not limited to, the terms of service and privacy policy of the relevant website) before accessing such websites. We do not review, approve, monitor, endorse, warrant, or make any representations with respect to such websites. In no event will we be responsible for the information contained in such websites, their practices or for your use of or inability to use such websites, or transmissions received from such sites. You expressly relieve us from any and all liability arising from your use of any third-party website. We encourage you to be aware when you leave the Site, and to read the terms and conditions and privacy policy of such other website/s that you visit.

NO WARRANTY

THE SITE, AND ANY SERVICES OFFERED THROUGH IT IS PROVIDED ON AN "AS IS" BASIS WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF TITLE OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOU EXPRESSLY AGREE THAT USE OF THE SITE IS AT YOUR SOLE RISK. NEITHER DEEP INSTINCT, ITS SUBSIDIARIES, ITS AFFILIATES NOR ANY OF THEIR RESPECTIVE EMPLOYEES, AGENTS, THIRD PARTY CONTENT PROVIDERS OR LICENSORS WARRANT THAT THE SITE WILL BE UNINTERRUPTED OR ERROR FREE; NOR DO THEY MAKE ANY WARRANTY AS TO THE RESULTS THAT MAY BE OBTAINED FROM USE OF THE SITE, OR AS TO THE ACCURACY, RELIABILITY OR CONTENT OF ANY INFORMATION, SERVICE, OR MERCHANDISE PROVIDED THROUGH THE SITE.
