Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 13, 2021, 9:57 a.m.	April 13, 2021, 10:26 a.m.

Size	73.6KB
Type	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
MD5	`1e73cf9148d10aef910af3800a6330af`
SHA256	`455e624cacd6251288643472fd0395d095f797c015cfa196317345681a26f345`
CRC32	`A2408FB0`
ssdeep	`1536:vsnCSemCLLWeKNJ+1kbOSYcpC636v/bcYSZBFFi:rS1+SYccv/gp/i`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "ChhxGlbyhYCqWG" C:\Users\test22\AppData\Local\Temp\loligang.spc
4864
- rundll32.exe "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenPKCS7 C:\Users\test22\AppData\Local\Temp\loligang.spc
  9076

Name	Response	Post-Analysis Lookup
r3---sn-3u-bh26.gvt1.com	A 59.18.44.14 CNAME r3.sn-3u-bh26.gvt1.com	59.18.44.14

IP Address	Status	Action
101.99.91.200	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch
59.18.44.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 13, 2021, 9:57 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 13, 2021, 9:57 a.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	POST method with no referer header				suspicious_request	POST https://update.googleapis.com/service/update2?cup2key=10:2581656494&cup2hreq=e96ecb8cdb49f5b3a444bc5b45acc714f01dd19550bffb79f4e10c7ae3d003c1
suspicious_features	POST method with no referer header				suspicious_request	POST https://update.googleapis.com/service/update2

Performs some HTTP requests (5 events)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
request	HEAD http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1618276578&mv=m&mvi=3&pl=18&shardbypass=yes
request	GET http://r3---sn-3u-bh26.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=175.208.134.150&mm=28&mn=sn-3u-bh26&ms=nvh&mt=1618276578&mv=m&mvi=3&pl=18&shardbypass=yes
request	POST https://update.googleapis.com/service/update2?cup2key=10:2581656494&cup2hreq=e96ecb8cdb49f5b3a444bc5b45acc714f01dd19550bffb79f4e10c7ae3d003c1
request	POST https://update.googleapis.com/service/update2

Sends data using the HTTP POST Method (2 events)

request	POST https://update.googleapis.com/service/update2?cup2key=10:2581656494&cup2hreq=e96ecb8cdb49f5b3a444bc5b45acc714f01dd19550bffb79f4e10c7ae3d003c1
request	POST https://update.googleapis.com/service/update2

Allocates read-write-execute memory (usually to unpack itself) (10 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 13, 2021, 9:57 a.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:57 a.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x765b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:57 a.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:57 a.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e80000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:57 a.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73771000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:57 a.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72231000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:57 a.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72da4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:57 a.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:57 a.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 13, 2021, 9:57 a.m.	process_identifier: 9076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1

Yara rule detected in process memory (9 events)

description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (2 events)

host	101.99.91.200
host	172.217.25.14

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

ClamAV	Unix.Trojan.Mirai-6976991-0
FireEye	Trojan.Linux.Generic.175479
McAfee	Linux/Mirai.f
Zillya	Backdoor.Mirai.Linux.53645
Sangfor	Malware.ELF-Script.Save.41b44dcf
Cyren	E32/Mirai.G.gen!Camelot
Symantec	Linux.Mirai
ESET-NOD32	a variant of Linux/Mirai.A
TrendMicro-HouseCall	Backdoor.Linux.MIRAI.SMBEM
Avast	ELF:Mirai-ACT [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Backdoor.Linux.Mirai.b
BitDefender	Trojan.Linux.Generic.175479
MicroWorld-eScan	Trojan.Linux.Generic.175479
Tencent	Backdoor.Linux.Mirai.waz
Ad-Aware	Trojan.Linux.Generic.175479
DrWeb	Linux.Mirai.4704
TrendMicro	Backdoor.Linux.MIRAI.SMBEM
McAfee-GW-Edition	Linux/Mirai.f
Emsisoft	Trojan.Linux.Generic.175479 (B)
Avast-Mobile	ELF:Mirai-DN [Trj]
Jiangmin	Backdoor.Linux.ckta
Avira	LINUX/Mirai.bonb
MAX	malware (ai score=81)
Antiy-AVL	Trojan/Generic.ASELF.1FA81
Gridinsoft	Suspicious.XOR_Encoded.bot!yf
Microsoft	Backdoor:Linux/Mirai.YA!MTB
ZoneAlarm	HEUR:Backdoor.Linux.Mirai.r
GData	Trojan.Linux.Generic.175479
AhnLab-V3	Linux/Mirai.Gen10
BitDefenderTheta	Gen:NN.Mirai.34670
ALYac	Trojan.Linux.Generic.175479
Rising	Trojan.Mirai/Linux!1.C9CB (CLASSIC)
Ikarus	Trojan.Linux.Gafgyt
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	ELF/Mirai.BONB!tr
AVG	ELF:Mirai-ACT [Trj]
Qihoo-360	virus.elf.mirai.c

loligang.spc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All