Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | April 15, 2021, 7:36 a.m. | April 15, 2021, 7:38 a.m. |
Process | PID | Command line |
---|---|---|
jfiag3g_gg.exe | 2076 | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt |
jfiag3g_gg.exe | 1296 | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt |
Name | Response | Post-Analysis Lookup |
---|---|---|
script.google.com | 216.58.220.110 | |
uyyge5w3ye.2ihsfa.com | 207.246.80.14 | |
iplogger.org | 88.99.66.31 | |
ip-api.com | 208.95.112.1 | |
www.facebook.com | 31.13.82.36 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49204 -> 157.240.215.35:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49209 -> 142.250.199.78:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49210 -> 88.99.66.31:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49198 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49204 -> 157.240.215.35:443 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com | 06:27:21:15:a3:58:11:72:d2:44:44:19:3b:af:00:15:4b:f5:e0:e2 |
TLSv1 192.168.56.101:49209 -> 142.250.199.78:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com | ac:5a:54:aa:08:75:e8:ab:c8:02:46:e1:33:46:73:67:77:2e:3f:39 |
TLSv1 192.168.56.101:49210 -> 88.99.66.31:443 | C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.iplogger.org | 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb |
pdb_path | D:\workspace\workspace_c\GjOGoOIgHJEwh52iJ_20\Release\GjOGoOIgHJEwh52iJ_20.pdb |
resource name | HHGE |
suspicious_features | POST method with no referer header |
suspicious_request | POST http://uyyge5w3ye.2ihsfa.com/api/?sid=92468&key=165d0df49d4f7de7b67582d2a0345a1b |
request | GET http://ip-api.com/json/ |
request | GET http://uyyge5w3ye.2ihsfa.com/api/fbtime |
request | POST http://uyyge5w3ye.2ihsfa.com/api/?sid=92468&key=165d0df49d4f7de7b67582d2a0345a1b |
request | GET https://www.facebook.com/ |
request | GET https://script.google.com/macros/s/AKfycbyeDUociDSMjODhy_ZapM5zzyoJ3zrch9n5IUJeKIM3UQOEtZs/exec?loc=KR&app=Staoism&payoutcents=0.08&ver=3.5&ip=175.208.134.150 |
request | GET https://iplogger.org/18hh57 |
request | POST http://uyyge5w3ye.2ihsfa.com/api/?sid=92468&key=165d0df49d4f7de7b67582d2a0345a1b |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal |
name | HHGE | language | LANG_CHINESE | filetype | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x000bd710 | size | 0x00033e00 |
domain | ip-api.com |
file | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe |
section | {u'size_of_data': u'0x00071800', u'virtual_address': u'0x00080000', u'entropy': 7.89136660255915, u'name': u'.rsrc', u'virtual_size': u'0x00071690'} | entropy | 7.89136660256 | description | A section with a high entropy has been found |
entropy | 0.466598150051 | description | Overall entropy of this PE file is high |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng | reg_value | C:\Users\test22\AppData\Local\Temp\haleng.ex |
file | C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt |
file | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe |
Bkav | W32.AIDetect.malware2 |
Elastic | malicious (high confidence) |
MicroWorld-eScan | Trojan.GenericKD.36688088 |
FireEye | Generic.mg.9786f11c6015566b |
CAT-QuickHeal | Trojan.Cookiesstealer |
Qihoo-360 | Win32/Backdoor.SpyAgent.HgIASSAA |
ALYac | Trojan.GenericKD.36688088 |
Cylance | Unsafe |
Zillya | Trojan.CookiesStealer.Win32.62 |
Sangfor | Trojan.Win32.Stealer.KA |
K7AntiVirus | Trojan ( 005723511 ) |
Alibaba | Trojan:Win32/CookiesStealer.b842e0e9 |
K7GW | Trojan ( 005723511 ) |
CrowdStrike | win/malicious_confidence_100% (W) |
Cyren | W32/CookieStealer.A.gen!Eldorado |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | a variant of Win32/Agent.ACLN |
APEX | Malicious |
Avast | Win32:Malware-gen |
ClamAV | Win.Malware.Spyagent-9830839-0 |
Kaspersky | Trojan.Win32.CookiesStealer.b |
BitDefender | Trojan.GenericKD.36688088 |
NANO-Antivirus | Riskware.Win32.PSWTool.hqsnsl |
Paloalto | generic.ml |
Rising | Stealer.Facebook!1.CC5B (CLOUD) |
Ad-Aware | Trojan.GenericKD.36688088 |
Sophos | Generic ML PUA (PUA) |
DrWeb | Trojan.DownLoader38.9705 |
VIPRE | Trojan.Win32.Generic!BT |
McAfee-GW-Edition | BehavesLike.Win32.PUP.dc |
Emsisoft | Trojan.Agent (A) |
SentinelOne | Static AI - Suspicious PE |
Jiangmin | Trojan.CookiesStealer.n |
Webroot | W32.Malware.Gen |
Avira | TR/AD.JazoStealer.wcoir |
Kingsoft | Win32.Heur.KVM003.a.(kcloud) |
Gridinsoft | Trojan.Win32.Agent.ns |
Microsoft | Trojan:Win32/Stealer.KA!MTB |
GData | Trojan.GenericKD.36688088 |
Cynet | Malicious (score: 100) |
AhnLab-V3 | Trojan/Win32.RL_Infostealer.R356907 |
McAfee | GenericRXAA-AA!9786F11C6015 |
MAX | malware (ai score=82) |
VBA32 | BScope.Trojan.Infospy |
Malwarebytes | Generic.Trojan.Malicious.DDS |
TrendMicro-HouseCall | TROJ_GEN.R002C0DD321 |
Tencent | Win32.Trojan.Cookiesstealer.Hufm |
Ikarus | Trojan.Malagent |
eGambit | Unsafe.AI_Score_99% |
Fortinet | W32/Agent.UAW!tr |