Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 15, 2021, 7:36 a.m.	April 15, 2021, 7:38 a.m.

Size	974.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`9786f11c6015566b11b9c3c89378679d`
SHA256	`83ca633800860209287078ee57257d3c04151b6bc7561a96b4cbdbd41dab4747`
CRC32	`FD64D9FE`
ssdeep	`24576:fzdZZK1KPQAcVmXW3ARaBfmeTNkdBAnlXG6+Z1mbXul:3Z2AcVmXWwR2fmGkUlXF+Z1Iel`
PDB Path	D:\workspace\workspace_c\GjOGoOIgHJEwh52iJ_20\Release\GjOGoOIgHJEwh52iJ_20.pdb
Yara	PE_Header_Zero - PE File Signature Zero OS_Processor_Check_Zero - OS Processor Check Signature Zero Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen screenshot - Take screenshot win_registry - Affect system registries win_files_operation - Affect private profile Str_Win32_Wininet_Library - Match Windows Inet API library declaration Str_Win32_Http_API - Match Windows Http API call UPX_Zero - UPX packed file Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet IsPE32 - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check

jvppp.exe "C:\Users\test22\AppData\Local\Temp\jvppp.exe"
2444
- jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
  2076
- jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
  1296

Name	Response	Post-Analysis Lookup
script.google.com	A 142.250.199.78	216.58.220.110
uyyge5w3ye.2ihsfa.com	A 207.246.80.14	207.246.80.14
iplogger.org	A 88.99.66.31	88.99.66.31
ip-api.com	A 208.95.112.1	208.95.112.1
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	31.13.82.36

IP Address	Status	Action
142.250.199.78	Active	Moloch
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
207.246.80.14	Active	Moloch
208.95.112.1	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49204 -> 157.240.215.35:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 142.250.199.78:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49210 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49204 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com	06:27:21:15:a3:58:11:72:d2:44:44:19:3b:af:00:15:4b:f5:e0:e2
TLSv1 192.168.56.101:49209 142.250.199.78:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com	ac:5a:54:aa:08:75:e8:ab:c8:02:46:e1:33:46:73:67:77:2e:3f:39
TLSv1 192.168.56.101:49210 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

This executable has a PDB path (1 event)

pdb_path

D:\workspace\workspace_c\GjOGoOIgHJEwh52iJ_20\Release\GjOGoOIgHJEwh52iJ_20.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 15, 2021, 7:36 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

HHGE

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://uyyge5w3ye.2ihsfa.com/api/?sid=92468&key=165d0df49d4f7de7b67582d2a0345a1b

Performs some HTTP requests (6 events)

request	GET http://ip-api.com/json/
request	GET http://uyyge5w3ye.2ihsfa.com/api/fbtime
request	POST http://uyyge5w3ye.2ihsfa.com/api/?sid=92468&key=165d0df49d4f7de7b67582d2a0345a1b
request	GET https://www.facebook.com/
request	GET https://script.google.com/macros/s/AKfycbyeDUociDSMjODhy_ZapM5zzyoJ3zrch9n5IUJeKIM3UQOEtZs/exec?loc=KR&app=Staoism&payoutcents=0.08&ver=3.5&ip=175.208.134.150
request	GET https://iplogger.org/18hh57

Sends data using the HTTP POST Method (1 event)

request

POST http://uyyge5w3ye.2ihsfa.com/api/?sid=92468&key=165d0df49d4f7de7b67582d2a0345a1b

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal

Foreign language identified in PE resource (3 events)

name

HHGE

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000bd710

size

0x00033e00

name

HHGE

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000bd710

size

0x00033e00

name

HHGE

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000bd710

size

0x00033e00

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 15, 2021, 7:36 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00071800', u'virtual_address': u'0x00080000', u'entropy': 7.89136660255915, u'name': u'.rsrc', u'virtual_size': u'0x00071690'}

entropy

7.89136660256

description

A section with a high entropy has been found

entropy

0.466598150051

description

Overall entropy of this PE file is high

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng

reg_value

C:\Users\test22\AppData\Local\Temp\haleng.ex

Deletes executed files from disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36688088
FireEye	Generic.mg.9786f11c6015566b
CAT-QuickHeal	Trojan.Cookiesstealer
Qihoo-360	Win32/Backdoor.SpyAgent.HgIASSAA
ALYac	Trojan.GenericKD.36688088
Cylance	Unsafe
Zillya	Trojan.CookiesStealer.Win32.62
Sangfor	Trojan.Win32.Stealer.KA
K7AntiVirus	Trojan ( 005723511 )
Alibaba	Trojan:Win32/CookiesStealer.b842e0e9
K7GW	Trojan ( 005723511 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/CookieStealer.A.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.ACLN
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Malware.Spyagent-9830839-0
Kaspersky	Trojan.Win32.CookiesStealer.b
BitDefender	Trojan.GenericKD.36688088
NANO-Antivirus	Riskware.Win32.PSWTool.hqsnsl
Paloalto	generic.ml
Rising	Stealer.Facebook!1.CC5B (CLOUD)
Ad-Aware	Trojan.GenericKD.36688088
Sophos	Generic ML PUA (PUA)
DrWeb	Trojan.DownLoader38.9705
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	BehavesLike.Win32.PUP.dc
Emsisoft	Trojan.Agent (A)
SentinelOne	Static AI - Suspicious PE
Jiangmin	Trojan.CookiesStealer.n
Webroot	W32.Malware.Gen
Avira	TR/AD.JazoStealer.wcoir
Kingsoft	Win32.Heur.KVM003.a.(kcloud)
Gridinsoft	Trojan.Win32.Agent.ns
Microsoft	Trojan:Win32/Stealer.KA!MTB
GData	Trojan.GenericKD.36688088
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Infostealer.R356907
McAfee	GenericRXAA-AA!9786F11C6015
MAX	malware (ai score=82)
VBA32	BScope.Trojan.Infospy
Malwarebytes	Generic.Trojan.Malicious.DDS
TrendMicro-HouseCall	TROJ_GEN.R002C0DD321
Tencent	Win32.Trojan.Cookiesstealer.Hufm
Ikarus	Trojan.Malagent
eGambit	Unsafe.AI_Score_99%
Fortinet	W32/Agent.UAW!tr

jvppp.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All