Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 18, 2021, 9:11 a.m.	May 18, 2021, 9:15 a.m.

Size	971.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`aed57d50123897b0012c35ef5dec4184`
SHA256	`096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e`
CRC32	`70E98DC3`
ssdeep	`24576:6dWdWjFMYKO1ZcqlHrorVCkTNkdBAnlXG6+Z1mbXEC:FSMYKO1ZcmHsrVCokUlXF+Z1IUC`
PDB Path	D:\workspace\workspace_c\GjOGoOIgHJEwh52iJ_20\Release\GjOGoOIgHJEwh52iJ_20.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen IsPE32 - (no description) Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet

jooyu.exe "C:\Users\test22\AppData\Local\Temp\jooyu.exe"
1016
- jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
  1772
- jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
  1460

Name	Response	Post-Analysis Lookup
uyg5wye.2ihsfa.com	A 88.218.92.148	88.218.92.148
ip-api.com	A 208.95.112.1	208.95.112.1
iplogger.org	A 88.99.66.31	88.99.66.31
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	157.240.215.35

IP Address	Status	Action
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch
88.218.92.148	Active	Moloch
88.99.66.31	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49198 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49204 -> 157.240.215.35:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49209 -> 88.99.66.31:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49204 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com	8a:d5:51:89:8f:00:98:8e:5b:0f:b8:07:6d:0d:43:18:89:c2:bb:d0
TLSv1 192.168.56.101:49209 88.99.66.31:443	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=*.iplogger.org	55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

This executable has a PDB path (1 event)

pdb_path

D:\workspace\workspace_c\GjOGoOIgHJEwh52iJ_20\Release\GjOGoOIgHJEwh52iJ_20.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 18, 2021, 9:11 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

HHGE

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://uyg5wye.2ihsfa.com/api/?sid=292191&key=60099d26f09507c82251d7c25fada928

Performs some HTTP requests (5 events)

request	GET http://ip-api.com/json/
request	GET http://uyg5wye.2ihsfa.com/api/fbtime
request	POST http://uyg5wye.2ihsfa.com/api/?sid=292191&key=60099d26f09507c82251d7c25fada928
request	GET https://www.facebook.com/
request	GET https://iplogger.org/18hh57

Sends data using the HTTP POST Method (1 event)

request

POST http://uyg5wye.2ihsfa.com/api/?sid=292191&key=60099d26f09507c82251d7c25fada928

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal

Foreign language identified in PE resource (3 events)

name

HHGE

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000bc710

size

0x00033e00

name

HHGE

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000bc710

size

0x00033e00

name

HHGE

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000bc710

size

0x00033e00

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 18, 2021, 9:11 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00071800', u'virtual_address': u'0x0007f000', u'entropy': 7.891368917905341, u'name': u'.rsrc', u'virtual_size': u'0x00071690'}

entropy

7.89136891791

description

A section with a high entropy has been found

entropy

0.46780010304

description

Overall entropy of this PE file is high

Deletes executed files from disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
DrWeb	Tool.PassView.1944
MicroWorld-eScan	Trojan.GenericKD.46293970
FireEye	Generic.mg.aed57d50123897b0
CAT-QuickHeal	PUA.IgenericRI.S15903427
McAfee	GenericRXAA-AA!AED57D501238
Cylance	Unsafe
Zillya	Trojan.CookiesStealer.Win32.67
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005690671 )
Alibaba	Trojan:Win32/CookiesStealer.5df03cb5
K7GW	Trojan ( 005690671 )
Cybereason	malicious.012389
BitDefenderTheta	Gen:NN.ZexaF.34690.8uW@a82JMxcj
Cyren	W32/CookieStealer.E.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.ACLN
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Malware.Spyagent-9830839-0
Kaspersky	Trojan.Win32.CookiesStealer.b
BitDefender	Trojan.GenericKD.46293970
NANO-Antivirus	Riskware.Win32.PSWTool.hqsnsl
AegisLab	Trojan.Win32.Malicious.4!c
Avast	Win32:Malware-gen
Tencent	Win32.Trojan.Cookiesstealer.Lrsf
Ad-Aware	Trojan.GenericKD.46293970
Emsisoft	Trojan.Agent (A)
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0PE721
McAfee-GW-Edition	BehavesLike.Win32.PUP.dc
Sophos	Mal/Generic-S
SentinelOne	Static AI - Suspicious PE
Webroot	W32.Trojan.Gen
Avira	TR/AD.JazoStealer.znvpf
MAX	malware (ai score=100)
Antiy-AVL	Trojan/Generic.ASMalwS.2FFCE3E
Gridinsoft	Trojan.Win32.Agent.vb
Microsoft	Trojan:Script/Phonzy.A!ml
GData	Trojan.GenericKD.46293970
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Infostealer.R356907
VBA32	BScope.Trojan.Infospy
ALYac	Trojan.GenericKD.46293970
Malwarebytes	Generic.Trojan.Malicious.DDS
TrendMicro-HouseCall	TROJ_GEN.R002C0PE721
Rising	Stealer.Facebook!1.CC5B (CLOUD)
Yandex	Trojan.Convagent!WP9TbZjCMq4
Ikarus	Trojan.Malagent

jooyu.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All