Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | May 18, 2021, 9:11 a.m. | May 18, 2021, 9:15 a.m. |
-
-
jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
1772 -
jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
1460
-
Name | Response | Post-Analysis Lookup |
---|---|---|
uyg5wye.2ihsfa.com | 88.218.92.148 | |
ip-api.com | 208.95.112.1 | |
iplogger.org | 88.99.66.31 | |
www.facebook.com | 157.240.215.35 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49198 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected |
TCP 192.168.56.101:49204 -> 157.240.215.35:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49209 -> 88.99.66.31:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49204 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com | 8a:d5:51:89:8f:00:98:8e:5b:0f:b8:07:6d:0d:43:18:89:c2:bb:d0 |
TLSv1 192.168.56.101:49209 88.99.66.31:443 |
C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.iplogger.org | 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb |
pdb_path | D:\workspace\workspace_c\GjOGoOIgHJEwh52iJ_20\Release\GjOGoOIgHJEwh52iJ_20.pdb |
resource name | HHGE |
suspicious_features | POST method with no referer header | suspicious_request | POST http://uyg5wye.2ihsfa.com/api/?sid=292191&key=60099d26f09507c82251d7c25fada928 |
request | GET http://ip-api.com/json/ |
request | GET http://uyg5wye.2ihsfa.com/api/fbtime |
request | POST http://uyg5wye.2ihsfa.com/api/?sid=292191&key=60099d26f09507c82251d7c25fada928 |
request | GET https://www.facebook.com/ |
request | GET https://iplogger.org/18hh57 |
request | POST http://uyg5wye.2ihsfa.com/api/?sid=292191&key=60099d26f09507c82251d7c25fada928 |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal |
name | HHGE | language | LANG_CHINESE | filetype | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x000bc710 | size | 0x00033e00 | ||||||||||||||||||
name | HHGE | language | LANG_CHINESE | filetype | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x000bc710 | size | 0x00033e00 | ||||||||||||||||||
name | HHGE | language | LANG_CHINESE | filetype | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x000bc710 | size | 0x00033e00 |
domain | ip-api.com |
file | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe |
file | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe |
section | {u'size_of_data': u'0x00071800', u'virtual_address': u'0x0007f000', u'entropy': 7.891368917905341, u'name': u'.rsrc', u'virtual_size': u'0x00071690'} | entropy | 7.89136891791 | description | A section with a high entropy has been found | |||||||||
entropy | 0.46780010304 | description | Overall entropy of this PE file is high |
file | C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt |
file | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe |
Bkav | W32.AIDetect.malware2 |
Elastic | malicious (high confidence) |
DrWeb | Tool.PassView.1944 |
MicroWorld-eScan | Trojan.GenericKD.46293970 |
FireEye | Generic.mg.aed57d50123897b0 |
CAT-QuickHeal | PUA.IgenericRI.S15903427 |
McAfee | GenericRXAA-AA!AED57D501238 |
Cylance | Unsafe |
Zillya | Trojan.CookiesStealer.Win32.67 |
Sangfor | Trojan.Win32.Save.a |
K7AntiVirus | Trojan ( 005690671 ) |
Alibaba | Trojan:Win32/CookiesStealer.5df03cb5 |
K7GW | Trojan ( 005690671 ) |
Cybereason | malicious.012389 |
BitDefenderTheta | Gen:NN.ZexaF.34690.8uW@a82JMxcj |
Cyren | W32/CookieStealer.E.gen!Eldorado |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | a variant of Win32/Agent.ACLN |
APEX | Malicious |
Paloalto | generic.ml |
ClamAV | Win.Malware.Spyagent-9830839-0 |
Kaspersky | Trojan.Win32.CookiesStealer.b |
BitDefender | Trojan.GenericKD.46293970 |
NANO-Antivirus | Riskware.Win32.PSWTool.hqsnsl |
AegisLab | Trojan.Win32.Malicious.4!c |
Avast | Win32:Malware-gen |
Tencent | Win32.Trojan.Cookiesstealer.Lrsf |
Ad-Aware | Trojan.GenericKD.46293970 |
Emsisoft | Trojan.Agent (A) |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | TROJ_GEN.R002C0PE721 |
McAfee-GW-Edition | BehavesLike.Win32.PUP.dc |
Sophos | Mal/Generic-S |
SentinelOne | Static AI - Suspicious PE |
Webroot | W32.Trojan.Gen |
Avira | TR/AD.JazoStealer.znvpf |
MAX | malware (ai score=100) |
Antiy-AVL | Trojan/Generic.ASMalwS.2FFCE3E |
Gridinsoft | Trojan.Win32.Agent.vb |
Microsoft | Trojan:Script/Phonzy.A!ml |
GData | Trojan.GenericKD.46293970 |
Cynet | Malicious (score: 100) |
AhnLab-V3 | Trojan/Win32.RL_Infostealer.R356907 |
VBA32 | BScope.Trojan.Infospy |
ALYac | Trojan.GenericKD.46293970 |
Malwarebytes | Generic.Trojan.Malicious.DDS |
TrendMicro-HouseCall | TROJ_GEN.R002C0PE721 |
Rising | Stealer.Facebook!1.CC5B (CLOUD) |
Yandex | Trojan.Convagent!WP9TbZjCMq4 |
Ikarus | Trojan.Malagent |