Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 18, 2021, 9:11 a.m.	May 18, 2021, 9:20 a.m.

Size	971.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`6d7603e4fd4d633cae7eaee0f1029a17`
SHA256	`689fb410bd14b79f1932953f7bd35e3569c75f99e6c507f8a37eaeb9760e9b5a`
CRC32	`A7628EE0`
ssdeep	`24576:LMuFuRDs+a14JiNwXlenXTNkdBAnlXG6+Z1mbXgL3:H0Ds+a144NwVenpkUlXF+Z1IQL3`
PDB Path	D:\workspace\workspace_c\TAOYUFAIFJ_1\Release\TAOYUFAIFJ_1.pdb
Yara	PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen IsPE32 - (no description) Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet

customer2.exe "C:\Users\test22\AppData\Local\Temp\customer2.exe"
1896
- jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
  1756
- jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
  1460

Name	Response	Post-Analysis Lookup
uyg5wye.2ihsfa.com	A 88.218.92.148	88.218.92.148
ip-api.com	A 208.95.112.1	208.95.112.1
www.facebook.com	A 157.240.215.35 CNAME star-mini.c10r.facebook.com	157.240.215.35

IP Address	Status	Action
157.240.215.35	Active	Moloch
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch
88.218.92.148	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49204 -> 157.240.215.35:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49204 157.240.215.35:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com	8a:d5:51:89:8f:00:98:8e:5b:0f:b8:07:6d:0d:43:18:89:c2:bb:d0

This executable has a PDB path (1 event)

pdb_path

D:\workspace\workspace_c\TAOYUFAIFJ_1\Release\TAOYUFAIFJ_1.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 18, 2021, 9:11 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

MJKS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST http://uyg5wye.2ihsfa.com/api/?sid=293611&key=c68174dfa7ef002910087c89cd0331cc

Performs some HTTP requests (4 events)

request	GET http://ip-api.com/json/
request	GET http://uyg5wye.2ihsfa.com/api/fbtime
request	POST http://uyg5wye.2ihsfa.com/api/?sid=293611&key=c68174dfa7ef002910087c89cd0331cc
request	GET https://www.facebook.com/

Sends data using the HTTP POST Method (1 event)

request

POST http://uyg5wye.2ihsfa.com/api/?sid=293611&key=c68174dfa7ef002910087c89cd0331cc

Steals private information from local Internet browsers (3 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal

Foreign language identified in PE resource (3 events)

name

MJKS

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000bc710

size

0x00033e00

name

MJKS

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000bc710

size

0x00033e00

name

MJKS

language

LANG_CHINESE

filetype

PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000bc710

size

0x00033e00

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 18, 2021, 9:11 a.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00071800', u'virtual_address': u'0x0007f000', u'entropy': 7.891369588773331, u'name': u'.rsrc', u'virtual_size': u'0x00071690'}

entropy

7.89136958877

description

A section with a high entropy has been found

entropy

0.468041237113

description

Overall entropy of this PE file is high

Deletes executed files from disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
file	C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetect.malware2
Elastic	malicious (high confidence)
DrWeb	Tool.PassView.1944
MicroWorld-eScan	Gen:Variant.Razy.301902
FireEye	Generic.mg.6d7603e4fd4d633c
CAT-QuickHeal	PUA.IgenericRI.S15903427
McAfee	Artemis!6D7603E4FD4D
Cylance	Unsafe
Sangfor	Trojan.Win32.CookiesStealer.b
K7AntiVirus	Trojan ( 005723511 )
Alibaba	Trojan:Win32/CookiesStealer.1a43649c
K7GW	Trojan ( 005723511 )
Cybereason	malicious.4fd4d6
Arcabit	Trojan.Razy.D49B4E
BitDefenderTheta	Gen:NN.ZexaF.34690.8uW@aaa2Umjj
Cyren	W32/CookieStealer.E.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Agent.ACLN
APEX	Malicious
Avast	Win32:Malware-gen
ClamAV	Win.Malware.Spyagent-9830839-0
Kaspersky	Trojan.Win32.CookiesStealer.b
BitDefender	Gen:Variant.Razy.301902
NANO-Antivirus	Riskware.Win32.PSWTool.hqsnsl
Paloalto	generic.ml
Tencent	Malware.Win32.Gencirc.11beae3b
Ad-Aware	Gen:Variant.Razy.301902
Sophos	Mal/Generic-S (PUA)
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R002C0PEB21
McAfee-GW-Edition	BehavesLike.Win32.PUP.dc
Emsisoft	Gen:Variant.Razy.301902 (B)
Ikarus	Trojan.Malagent
Jiangmin	Trojan.CookiesStealer.q
Webroot	W32.Malware.Gen
Avira	TR/AD.JazoStealer.agdsy
Antiy-AVL	Trojan/Generic.ASMalwS.2FFCE3E
Kingsoft	Win32.Heur.KVM003.a.(kcloud)
Gridinsoft	Trojan.Win32.Agent.vb
Microsoft	Trojan:Win32/Casdet!rfn
AegisLab	Trojan.Win32.CookiesStealer.4!c
ZoneAlarm	not-a-virus:HEUR:PSWTool.Win32.PassView.a
GData	Gen:Variant.Razy.301902
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.RL_Infostealer.R356907
VBA32	BScope.Trojan.Infospy
ALYac	Gen:Variant.Razy.301902
MAX	malware (ai score=88)
Malwarebytes	Generic.Trojan.Malicious.DDS
TrendMicro-HouseCall	TROJ_GEN.R002C0PEB21

customer2.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All