Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | May 18, 2021, 9:11 a.m. | May 18, 2021, 9:20 a.m. |
-
-
jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
1756 -
jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
1460
-
Name | Response | Post-Analysis Lookup |
---|---|---|
uyg5wye.2ihsfa.com | 88.218.92.148 | |
ip-api.com | 208.95.112.1 | |
www.facebook.com | 157.240.215.35 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.101:49204 -> 157.240.215.35:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.101:49198 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49204 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com | 8a:d5:51:89:8f:00:98:8e:5b:0f:b8:07:6d:0d:43:18:89:c2:bb:d0 |
pdb_path | D:\workspace\workspace_c\TAOYUFAIFJ_1\Release\TAOYUFAIFJ_1.pdb |
resource name | MJKS |
suspicious_features | POST method with no referer header | suspicious_request | POST http://uyg5wye.2ihsfa.com/api/?sid=293611&key=c68174dfa7ef002910087c89cd0331cc |
request | GET http://ip-api.com/json/ |
request | GET http://uyg5wye.2ihsfa.com/api/fbtime |
request | POST http://uyg5wye.2ihsfa.com/api/?sid=293611&key=c68174dfa7ef002910087c89cd0331cc |
request | GET https://www.facebook.com/ |
request | POST http://uyg5wye.2ihsfa.com/api/?sid=293611&key=c68174dfa7ef002910087c89cd0331cc |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal |
name | MJKS | language | LANG_CHINESE | filetype | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x000bc710 | size | 0x00033e00 | ||||||||||||||||||
name | MJKS | language | LANG_CHINESE | filetype | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x000bc710 | size | 0x00033e00 | ||||||||||||||||||
name | MJKS | language | LANG_CHINESE | filetype | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x000bc710 | size | 0x00033e00 |
domain | ip-api.com |
file | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe |
file | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe |
section | {u'size_of_data': u'0x00071800', u'virtual_address': u'0x0007f000', u'entropy': 7.891369588773331, u'name': u'.rsrc', u'virtual_size': u'0x00071690'} | entropy | 7.89136958877 | description | A section with a high entropy has been found | |||||||||
entropy | 0.468041237113 | description | Overall entropy of this PE file is high |
file | C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt |
file | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe |
Bkav | W32.AIDetect.malware2 |
Elastic | malicious (high confidence) |
DrWeb | Tool.PassView.1944 |
MicroWorld-eScan | Gen:Variant.Razy.301902 |
FireEye | Generic.mg.6d7603e4fd4d633c |
CAT-QuickHeal | PUA.IgenericRI.S15903427 |
McAfee | Artemis!6D7603E4FD4D |
Cylance | Unsafe |
Sangfor | Trojan.Win32.CookiesStealer.b |
K7AntiVirus | Trojan ( 005723511 ) |
Alibaba | Trojan:Win32/CookiesStealer.1a43649c |
K7GW | Trojan ( 005723511 ) |
Cybereason | malicious.4fd4d6 |
Arcabit | Trojan.Razy.D49B4E |
BitDefenderTheta | Gen:NN.ZexaF.34690.8uW@aaa2Umjj |
Cyren | W32/CookieStealer.E.gen!Eldorado |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | a variant of Win32/Agent.ACLN |
APEX | Malicious |
Avast | Win32:Malware-gen |
ClamAV | Win.Malware.Spyagent-9830839-0 |
Kaspersky | Trojan.Win32.CookiesStealer.b |
BitDefender | Gen:Variant.Razy.301902 |
NANO-Antivirus | Riskware.Win32.PSWTool.hqsnsl |
Paloalto | generic.ml |
Tencent | Malware.Win32.Gencirc.11beae3b |
Ad-Aware | Gen:Variant.Razy.301902 |
Sophos | Mal/Generic-S (PUA) |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | TROJ_GEN.R002C0PEB21 |
McAfee-GW-Edition | BehavesLike.Win32.PUP.dc |
Emsisoft | Gen:Variant.Razy.301902 (B) |
Ikarus | Trojan.Malagent |
Jiangmin | Trojan.CookiesStealer.q |
Webroot | W32.Malware.Gen |
Avira | TR/AD.JazoStealer.agdsy |
Antiy-AVL | Trojan/Generic.ASMalwS.2FFCE3E |
Kingsoft | Win32.Heur.KVM003.a.(kcloud) |
Gridinsoft | Trojan.Win32.Agent.vb |
Microsoft | Trojan:Win32/Casdet!rfn |
AegisLab | Trojan.Win32.CookiesStealer.4!c |
ZoneAlarm | not-a-virus:HEUR:PSWTool.Win32.PassView.a |
GData | Gen:Variant.Razy.301902 |
Cynet | Malicious (score: 100) |
AhnLab-V3 | Trojan/Win32.RL_Infostealer.R356907 |
VBA32 | BScope.Trojan.Infospy |
ALYac | Gen:Variant.Razy.301902 |
MAX | malware (ai score=88) |
Malwarebytes | Generic.Trojan.Malicious.DDS |
TrendMicro-HouseCall | TROJ_GEN.R002C0PEB21 |