Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 12, 2021, 5:59 p.m.	July 12, 2021, 6:01 p.m.

Size	745.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`fca673821522a3329ad3ab6308cf9692`
SHA256	`c20353fd8e3d6800be5f2b174bcf3dd9f7bbccb9d87c6bb6df6c9925e54fc18f`
CRC32	`BA49E631`
ssdeep	`12288:4n+8d+rUFWI6vpibC077cVTano0T2FOuTKa:4+8dVFW5ibLcuyOuma`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file

VNPhone.exe "C:\Users\test22\AppData\Local\Temp\VNPhone.exe"
2216
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
cdn.poopycloud.com	A 188.124.36.145	188.124.36.145

IP Address	Status	Action
164.124.101.2	Active	Moloch
188.124.36.145	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW July 12, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW July 12, 2021, 5:59 p.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 12, 2021, 5:59 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	POST method with no referer header	suspicious_request	POST https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=FIRST_REQUEST
suspicious_features	POST method with no referer header	suspicious_request	POST https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=INFO
suspicious_features	POST method with no referer header	suspicious_request	POST https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=REQUEST

Performs some HTTP requests (4 events)

request	POST https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=FIRST_REQUEST
request	GET https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=FIRST_REQUEST&AspxAutoDetectCookieSupport=1
request	POST https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=INFO
request	POST https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=REQUEST

Sends data using the HTTP POST Method (3 events)

request	POST https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=FIRST_REQUEST
request	POST https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=INFO
request	POST https://cdn.poopycloud.com/timeout/voip.aspx?guid=7C6024AD&v=1.7&cg=REQUEST

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 12, 2021, 5:59 p.m.	process_identifier: 2216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73795000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:59 p.m.	process_identifier: 2216 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 12, 2021, 5:59 p.m.	process_identifier: 2216 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

VNPhone.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW July 12, 2021, 6 p.m.	total_number_of_free_bytes: 13725466624 free_bytes_available: 13725466624 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

None

filetype

data

sublanguage

SUBLANG_ARABIC_YEMEN

offset

0x0009bad8

size

0x00000270

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\nsg63A6.tmp\System.dll

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\nsg63A6.tmp\System.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MobileSrv.exe

Executes one or more WMI queries (1 event)

wmi

Generates some ICMP traffic

File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)

MicroWorld-eScan	Trojan.GenericKD.37214946
McAfee	Artemis!FCA673821522
Sangfor	Trojan.Win32.Scar.gen
Alibaba	Trojan:Win32/GenCBL.ef04ae4f
K7GW	Trojan ( 0057e5db1 )
K7AntiVirus	Trojan ( 0057e5db1 )
Arcabit	Trojan.Generic.D237DAE2
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/GenCBL.AMS
Kaspersky	HEUR:Trojan.Win32.Scar.gen
BitDefender	Trojan.GenericKD.37214946
Avast	Win32:DangerousSig [Trj]
Ad-Aware	Trojan.GenericKD.37214946
Emsisoft	MalCert-S.KU (A)
DrWeb	Trojan.Siggen13.58094
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.GenericKD.37214946
Sophos	Mal/Generic-S
Avira	TR/AD.NsisInject.jggmr
MAX	malware (ai score=87)
GData	Trojan.GenericKD.37214946
ALYac	Trojan.GenericKD.37214946
TrendMicro-HouseCall	TROJ_GEN.R002H0DG921
AVG	Win32:DangerousSig [Trj]
Panda	Trj/CI.A
Qihoo-360	Win32/Trojan.Generic.HoMASYEA

VNPhone.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All