Summary | ZeroBOX

http://192.227.158.111/fud.js

Downloader FTP Code injection DGA HTTP Socket Escalate priviledges persistence Create Service KeyLogger Internet API Sniff Audio DNS Http API Steal credential ScreenShot P2P AntiVM AntiDebug
Category Machine Started Completed
URL s1_win7_x6402 July 13, 2021, 7:29 a.m. July 13, 2021, 7:32 a.m.
URL http://192.227.158.111/fud.js

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x7577d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x7577964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75764d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75766f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x7576e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75766002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75765fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x757649e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75765a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x77799a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x777b8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x777b8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75b37a25
wscript+0x2fbd @ 0x502fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x75b333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77799ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77799ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75793ef4
registers.esp: 2226612
registers.edi: 0
registers.eax: 40826032
registers.ebp: 2226640
registers.edx: 1
registers.ebx: 0
registers.esi: 7150584
registers.ecx: 1948268244
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74663000
process_handle: 0xffffffff
1 0 0
CRDF malicious site
CyRadar malicious site
Webroot malicious site
Kaspersky malware site
url http://192.227.158.111/fud.js
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Communications over FTP rule Network_FTP
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description Steal credential rule local_credential_Steal
description Take ScreenShot rule ScreenShot
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Install itself for autorun at Windows startup rule Persistence
url http://192.227.158.111/fud.js