Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 25, 2021, 12:05 p.m.	July 25, 2021, 12:13 p.m.

Size	4.9MB
Type	Java archive data (JAR)
MD5	`43245acd2bfc4fb651961933a72da0ad`
SHA256	`c393f0f03013dc249481462e58fa90c2cec561dc5cf4f9687930d1da8460bcbc`
CRC32	`50597BF3`
ssdeep	`98304:4biNUPZ3rWOyLmQ0HA6aKoguzonco58+/dSisczzOj:4uePZ3LQF6OgQoncY8+/dVsczz+`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "OEFwRDtIpD" C:\Users\test22\AppData\Local\Temp\vodafone
620
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\vodafone
  2260
  - editplus.exe "editplus.exe"
    2760

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 25, 2021, 12:05 p.m.			0	0
IsDebuggerPresent July 25, 2021, 12:05 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 25, 2021, 12:05 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73770000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72904000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72711000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2021, 12:05 p.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729d2000 process_handle: 0xffffffff	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities\FileAssociations

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 620 resumed a thread in remote process 2260
NtResumeThread July 25, 2021, 12:05 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2260	1	0	0

File has been identified by 30 AntiVirus engines on VirusTotal as malicious (30 events)

Lionic	Trojan.AndroidOS.Hqwar.C!c
MicroWorld-eScan	Trojan.GenericKD.37281861
McAfee	Artemis!43245ACD2BFC
Trustlook	Android.PUA.DebugKey
Alibaba	TrojanDropper:Android/Hqwar.e45f3b83
K7GW	Trojan ( 0053b5f91 )
Cyren	Trojan.LLYY-4
SymantecMobileInsight	Other:Android.Reputation.1
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Android/TrojanDropper.Agent.IIG
Kaspersky	HEUR:Trojan-Banker.AndroidOS.Bian.h
BitDefender	Trojan.GenericKD.37281861
Tencent	a.privacy.AnubisTrojanBanking
Ad-Aware	Trojan.GenericKD.37281861
Emsisoft	Trojan.GenericKD.37281861 (B)
F-Secure	Malware.ANDROID/Dropper.FJRP.Gen
DrWeb	Android.BankBot.9553
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.GenericKD.37281861
Sophos	Andr/Banker-HAD
Ikarus	Trojan-Banker.AndroidOS.Hydra
GData	Trojan.GenericKD.37281861
Avira	ANDROID/Dropper.FJRL.Gen
Microsoft	Trojan:AndroidOS/Multiverze
ZoneAlarm	HEUR:Trojan-Banker.AndroidOS.Bian.h
Avast-Mobile	Android:Evo-gen [Trj]
Cynet	Malicious (score: 99)
BitDefenderFalx	Android.Trojan.Banker.WA
AhnLab-V3	Trojan/Android.Banker.1002024
Fortinet	Android/Agent.GYY!tr

vodafone

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All