Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 4, 2021, 1:55 p.m.	Sept. 4, 2021, 2 p.m.

Size	1.2MB
Type	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
MD5	`9eb8c2ce21be0b6f778806b9875f1368`
SHA256	`6cfbe997d6be386d879f4221237877ee194b91fc75320edc1c0b58d7af824614`
CRC32	`E6E242BC`
ssdeep	`24576:e845rGHu6gVJKG75oFpA0VWeX482y1q2rJp0:745vRVJKGtSA0VWeozu9p0`
Yara	IsELF - Executable and Linking Format executable file (Linux/Unix) Malicious_Library_Zero - Malicious_Library

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "COQQ" C:\Users\test22\AppData\Local\Temp\syn
1852
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\syn
  1040
  - editplus.exe "editplus.exe"
    1636

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 4, 2021, 1:55 p.m.			0	0
IsDebuggerPresent Sept. 4, 2021, 1:55 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 4, 2021, 1:55 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f90000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73531000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73481000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x737d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ec1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72203000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735c2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 4, 2021, 1:55 p.m.	process_identifier: 1636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72203000 process_handle: 0xffffffff	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1852 resumed a thread in remote process 1040
NtResumeThread Sept. 4, 2021, 1:55 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 1040	1	0	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

MicroWorld-eScan	Trojan.Linux.GenericA.36989
FireEye	Trojan.Linux.GenericA.36989
McAfee	Linux/Gates
Sangfor	Suspicious.Linux.Save.a
Cyren	E32/Ganiw.A.gen!Camelot
Symantec	Linux.Chikdos.B!gen2
ESET-NOD32	Linux/Setag.B.Gen
TrendMicro-HouseCall	ELF_SETAG.SM
Avast	ELF:Elknot-AE [Trj]
ClamAV	Unix.Trojan.Agent-37008
Kaspersky	HEUR:Backdoor.Linux.Ganiw.d
BitDefender	Trojan.Linux.GenericA.36989
NANO-Antivirus	Trojan.Elf32.Ganiw.ditcrf
Tencent	Trojan.Linux.Ganiw.a
Ad-Aware	Trojan.Linux.GenericA.36989
Emsisoft	Trojan.Linux.GenericA.36989 (B)
DrWeb	Linux.BackDoor.Gates.9
Zillya	Trojan.Agent.Linux.12
TrendMicro	ELF_SETAG.SM
McAfee-GW-Edition	Linux/Gates
Sophos	Linux/DDoS-BD
Ikarus	Trojan.Linux.Agent
Jiangmin	Backdoor/Linux.io
Avira	LINUX/Setag.ztrec
Antiy-AVL	Trojan/Generic.ASELF.199
Microsoft	Backdoor:Linux/Setag!rfn
ZoneAlarm	HEUR:Backdoor.Linux.Ganiw.d
GData	Linux.Trojan.Siggen.D
Cynet	Malicious (score: 99)
AhnLab-V3	Linux/Backdoor.1223123.B
ALYac	Trojan.Linux.GenericA.36989
MAX	malware (ai score=83)
Rising	Backdoor.Linux.Flood.a (CLASSIC)
SentinelOne	Static AI - Malicious ELF
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	ELF/Ganiw.A!tr
AVG	ELF:Elknot-AE [Trj]

syn

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All