FireFoxExtension.exe| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6402 | Sept. 29, 2021, 10:37 a.m. | Sept. 29, 2021, 10:39 a.m. |
-
-
FireFoxExtension.tmp "C:\Users\test22\AppData\Local\Temp\is-S15H0.tmp\FireFoxExtension.tmp" /SL5="$5037C,19610817,831488,C:\Users\test22\AppData\Local\Temp\FireFoxExtension.exe"
1644-
-
mountvol.exe mountvol P: /D
2240
-
-
cmd.exe "cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
2220 -
-
setx.exe setx /m PATH "C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\util\cmd;C:\Python27;C:\util\cmd;C:\Python27C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp"
240
-
-
cmd.exe "cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\devcon.exe" remove "ROOT\bareflank""
732 -
cmd.exe "cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\devcon.exe" install "C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\bareflank.inf" "ROOT\bareflank""
1192 -
cmd.exe "cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\devcon.exe" remove "ROOT\bfbuilder""
2964 -
cmd.exe "cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\devcon.exe" install "C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\bfbuilder.inf" "ROOT\bfbuilder""
1100
-
-
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| imagizer.imageshack.com | 151.139.128.11 |
Suricata Alerts
| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 151.139.128.11:443 -> 192.168.56.102:49182 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic |
| TCP 192.168.56.102:49184 -> 151.139.128.11:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49183 -> 151.139.128.11:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49181 -> 151.139.128.11:443 | 906200056 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 151.139.128.11:443 -> 192.168.56.102:49185 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic |
Suricata TLS
No Suricata TLS
| section | .itext |
| section | .didata |
| file | C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\googlesystem.exe |
| file | C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\express.dll |
| cmdline | setx /m PATH "C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\util\cmd;C:\Python27;C:\util\cmd;C:\Python27C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp" |
| cmdline | "cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\devcon.exe" remove "ROOT\bareflank"" |
| cmdline | "cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\devcon.exe" install "C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\bfbuilder.inf" "ROOT\bfbuilder"" |
| cmdline | "cmd.exe" /C mountvol P: /D |
| cmdline | "cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi |
| cmdline | "cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\devcon.exe" remove "ROOT\bfbuilder"" |
| cmdline | "cmd.exe" /C setx /m PATH "%PATH%C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp" |
| cmdline | "cmd.exe" /C ""C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\devcon.exe" install "C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\bareflank.inf" "ROOT\bareflank"" |
| file | C:\Users\test22\AppData\Local\Temp\is-S15H0.tmp\FireFoxExtension.tmp |
| file | C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\express.dll |
| file | C:\Users\test22\AppData\Local\Temp\is-L90BT.tmp\googlesystem.exe |
| file | C:\Users\test22\AppData\Local\Temp\is-S15H0.tmp\FireFoxExtension.tmp |
| command | "cmd.exe" /c bcdedit /set {bootmgr} path \efi\boot\bareflank.efi |
| Lionic | Trojan.Win32.Penguish.a!c |
| DrWeb | Trojan.DownLoad4.14556 |
| K7AntiVirus | Riskware ( 00584baa1 ) |
| Alibaba | TrojanDownloader:Win32/Penguish.0ba0fed2 |
| K7GW | Riskware ( 00584baa1 ) |
| Symantec | Trojan.Gen.MBT |
| Kaspersky | Trojan-Downloader.Win32.Penguish.wa |
| NANO-Antivirus | Virus.Win32.Gen.ccmw |
| Avast | Win32:Malware-gen |
| Sophos | Mal/Generic-S |
| Comodo | TrojWare.Win32.Agent.vumsr@0 |
| TrendMicro | Trojan.Win32.PENGUISH.B |
| McAfee-GW-Edition | Artemis |
| Emsisoft | MalCert-S.MA (A) |
| Ikarus | Trojan.Win32.Crypt |
| Webroot | W32.Malware.Gen |
| Avira | TR/AD.NsisInject.rwqyd |
| Kingsoft | Win32.TrojDownloader.Penguish.wa.(kcloud) |
| GData | Win32.Trojan.Kryptik.KN3FFB |
| McAfee | Artemis!2E309F6569AD |
| TrendMicro-HouseCall | Trojan.Win32.PENGUISH.B |
| Tencent | Win32.Trojan-downloader.Penguish.Hsiq |
| Fortinet | W32/Penguish.WA!tr.dldr |
| AVG | Win32:Malware-gen |