Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 4, 2021, 10:11 a.m.	Oct. 4, 2021, 10:28 a.m.

Size	1.2MB
Type	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped
MD5	`6c3a8a55969e4251cd8c8bd3802efb9a`
SHA256	`501d43c75037aae168a4e6547143dd93b4a2b31be94457ab18a8d42b2a075338`
CRC32	`464BF625`
ssdeep	`24576:e845rGHu6gVJKG75oFpA0VWIX4N2y1q2rJp0:745vRVJKGtSA0VWIoEu9p0`
Yara	Malicious_Library_Zero - Malicious_Library IsELF - Executable and Linking Format executable file (Linux/Unix)

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "sYjduTuqKkWjEyzs" C:\Users\test22\AppData\Local\Temp\qingdi1
1548
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\qingdi1
  2880
  - editplus.exe "editplus.exe"
    2532

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 4, 2021, 10:11 a.m.			0	0
IsDebuggerPresent Oct. 4, 2021, 10:11 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 4, 2021, 10:11 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (15 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f90000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73561000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73321000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76ec1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72031000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72033000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735f2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2021, 10:11 a.m.	process_identifier: 2532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72033000 process_handle: 0xffffffff	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1548 resumed a thread in remote process 2880
NtResumeThread Oct. 4, 2021, 10:11 a.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2880	1	0	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Elastic	Linux.Trojan.Ganiw
MicroWorld-eScan	Trojan.Linux.GenericA.36989
FireEye	Trojan.Linux.GenericA.36989
ALYac	Trojan.Linux.GenericA.36989
Zillya	Trojan.Agent.Linux.12
Sangfor	Suspicious.Linux.Save.a
Cyren	E32/Ganiw.A.gen!Camelot
Symantec	Linux.Chikdos.B!gen2
ESET-NOD32	Linux/Setag.B.Gen
TrendMicro-HouseCall	ELF_SETAG.SM
Avast	ELF:Elknot-AE [Trj]
ClamAV	Unix.Trojan.Agent-37008
Kaspersky	HEUR:Backdoor.Linux.Ganiw.d
BitDefender	Trojan.Linux.GenericA.36989
NANO-Antivirus	Trojan.Elf32.Ganiw.ditcrf
Rising	Backdoor.Linux.Flood.a (CLASSIC)
Ad-Aware	Trojan.Linux.GenericA.36989
DrWeb	Linux.BackDoor.Gates.9
TrendMicro	ELF_SETAG.SM
McAfee-GW-Edition	Linux/Gates
Emsisoft	Trojan.Linux.GenericA.36989 (B)
Ikarus	Trojan.Linux.Agent
Jiangmin	Backdoor/Linux.io
Avira	LINUX/Setag.ztrec
Antiy-AVL	Trojan/Generic.ASELF.199
Microsoft	Backdoor:Linux/Setag!rfn
GData	Linux.Trojan.Siggen.D
Cynet	Malicious (score: 99)
AhnLab-V3	Linux/Backdoor.1223123.B
McAfee	Linux/Gates
MAX	malware (ai score=80)
Tencent	Trojan.Linux.Ganiw.a
SentinelOne	Static AI - Malicious ELF
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	ELF/Ganiw.A!tr
AVG	ELF:Elknot-AE [Trj]

qingdi1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All