Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 11, 2021, 12:31 p.m.	Nov. 11, 2021, 12:41 p.m.

Size	85.1KB
Type	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
MD5	`e0b0a24315b11b46f1e3ab3ed8073ce4`
SHA256	`49b2053d60e358bce150f8ed3f97c5fd6f3f3d68f396099d4bfe058eb2969888`
CRC32	`C4A6C53F`
ssdeep	`1536:NySHwrZKkRozEsK3ufU33eZtU5SWmAHPeTriW/SnvL:NySQ9Koe83w9yPe31KL`
Yara	IsELF - Executable and Linking Format executable file (Linux/Unix)

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "vWjBmiEQJHHIw" C:\Users\test22\AppData\Local\Temp\arm
2776
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\arm
  2908
  - editplus.exe "editplus.exe"
    3036

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 11, 2021, 12:31 p.m.			0	0
IsDebuggerPresent Nov. 11, 2021, 12:31 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 11, 2021, 12:31 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (14 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x748d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x739f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73494000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a82000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73331000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76a81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74871000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 3036 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a82000 process_handle: 0xffffffff	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook\Capabilities\FileAssociations

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2776 resumed a thread in remote process 2908
NtResumeThread Nov. 11, 2021, 12:31 p.m.	thread_handle: 0x0000028c suspend_count: 1 process_identifier: 2908	1	0	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

Lionic	Trojan.Linux.Mirai.K!c
Elastic	Linux.Trojan.Gafgyt
Cynet	Malicious (score: 99)
CAT-QuickHeal	Elf.Trojan.A2849914
ALYac	Trojan.Linux.Mirai.1
Sangfor	Malware.ELF-Script.Save.74add8dd
Cyren	E32/Mirai.BC.gen!Camelot
Symantec	Trojan.Gen.NPE
ESET-NOD32	a variant of Linux/Mirai.L
TrendMicro-HouseCall	Backdoor.Linux.GAFGYT.SMMR3
Avast	ELF:Mirai-AIR [Trj]
ClamAV	Unix.Dropper.Mirai-7136015-0
Kaspersky	HEUR:Backdoor.Linux.Mirai.b
BitDefender	Trojan.Linux.Mirai.1
MicroWorld-eScan	Trojan.Linux.Mirai.1
Tencent	Backdoor.Linux.Mirai.waw
Ad-Aware	Trojan.Linux.Mirai.1
Emsisoft	Trojan.Linux.Mirai.1 (B)
DrWeb	Linux.Mirai.58
TrendMicro	Backdoor.Linux.GAFGYT.SMMR3
McAfee-GW-Edition	GenericRXQK-WK!E0B0A24315B1
FireEye	Trojan.Linux.Mirai.1
GData	Trojan.Linux.Mirai.1
Jiangmin	Backdoor.Linux.hdqb
Avira	LINUX/Mirai.dhvgq
Microsoft	Backdoor:Linux/Mirai.YA!MTB
Gridinsoft	Suspicious.XOR_Encoded.bot!yf
Arcabit	Trojan.Linux.Mirai.1
Avast-Mobile	ELF:Mirai-DN [Trj]
AhnLab-V3	Linux/Mirai.Gen13
McAfee	GenericRXQK-WK!E0B0A24315B1
MAX	malware (ai score=83)
Ikarus	Trojan.Linux.Mirai
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	ELF/Mirai.H!tr
BitDefenderTheta	Gen:NN.Mirai.34266
AVG	ELF:Mirai-AIR [Trj]

arm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All