Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 11, 2021, 12:31 p.m.	Nov. 11, 2021, 12:35 p.m.

Size	97.1KB
Type	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
MD5	`18b8693d4bf16821e6d279e0020bdcd7`
SHA256	`4a4bd0e011a39a8830334f40e4143c5795c5264d2d8ebb96abc6bbd6582f538c`
CRC32	`9C943F0D`
ssdeep	`1536:a3CsfyUa59wr+aZMJAcr0wRmPoT6ajOcFetbLBw0tBeZWugYdiORPAWe+nig4q8z:a3CsaUa5aLqXF03w3gYLe+D8/T`
Yara	IsELF - Executable and Linking Format executable file (Linux/Unix)

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "zbdPjiqp" C:\Users\test22\AppData\Local\Temp\shiko.arm
2460
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\shiko.arm
  2592
  - editplus.exe "editplus.exe"
    2788
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 11, 2021, 12:26 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Nov. 11, 2021, 12:26 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 11, 2021, 12:31 p.m.			0	0
IsDebuggerPresent Nov. 11, 2021, 12:33 p.m.			0	0

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Allocates read-write-execute memory (usually to unpack itself) (9 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ec0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73ab1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2021, 12:31 p.m.	process_identifier: 2592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2021, 12:28 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Nov. 11, 2021, 12:27 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 10238877696 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

Creates a shortcut to an executable file (13 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Word 2013.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 11, 2021, 12:26 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 11, 2021, 12:26 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 11, 2021, 12:26 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 11, 2021, 12:26 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 11, 2021, 12:26 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 11, 2021, 12:26 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 11, 2021, 12:26 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Nov. 11, 2021, 12:26 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Lionic	Trojan.Linux.Mirai.K!c
Cynet	Malicious (score: 99)
McAfee	Linux/Mirai.f
Sangfor	Malware.ELF-Script.Save.74add8dd
Cyren	E32/Mirai.BC.gen!Camelot
Symantec	Trojan.Gen.NPE
ESET-NOD32	a variant of Linux/Mirai.A
TrendMicro-HouseCall	Possible_MIRAI.SMLBO20
Avast	ELF:Mirai-ACU [Trj]
ClamAV	Unix.Trojan.Mirai-6976991-0
Kaspersky	HEUR:Backdoor.Linux.Mirai.b
BitDefender	Trojan.Linux.Mirai.1
MicroWorld-eScan	Trojan.Linux.Mirai.1
Tencent	Backdoor.Linux.Mirai.waw
Ad-Aware	Trojan.Linux.Mirai.1
Emsisoft	Trojan.Linux.Mirai.1 (B)
F-Secure	Malware.LINUX/Mirai.bonb
DrWeb	Linux.Mirai.58
TrendMicro	Possible_MIRAI.SMLBO20
McAfee-GW-Edition	Linux/Mirai.f
FireEye	Trojan.Linux.Mirai.1
Sophos	Linux/DDoS-CI
GData	Trojan.Linux.Mirai.1
Avira	LINUX/Mirai.bonb
Microsoft	Trojan:Linux/Multiverze
Gridinsoft	Suspicious.XOR_Encoded.bot!yf
Arcabit	Trojan.Linux.Mirai.1
Avast-Mobile	ELF:Mirai-FY [Trj]
AhnLab-V3	Linux/Mirai.Gen10
ALYac	Trojan.Linux.Mirai.1
MAX	malware (ai score=84)
Ikarus	Trojan.Linux.Mirai
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	ELF/Mirai.IA!tr
BitDefenderTheta	Gen:NN.Mirai.34266
AVG	ELF:Mirai-ACU [Trj]

shiko.arm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All