Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 1, 2022, 7:48 p.m.	Jan. 1, 2022, 7:53 p.m.

Size	223.4KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5	`aff7cf93b494c088fb991bebde49df9a`
SHA256	`ae5f6a5007c02c48f4bba3dd694c528f500f8e12ec106661149e4a3d1f678c8d`
CRC32	`F2617F78`
ssdeep	`6144:/QqaV8iAkW9+rk/BOtrgHyI/cXqUul/R0dPE1Nxw/:QVykk+YVy5hWRecPxw/`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file Win_Backdoor_GhostCringe_Zero - Win Backdoor GhostCringe NSIS_Installer - Null Soft Installer

Selap.exe "C:\Users\test22\AppData\Local\Temp\Selap.exe"
2312
- server.exe "C:\Windows\temp\server.exe"
  2408
- Cacrk.exe "C:\Windows\temp\Cacrk.exe"
  2444
  - 8848Diao.exe 8848Diao.exe
    2636

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
110.76.158.13	Active	Moloch
110.76.158.75	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49163 -> 110.76.158.75:11024	2013214	ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 110.76.158.75:11024	2016922	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic	Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 110.76.158.75:11024	2021716	ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 102	Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 110.76.158.13:8848	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 110.76.158.13:8848 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 110.76.158.13:8848 -> 192.168.56.103:49164	2020500	ET EXPLOIT_KIT DRIVEBY Likely Evil EXE with no referer from HFS webserver (used by Unknown EK)	Exploit Kit Activity Detected
TCP 110.76.158.13:8848 -> 192.168.56.103:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 110.76.158.13:8848 -> 192.168.56.103:49164	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.103:49166 -> 110.76.158.13:8848	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 1, 2022, 7:49 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 1, 2022, 7:48 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.ndata

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 1, 2022, 7:48 p.m.	stacktrace: Host+0x14c @ 0x10002bfc exception.instruction_r: 0f 3f 07 0b 85 db 0f 94 45 e4 5b eb 24 8b 45 ec exception.exception_code: 0xc000001d exception.symbol: Host-0x1307 exception.address: 0x100017a9 registers.esp: 1637528 registers.edi: 0 registers.eax: 1 registers.ebp: 1637580 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 1988572373 registers.ecx: 2412	1	0	0
__exception__ Jan. 1, 2022, 7:48 p.m.	stacktrace: Host+0x155 @ 0x10002c05 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Host-0x1268 exception.address: 0x10001848 registers.esp: 1637528 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637580 registers.edx: 22104 registers.ebx: 0 registers.esi: 1988572373 registers.ecx: 10	1	0	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 58 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73a01000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74d71000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75191000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75261000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74181000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74171000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74151000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b11000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff		3221225713
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 155648 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x100fa000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10120000 process_handle: 0xffffffff		3221225713
NtAllocateVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72df1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742d1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74211000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74181000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74171000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74151000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b11000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 942080 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 217088 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x100e7000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 8982528 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b11000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3653632 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1011a000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 782336 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff		3221225496
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 122880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cd1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f80000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f80000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Jan. 1, 2022, 7:49 p.m.	process_identifier: 2636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0

A process attempted to delay the analysis task. (1 event)

description

server.exe tried to sleep 234 seconds, actually delayed analysis time by 234 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Jan. 1, 2022, 7:49 p.m.	total_number_of_free_bytes: 10226057216 free_bytes_available: 10226057216 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0
GetDiskFreeSpaceExW Jan. 1, 2022, 7:50 p.m.	total_number_of_free_bytes: 10226630656 free_bytes_available: 10226630656 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

Creates executable files on the filesystem (4 events)

file	C:\Windows\Temp\Cacrk.exe
file	C:\Program Files\Cacrk\Cacrk.dll
file	C:\Windows\Temp\8848Diao.exe
file	C:\Windows\Temp\server.exe

Drops a binary and executes it (2 events)

file	C:\Windows\Temp\server.exe
file	C:\Windows\Temp\Cacrk.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (23 events)

Time & API	Arguments	Status	Return
Process32NextW Jan. 1, 2022, 7:48 p.m.	snapshot_handle: 0x00000114 process_name: mobsync.exe process_identifier: 1428	1	1
Process32NextW Jan. 1, 2022, 7:48 p.m.	snapshot_handle: 0x00000114 process_name: pw.exe process_identifier: 2084	1	1
Process32NextW Jan. 1, 2022, 7:48 p.m.	snapshot_handle: 0x00000114 process_name: sdclt.exe process_identifier: 2140	1	1
Process32NextW Jan. 1, 2022, 7:48 p.m.	snapshot_handle: 0x00000114 process_name: conhost.exe process_identifier: 2248	1	1
Process32NextW Jan. 1, 2022, 7:48 p.m.	snapshot_handle: 0x00000114 process_name: pw.exe process_identifier: 2328	1	1
Process32NextW Jan. 1, 2022, 7:48 p.m.	snapshot_handle: 0x00000114 process_name: server.exe process_identifier: 2408	1	1
Process32NextW Jan. 1, 2022, 7:48 p.m.	snapshot_handle: 0x00000114 process_name: Cacrk.exe process_identifier: 2444	1	1
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 2636	1	1
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: mscorsvw.exe process_identifier: 2596	1	1
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: mscorsvw.exe process_identifier: 2608	1	1
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: sppsvc.exe process_identifier: 2244	1	1
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: conhost.exe process_identifier: 2024	1	1
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 2736	1	1
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000001c8 process_name: cmd.exe process_identifier: 2696	1	1
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000001c8 process_name: pw.exe process_identifier: 2728	1	1
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000001d4 process_name: conhost.exe process_identifier: 2844	1	1
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000001d4 process_name: cmd.exe process_identifier: 2888	1	1
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000001d4 process_name: pw.exe process_identifier: 2920	1	1
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000001d4 process_name: conhost.exe process_identifier: 3020	1	1
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x000001d4 process_name: cmd.exe process_identifier: 3060	1	1
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x000001d4 process_name: conhost.exe process_identifier: 3068	1	1
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x000001d4 process_name: cmd.exe process_identifier: 2292	1	1
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x000001d4 process_name: conhost.exe process_identifier: 2304	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 1, 2022, 7:48 p.m.	process_identifier: 2408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 434176 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process cacrk.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Jan. 1, 2022, 7:48 p.m.	buffer: MZÿÿ¸@(º´ Í!¸LÍ!This program cannot be run in DOS mode. $LNáî ²î ²î ²gñ+²î ²gñ²î ²>È²Âî ²ò.²$î ²>È+²Tî ²sò,² î ²^ñ3²$î ²jñ3²î ²î!²¤ì ²æ}²î ²ôÎ2² î ²àñ+²iî ²àñ*²î ²î ²Sî ²Ïè&² î ²Richî ²PELóøß`àðJ0`^Qp`Q@QÔQ`QÔ UPX0`àUPX1ðJpðJ@à.rsrc0`Q$ôJ@À3.95UPX! vAåÃWöPòíJ@M&} request_handle: 0x00cc000c	1	1	0

Expresses interest in specific running processes (1 event)

process

server.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 174 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Jan. 1, 2022, 7:48 p.m.	snapshot_handle: 0x00000144 process_name: Cacrk.exe process_identifier: 6684769		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 7536688		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 3014768		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 7274573		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 5046390		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 6815859		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 6881397		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 7602277		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 6619235		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 4456552		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 7536758		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 6684769		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 4390992		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: process_identifier: 5439572		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 6619182		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 6553715		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 5046338		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 6619246		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 6750273		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 7471220		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 7733331		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 4980808		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 6619251		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 7864421		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 3342387		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 3014722		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: process_identifier: 7733362		0	0
Process32NextW Jan. 1, 2022, 7:49 p.m.	snapshot_handle: 0x000003cc process_name: 8848Diao.exe process_identifier: 6553705		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 7602224		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 7536688		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 3014768		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 7274573		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 5046390		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 6815859		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 6881397		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 7602277		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 6619235		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 4456552		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 7536758		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 6684769		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 4390992		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: process_identifier: 5439572		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 6619182		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 6553715		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 5046338		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 6619246		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 6750273		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 7471220		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 7733331		0	0
Process32NextW Jan. 1, 2022, 7:50 p.m.	snapshot_handle: 0x00000358 process_name: pw.exe process_identifier: 4980808		0	0

Communicates with host for which no DNS query was performed (2 events)

host	110.76.158.13
host	110.76.158.75

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XXXXXXE3539977

reg_value

C:\Windows\XXXXXXE3539977\svchsot.exe

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 1, 2022, 7:48 p.m.	stacktrace: Host+0x155 @ 0x10002c05 exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45 exception.instruction: in eax, dx exception.exception_code: 0xc0000096 exception.symbol: Host-0x1268 exception.address: 0x10001848 registers.esp: 1637528 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637580 registers.edx: 22104 registers.ebx: 0 registers.esi: 1988572373 registers.ecx: 10	1	0	0

Creates known Zegost files, registry changes and/or mutexes (1 event)

mutex

AAAAAArq6vvbS1va6yp720sqmurq+xs58=

File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 events)

Lionic	Trojan.Win32.Generic.luIV
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Magania.18692
McAfee	Artemis!AFF7CF93B494
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan-Downloader ( 0055e3da1 )
Alibaba	Backdoor:Win32/Farfli.1b0b7f62
K7GW	Trojan-Downloader ( 0055e3da1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.DA347
Baidu	Win32.Trojan.Dialer.d
Cyren	W32/Zegost.MYEI-4034
Symantec	Backdoor.Trojan
ESET-NOD32	multiple detections
APEX	Malicious
Paloalto	generic.ml
ClamAV	Win.Trojan.Farfli-9811912-0
Kaspersky	Backdoor.Win32.Farfli.afgz
BitDefender	MemScan:Trojan.GenericKDZ.41799
NANO-Antivirus	Trojan.Win32.Dwn.eahibw
MicroWorld-eScan	MemScan:Trojan.GenericKDZ.41799
Avast	Win32:Malware-gen
Tencent	Win32.Backdoor.Farfli.Lsvv
Ad-Aware	MemScan:Trojan.GenericKDZ.41799
Sophos	Mal/Generic-S
Comodo	TrojWare.Win32.Agent.PDSB@4q3i1w
DrWeb	Trojan.DownLoader19.23899
TrendMicro	BKDR_ZEGOST.SM50
McAfee-GW-Edition	BackDoor-EMA.gen.e
FireEye	MemScan:Trojan.GenericKDZ.41799
Emsisoft	MemScan:Trojan.GenericKDZ.41799 (B)
Ikarus	Trojan.Win32.Farfli
Jiangmin	Trojan/Dialer.mgr
eGambit	Unsafe.AI_Score_99%
Avira	HEUR/AGEN.1124319
Antiy-AVL	Trojan/Generic.ASMalwS.17175DA
Kingsoft	Win32.Heur.KVM005.a.(kcloud)
Microsoft	Trojan:Win32/Farfli.MA!MTB
ViRobot	Trojan.Win32.Z.Farfli.228777
GData	Win32.Trojan-Downloader.Agent.WC
AhnLab-V3	Trojan/Win.Generic.R419237
BitDefenderTheta	Gen:NN.ZexaF.34114.bq0@aOpfi5ob
ALYac	MemScan:Trojan.GenericKDZ.41799
MAX	malware (ai score=82)
VBA32	BScope.Trojan.Downloader
Malwarebytes	Malware.AI.1781735438
TrendMicro-HouseCall	BKDR_ZEGOST.SM50
Rising	Trojan.Win32.Lebag.b (CLASSIC:mHprowbc8Vc29trPrwbMqQ)

Selap.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All