Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
07.06 06:07
build.exe
07.06 06:07
CoronaVirus.exe
07.06 06:07
RedLineStealer.exe
07.06 06:07
stealc_zov.exe
07.06 06:07
newbuild.exe
07.06 06:07
setup.exe
07.06 06:07
leva.exe
07.06 06:07
CryptoWall.exe
07.06 06:07
univ.exe
07.06 06:07
inte.exe

Latest News
07.06 10:07
Researchers Discover C...
07.06 10:07
New Mallox Ransomware ...
07.06 09:07
[한 주를 관통하는 보안 소식] 2024...
07.06 09:07
[퀴즈 이·보·소] 최근 벌어진 국내외 ...
07.06 08:07
김포시, 70만 김포시대 대비해 최첨단 ...
07.06 08:07
식약처, ‘체외진단의료기기 품질관리 및 ...
07.06 08:07
코레일, 정보보호의 날 맞아 ‘사이버 안...
07.06 08:07
소프트웨어 가치 보장, 발주자가 앞장선다
07.06 08:07
‘AI 과학기술 강군 육성’을 위한 발돋...
07.06 06:07
The Problem With Bug B...

Summary | ZeroBOX

snake.docx

Word 2007 file format(docx)

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Dec. 8, 2022, 9:45 a.m.	Dec. 8, 2022, 9:47 a.m.

Size	36.3KB
Type	Microsoft OOXML
MD5	`3b853ae547346befe5f3d06290635cf6`
SHA256	`bc9d4eb09711f92e4e260efcf7e48906dca6bf239841e976972fd74dac412e2f`
CRC32	`6F19B80D`
ssdeep	`768:gXs7D7R7l3Dkd+d5pCM1OpoeySh3uJvPtKzggQpw6DF0v66vJDE/i6I1:R175AcHpSoeySVG3ggN/Y6RiZ`
Yara	docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\snake.docx
3028

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 23.44.173.97 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 23.44.173.113	23.43.165.105
paknavy-gov-pk.downld.net	A 185.205.187.234	185.205.187.234

IP Address	Status	Action
164.124.101.2	Active	Moloch
185.205.187.234	Active	Moloch
23.44.173.97	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49168 -> 185.205.187.234:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49162 -> 185.205.187.234:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49166 -> 185.205.187.234:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49168 185.205.187.234:443	None	None	None
TLSv1 192.168.56.102:49162 185.205.187.234:443	C=US, O=Let's Encrypt, CN=R3	CN=*.downld.net	04:a5:76:5d:da:67:11:3c:f9:61:b0:5f:bb:45:55:38:d3:a7:2a:ee
TLSv1 192.168.56.102:49166 185.205.187.234:443	C=US, O=Let's Encrypt, CN=R3	CN=*.downld.net	04:a5:76:5d:da:67:11:3c:f9:61:b0:5f:bb:45:55:38:d3:a7:2a:ee

Performs some HTTP requests (1 event)

request

GET http://apps.identrust.com/roots/dstrootcax3.p7c

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Dec. 8, 2022, 9:45 a.m.	process_identifier: 3028 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a16a000 process_handle: 0xffffffff	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$snake.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Dec. 8, 2022, 9:45 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000454 filepath: C:\Users\test22\AppData\Local\Temp\~$snake.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$snake.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0