Summary | ZeroBOX

111.exe

Tags: UPX, Malicious Library, OS Processor Check, PE64, PE File
Category FILE
Machine s1_win7_x6403_us
Started Jan. 19, 2023, 8:11 a.m.
Completed Jan. 19, 2023, 8:14 a.m.
Size 933.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 e0e3ca76d27943d890cad7e341d3a477
SHA256 cedf2f478d0acc217522682a10f37c28894733f15f80df85333c7894043dcd98
CRC32 762BB2FE
ssdeep 24576:XucvBP7N6G7Thv+aHnL4oL/80naUviycsak1/uWpW1f:l79MoLxnNKW
Yara
  • OS_Processor_Check_Zero - OS Processor Check
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • IsPE64 - (no description)
  • UPX_Zero - UPX packed file

IP Address Status Action
164.124.101.2 Active Moloch
182.162.106.32 Active Moloch
80.77.25.65 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49162 -> 80.77.25.65:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.103:49162 -> 80.77.25.65:443 C=US, O=Let's Encrypt, CN=R3 CN=jumptoupd.com 8d:51:57:ea:43:d2:9e:e6:e0:ce:12:76:3d:6c:87:0d:72:35:e3:a4

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
resource name KXDSAKO
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET https://jumptoupd.com/jquery-3.3.1.min.js
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 160
region_size: 266240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c20000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 160
region_size: 4661248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001e20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0
name KXDSAKO language LANG_ARABIC filetype data sublanguage SUBLANG_ARABIC_SYRIA offset 0x000accb0 size 0x00040e09
name RT_MENU language LANG_ARABIC filetype data sublanguage SUBLANG_ARABIC_SYRIA offset 0x000edac0 size 0x0000004a
name RT_STRING language LANG_ARABIC filetype data sublanguage SUBLANG_ARABIC_SYRIA offset 0x000edb20 size 0x0000006c
name RT_ACCELERATOR language LANG_ARABIC filetype data sublanguage SUBLANG_ARABIC_SYRIA offset 0x000edb10 size 0x00000010
Elastic malicious (moderate confidence)
Kaspersky UDS:Trojan.Win32.CobaltStrike
Sophos Mal/Generic-S
Webroot W32.Obfuscated.Gen
ZoneAlarm UDS:Trojan.Win32.CobaltStrike
Microsoft HackTool:Win64/CobaltStrike.B
MaxSecure Trojan.Malware.300983.susgen
CrowdStrike win/malicious_confidence_100% (W)
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
section name .rsrc size_of_data 0x00042000 virtual_address 0x000ac000 virtual_size 0x00041e18 entropy 7.819637506944125 description A section with a high entropy has been found
entropy 0.283261802575 description Overall entropy of this PE file is high
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob