Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

mokkshk.vbs

Antivirus

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 20, 2023, 9:34 a.m.	June 20, 2023, 9:36 a.m.

Size	192.7KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
MD5	`0cdf35374e4c56f3d0beaa3a449e5c8d`
SHA256	`ded012ce4854f02123ae84ba22760c7f4975901d0527a7920e9d241efaf2d231`
CRC32	`1C2B58D1`
ssdeep	`1536:eXZccvQvgpdpPZU+ogsUJW4Wrle/PhG+/kery+bGW:bgpdpe+og0S7N`
Yara	Antivirus - Contains references to security software

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\mokkshk.vbs
2568

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
195.178.120.24	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 20, 2023, 9:34 a.m.	computer_name: TEST22-PC	1	1	0

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM Win32_OperatingSystem

Communicates with host for which no DNS query was performed (1 event)

host

195.178.120.24

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

CAT-QuickHeal	VBS.Trojan.45344
Sangfor	Malware.Generic-VBS.Save.d9d6afc4
Symantec	ISB.Downloader!gen285
Avast	JS:Boxter-A [Drp]
Kaspersky	HEUR:Trojan-Downloader.Script.Generic
BitDefender	VB:Trojan.Valyria.8281
MicroWorld-eScan	VB:Trojan.Valyria.8281
Emsisoft	VB:Trojan.Valyria.8281 (B)
DrWeb	VBS.DownLoader.2418
VIPRE	VB:Trojan.Valyria.8281
FireEye	VB:Trojan.Valyria.8281
MAX	malware (ai score=84)
Arcabit	VB:Trojan.Valyria.D2059
GData	VB:Trojan.Valyria.8281
Google	Detected
ALYac	VB:Trojan.Valyria.8281
Ikarus	Trojan.VBS.Agent
AVG	JS:Boxter-A [Drp]

One or more non-whitelisted processes were created (1 event)

parent_process

wscript.exe

martian_process

C:\Users\Public\mojooooo.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

195.178.120.24:80

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Users\Public\mojooooo.exe