Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 25, 2023, 12:17 p.m.	Oct. 25, 2023, 12:19 p.m.

Size	250.8KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5	`c8bb8a34766ec04c304597c76d179f4b`
SHA256	`fd16b16c7ca1e83c7daee8a04409cc1501fe3b178154b93f68b0c22b215733b7`
CRC32	`0796C1CE`
ssdeep	`3072:d+oIRR7775e8eu77777777IRR7775e8eu77777777IRR7775e8ej7Zj:d5`
Yara	Javascript_ActiveXObject - Use ActiveXObject JavaScript

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Comprobante_transfer.pdf.js
2004

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18	23.67.53.17
wtools.io	A 104.21.6.247 A 172.67.135.130	104.21.6.247
pastebin.com	A 172.67.34.170 A 104.20.67.143 A 104.20.68.143	104.20.68.143

IP Address	Status	Action
121.254.136.9	Active	Moloch
164.124.101.2	Active	Moloch
172.67.135.130	Active	Moloch
172.67.34.170	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 172.67.34.170:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 172.67.135.130:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2034938	ET POLICY Observed DNS Query to Pastebin-style Service (wtools .io)	Potential Corporate Privacy Violation

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49161 172.67.34.170:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	c7:af:cc:81:4d:27:d1:4c:7c:f4:bf:5d:55:9d:80:50:3b:6f:6c:cd
TLSv1 192.168.56.103:49163 172.67.135.130:443	C=US, O=Let's Encrypt, CN=E1	CN=wtools.io	3a:58:36:cd:4b:ef:eb:18:c3:bf:78:bd:93:e9:a1:d0:70:e3:b8:13

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 25, 2023, 12:17 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25 wscript+0x2fbd @ 0xff2fbd BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x750d3ef4 registers.esp: 1439848 registers.edi: 0 registers.eax: 47079848 registers.ebp: 1439876 registers.edx: 1 registers.ebx: 0 registers.esi: 7201136 registers.ecx: 1943614844	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 25, 2023, 12:17 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x750bd08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x750b964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x750a4d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x750a6f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x750ae825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x750a6002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x750a5fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x750a49e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x750a5a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x778d9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x778f8f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x778f8e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x757f7a25
wscript+0x2fbd @ 0xff2fbd
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x750d3ef4
registers.esp: 1439848
registers.edi: 0
registers.eax: 47079848
registers.ebp: 1439876
registers.edx: 1
registers.ebx: 0
registers.esi: 7201136
registers.ecx: 1943614844

Performs some HTTP requests (2 events)

request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET https://pastebin.com/raw/NVAgzFRR

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 25, 2023, 12:17 p.m.	flags: 15 family: 0		111	0

Wscript.exe initiated network communications indicative of a script based payload download (6 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Oct. 25, 2023, 12:17 p.m.	buffer: oke8®þU(¼ô7yõ¯ËX#ìT }_Ü¢TÒ¡n2 /5 ÀÀÀ À 28*ÿpastebin.com socket: 592		0	0
WSASend Oct. 25, 2023, 12:17 p.m.	buffer: FBAÇ'UÄøqháh=Ô Õcé.t2e:-=À$³Æ×¯¥/rù?.±i¶ìG0êaG6°VAe9û0³Ø{ý!>ûFE¶ûÇKÖó´"ù·m7\|ðûþ]FÍ'$°¤ÊSÄ socket: 592		0	0
WSASend Oct. 25, 2023, 12:17 p.m.	buffer: Ðk¯¤èRû VuÇI©T©þ ÌgD3Ç>3oúÕyjxÿ¶õÆVD>ûíe¤^DúäO±å7ØHA7÷Ñ·n³}ïì¤Kvwq&rBÒkÓNþÛxE¹¼¹¨ÃÇÃ®áúYî]FwsQ{(*Bò\½ô§Ì4&¢lµÁ$ðæ5-eÛA³ÏÍåÎ°?Åó/_ååDYrõC9ÕyS+¶Ú34Üµæy¡?FlzÕ#8Ê socket: 592		0	0
WSASend Oct. 25, 2023, 12:17 p.m.	buffer: lhe8¯ì?ÁÁHÊLµ`UÂÄþÎæ¯øb©/5 ÀÀÀ À 28'ÿ wtools.io socket: 1104		0	0
WSASend Oct. 25, 2023, 12:17 p.m.	buffer: FBAþ.Áù<Lä\RzÉ~¼É\|TzÃBýKä¬¹³znW6Îü7À&9ÉÄ2þ\]fû½0ÊfXS¡ÀzgÙx9:æJ\è)Úz«möt5ùVái³Û^{:a©×)+ú socket: 1104		0	0
WSASend Oct. 25, 2023, 12:17 p.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1156		0	0

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

FireEye	JS:Trojan.Cryxos.12968
ALYac	JS:Trojan.Cryxos.12968
VIPRE	JS:Trojan.Cryxos.12968
Avast	JS:Obfuscated-IA [Cryp]
Kaspersky	HEUR:Trojan.Script.Generic
BitDefender	JS:Trojan.Cryxos.12968
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
MicroWorld-eScan	JS:Trojan.Cryxos.12968
Emsisoft	JS:Trojan.Cryxos.12968 (B)
GData	JS:Trojan.Cryxos.12968
MAX	malware (ai score=84)
Arcabit	JS:Trojan.Cryxos.D32A8
Google	Detected
Ikarus	Trojan-Downloader.JS.Agent
AVG	JS:Obfuscated-IA [Cryp]

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (6 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Oct. 25, 2023, 12:17 p.m.	buffer: oke8®þU(¼ô7yõ¯ËX#ìT }_Ü¢TÒ¡n2 /5 ÀÀÀ À 28*ÿpastebin.com socket: 592		0	0
WSASend Oct. 25, 2023, 12:17 p.m.	buffer: FBAÇ'UÄøqháh=Ô Õcé.t2e:-=À$³Æ×¯¥/rù?.±i¶ìG0êaG6°VAe9û0³Ø{ý!>ûFE¶ûÇKÖó´"ù·m7\|ðûþ]FÍ'$°¤ÊSÄ socket: 592		0	0
WSASend Oct. 25, 2023, 12:17 p.m.	buffer: Ðk¯¤èRû VuÇI©T©þ ÌgD3Ç>3oúÕyjxÿ¶õÆVD>ûíe¤^DúäO±å7ØHA7÷Ñ·n³}ïì¤Kvwq&rBÒkÓNþÛxE¹¼¹¨ÃÇÃ®áúYî]FwsQ{(*Bò\½ô§Ì4&¢lµÁ$ðæ5-eÛA³ÏÍåÎ°?Åó/_ååDYrõC9ÕyS+¶Ú34Üµæy¡?FlzÕ#8Ê socket: 592		0	0
WSASend Oct. 25, 2023, 12:17 p.m.	buffer: lhe8¯ì?ÁÁHÊLµ`UÂÄþÎæ¯øb©/5 ÀÀÀ À 28'ÿ wtools.io socket: 1104		0	0
WSASend Oct. 25, 2023, 12:17 p.m.	buffer: FBAþ.Áù<Lä\RzÉ~¼É\|TzÃBýKä¬¹³znW6Îü7À&9ÉÄ2þ\]fû½0ÊfXS¡ÀzgÙx9:æJ\è)Úz«möt5ùVái³Û^{:a©×)+ú socket: 1104		0	0
WSASend Oct. 25, 2023, 12:17 p.m.	buffer: GET /roots/dstrootcax3.p7c HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: apps.identrust.com socket: 1156		0	0

Comprobante_transfer.pdf.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All