Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 15, 2023, 6:14 p.m.	Dec. 15, 2023, 6:18 p.m.

Size	14.2KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`6a23b6e2536f7027a8506c87245eea5d`
SHA256	`7d044f688c9c50f08f18bcda8ac384edc065d498b6ef1b1ff84c413da3bba75e`
CRC32	`AE96A7F7`
ssdeep	`192:y+8o9QKLn4omNPhjg8BPP5rsls4I1E6SnYe+PjPQu7qrPyIAm+vy6QEr9ZCspE+z:hFLshjg8BPhgTq5SnYPLQjyIANweM`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature

DNS1.exe "C:\Users\test22\AppData\Local\Temp\DNS1.exe"
2548
- Jinbcck.exe "C:\Program Files (x86)\Microsoft Jhmbbb\Jinbcck.exe"
  2676

Name	Response	Post-Analysis Lookup
www.996m2m2.top	A 163.197.245.240	163.197.245.240
users.qzone.qq.com	A 43.129.2.81 CNAME ins-sg5lt470.ias.tencent-cloud.net A 43.159.233.101	43.159.233.101
www.996-m2.xyz	A 163.197.245.130	163.197.245.130

IP Address	Status	Action
163.197.245.130	Active	Moloch
163.197.245.240	Active	Moloch
164.124.101.2	Active	Moloch
43.129.2.81	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 163.197.245.130:1881 -> 192.168.56.101:49161	2400015	ET DROP Spamhaus DROP Listed Traffic Inbound group 16	Misc Attack
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 43.129.2.81:443 -> 192.168.56.101:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 43.129.2.81:443 -> 192.168.56.101:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 43.129.2.81:443 -> 192.168.56.101:49168	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 163.197.245.130:1881 -> 192.168.56.101:49161	2045860	ET HUNTING Rejetto HTTP File Sever Response	A Network Trojan was detected

Suricata TLS

No Suricata TLS

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Performs some HTTP requests (1 event)

request

GET http://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.996m2m2.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 15, 2023, 6:14 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 6:14 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 6:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 3203072 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 15, 2023, 6:14 p.m.	process_identifier: 2676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1030f000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Program Files\AppPatch\logng.dll

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Dec. 15, 2023, 6:14 p.m.	service_start_name: start_type: 2 password: display_name: Zxcqrr zlavmtjfuodckeeplh filepath: C:\Program Files (x86)\Microsoft Jhmbbb\Jinbcck.exe service_name: Wsrggg oapklizk filepath_r: C:\Program Files (x86)\Microsoft Jhmbbb\Jinbcck.exe desired_access: 983551 service_handle: 0x00325cd0 error_control: 0 service_type: 272 service_manager_handle: 0x00325c30	1	3300560	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00001400', u'virtual_address': u'0x00005000', u'entropy': 7.524816536611518, u'name': u'UPX1', u'virtual_size': u'0x00002000'}

entropy

7.52481653661

description

A section with a high entropy has been found

entropy

0.909090909091

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 15, 2023, 6:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Dec. 15, 2023, 6:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

The executable is compressed using UPX (3 events)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Installs itself for autorun at Windows startup (1 event)

service_name

Wsrggg oapklizk

service_path

C:\Program Files (x86)\Microsoft Jhmbbb\Jinbcck.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

163.197.245.240:9090

File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Zegost.a!c
tehtris	Generic.Malware
MicroWorld-eScan	Trojan.Cud.Gen.2
FireEye	Generic.mg.6a23b6e2536f7027
CAT-QuickHeal	Trojan.Mauvaise.SL1
Skyhigh	BehavesLike.Win32.Downloader.lc
ALYac	Trojan.Cud.Gen.2
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_100% (W)
Baidu	Win32.Trojan-Downloader.Agent.bh
Symantec	SMG.Heur!gen
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Agent.BJJ
APEX	Malicious
ClamAV	Win.Trojan.Agent-6443182-0
Kaspersky	Trojan-Downloader.Win32.Agent.hgxz
BitDefender	Trojan.Cud.Gen.2
NANO-Antivirus	Trojan.Win32.Dwn.dygxrv
Avast	Win32:Adware-gen [Adw]
Tencent	Win32.Trojan-Downloader.Agent.Aujl
Sophos	Troj/Zegost-ID
F-Secure	Trojan.TR/Downloader.Gen
DrWeb	Trojan.AVKill.63253
VIPRE	Trojan.Cud.Gen.2
TrendMicro	BKDR_ZEGOST.SM14
Trapmine	malicious.high.ml.score
Emsisoft	Trojan.Cud.Gen.2 (B)
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=81)
Jiangmin	Trojan.Generic.batqb
Google	Detected
Avira	TR/Downloader.Gen
Varist	W32/Zegost.DY.gen!Eldorado
Antiy-AVL	Trojan[Backdoor]/Win32.BigBadWolf.a
Kingsoft	malware.kb.b.899
Microsoft	Trojan:Win32/Farfli.AW!MTB
Xcitium	TrojWare.Win32.TrojanDownloader.Redosdru.FG@6j5x7c
Arcabit	Trojan.Cud.Gen.2
ZoneAlarm	Trojan-Downloader.Win32.Agent.hgxz
GData	Win32.Trojan-Downloader.Agent.WC
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Redosdru.R147282
McAfee	GenericRXAA-AA!6A23B6E2536F
VBA32	TrojanDownloader.Agent
Cylance	unsafe
Panda	Trj/CI.A
TrendMicro-HouseCall	BKDR_ZEGOST.SM14

DNS1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All