Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 2, 2024, 7:36 a.m.	Jan. 2, 2024, 7:38 a.m.

Size	100.0KB
Type	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, with debug_info, not stripped
MD5	`ba8542b6e1f1e16090485a52b989ce3d`
SHA256	`b1044204587a76f22658c2a43379b7d093512e2fda64e62ddec4faf278991e71`
CRC32	`E3EACFAC`
ssdeep	`1536:xfRuqNM5h7t/RiRt4nFphaQoRKzO6F6OXj6ufeRTe:OqN8jRiRGphaQoRKzO6F6OXGufcTe`
Yara	IsELF - Executable and Linking Format executable file (Linux/Unix)

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "BTJFljOzyfeskw" C:\Users\test22\AppData\Local\Temp\fuckjewishpeople.sparc
1800
- rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\test22\AppData\Local\Temp\fuckjewishpeople.sparc
  2156
  - editplus.exe "editplus.exe"
    2700
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 2, 2024, 7:37 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Jan. 2, 2024, 7:37 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 2, 2024, 7:36 a.m.			0	0
IsDebuggerPresent Jan. 2, 2024, 7:37 a.m.			0	0

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	c:\program files\mozilla firefox\firefox.exe

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 2, 2024, 7:36 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74490000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 2, 2024, 7:36 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 2, 2024, 7:36 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74381000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 2, 2024, 7:36 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74501000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 2, 2024, 7:36 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x740a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 2, 2024, 7:36 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74351000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 2, 2024, 7:36 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 2, 2024, 7:36 a.m.	process_identifier: 2156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726e1000 process_handle: 0xffffffff	1

Creates a shortcut to an executable file (14 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013\Word 2013.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Jan. 2, 2024, 7:37 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Jan. 2, 2024, 7:37 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Jan. 2, 2024, 7:37 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Jan. 2, 2024, 7:37 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Jan. 2, 2024, 7:37 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Jan. 2, 2024, 7:37 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Jan. 2, 2024, 7:37 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Jan. 2, 2024, 7:37 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Attempts to modify browser security settings (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\EDITPLUS.EXE

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Lionic	Trojan.Linux.Mirai.K!c
Elastic	Linux.Trojan.Gafgyt
MicroWorld-eScan	Gen:Variant.Trojan.Linux.Gafgyt.9
FireEye	Gen:Variant.Trojan.Linux.Gafgyt.9
Skyhigh	Linux/Mirai.au
ALYac	Gen:Variant.Trojan.Linux.Gafgyt.9
K7GW	Password-Stealer ( 0040f0aa1 )
Arcabit	Trojan.Trojan.Linux.Gafgyt.9
BitDefenderTheta	Gen:NN.Mirai.36608
VirIT	Linux.BackDoor.Fgt.CDP
Symantec	Linux.Lightaidra!g1
ESET-NOD32	a variant of Linux/Gafgyt.AXJ
TrendMicro-HouseCall	Backdoor.Linux.GAFGYT.SMMR2
Avast	ELF:Agent-AYQ [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Backdoor.Linux.Gafgyt.bj
BitDefender	Gen:Variant.Trojan.Linux.Gafgyt.9
Rising	Backdoor.Gafgyt/Linux!1.C997 (CLASSIC)
Sophos	Linux/DDoS-BI
F-Secure	Exploit.EXP/ELF.Mirai.Gen.Z.A
DrWeb	Linux.Siggen.9999
VIPRE	Gen:Variant.Trojan.Linux.Gafgyt.9
TrendMicro	Backdoor.Linux.GAFGYT.SMMR2
Emsisoft	Gen:Variant.Trojan.Linux.Gafgyt.9 (B)
Ikarus	Trojan.Linux.Gafgyt
Avast-Mobile	ELF:Gafgyt-KS [Trj]
Jiangmin	Backdoor.Linux.foby
Varist	E32/Gafgyt.AU.gen!Camelot
Avira	EXP/ELF.Mirai.Gen.Z.A
Antiy-AVL	Trojan/Linux.Mirai.a
Kingsoft	elf.Mirai.2002004
Gridinsoft	Malware.U.Gafgyt.tr
Microsoft	Backdoor:Linux/DemonBot.Aa!MTB
ZoneAlarm	HEUR:Backdoor.Linux.Gafgyt.bj
GData	Gen:Variant.Trojan.Linux.Gafgyt.9
Google	Detected
McAfee	Linux/Mirai.au
MAX	malware (ai score=86)
Tencent	Linux.Backdoor.Gafgyt.Zolw
Fortinet	ELF/Gafgyt.ARN!tr
AVG	ELF:Agent-AYQ [Trj]

fuckjewishpeople.sparc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All