Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 1, 2024, 9:19 a.m.	July 1, 2024, 9:21 a.m.

Size	259.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`f9f5342074462fa1048fea806eef535f`
SHA256	`5d87bd723f8267c3c0bef75f2b502321c518ac6a09696f3971ace53d0ba505cd`
CRC32	`84D19DD5`
ssdeep	`6144:r+k9IKKJPa1DyKHC055swEUkezQ12rqyFWaiwV:ik9IKKJip9C0kmzQ12rqyQaX`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Generic_Malware_Zero - Generic Malware

TQ.jpg.exe "C:\Users\test22\AppData\Local\Temp\TQ.jpg.exe"
3048
- MSSQLH.exe C:\Users\test22\AppData\Local\Temp\MSSQLH.exe
  932

Name	Response	Post-Analysis Lookup
www.362-com.com	A 1.226.84.135	1.226.84.135
web.362-com.com	A 110.11.158.238	110.11.158.238
opendata.baidu.com	CNAME open.a.shifen.com A 45.113.194.189 A 45.113.194.127	45.113.194.189
download.microsoft.com	A 23.219.69.110 CNAME download.microsoft.com.edgekey.net CNAME dlc-shim.trafficmanager.net CNAME e12671.dscd.akamaiedge.net CNAME main.dl.ms.akadns.net	23.199.6.55
members.3322.org	CNAME members.3322.net A 118.184.169.48	118.184.169.48
down.ftp21.cc	A 119.203.212.165	119.203.212.165
www.4i7i.com	A 1.226.84.135	1.226.84.135
ipv6-api.iproyal.com
ssl.ftp21.cc	CNAME cl-gl6dcaf7d1.gcdn.co A 31.184.207.62	31.184.207.62
gtxvdqvuweqs.com	A 16.162.201.176	16.162.201.176
api.iproyal.com	A 93.189.62.83 A 193.228.196.69	193.228.196.69

IP Address	Status	Action
1.226.84.135	Active	Moloch
110.11.158.238	Active	Moloch
118.184.169.48	Active	Moloch
119.203.212.165	Active	Moloch
16.162.201.176	Active	Moloch
164.124.101.2	Active	Moloch
18.163.3.159	Active	Moloch
193.228.196.69	Active	Moloch
23.219.69.110	Active	Moloch
31.184.207.62	Active	Moloch
31.222.226.20	Active	Moloch
45.113.194.189	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:62846 -> 164.124.101.2:53	2027758	ET DNS Query for .cc TLD	Potentially Bad Traffic
TCP 31.184.207.62:80 -> 192.168.56.102:49164	2026537	ET HUNTING Suspicious EXE Download Content-Type image/jpeg	Potential Corporate Privacy Violation
TCP 31.184.207.62:80 -> 192.168.56.102:49164	2022053	ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2	A Network Trojan was detected
TCP 31.184.207.62:80 -> 192.168.56.102:49164	2023672	ET MALWARE JS/WSF Downloader Dec 08 2016 M4	A Network Trojan was detected
UDP 192.168.56.102:56630 -> 8.8.8.8:53	2012171	ET INFO DYNAMIC_DNS Query to 3322.org Domain	Misc activity
TCP 192.168.56.102:49372 -> 192.168.0.207:445	2001569	ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection	Misc activity
UDP 192.168.56.102:50014 -> 164.124.101.2:53	2027758	ET DNS Query for .cc TLD	Potentially Bad Traffic
TCP 119.203.212.165:80 -> 192.168.56.102:50256	2026537	ET HUNTING Suspicious EXE Download Content-Type image/jpeg	Potential Corporate Privacy Violation
TCP 192.168.56.102:51913 -> 192.168.0.74:1433	2001583	ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection	Misc activity
TCP 192.168.56.102:56369 -> 192.168.0.209:135	2001581	ET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection	Misc activity
TCP 192.168.56.102:54811 -> 192.168.6.155:445	2001569	ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection	Misc activity
TCP 192.168.56.102:63245 -> 192.168.12.148:1433	2001583	ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:51901 193.228.196.69:443	C=US, O=Let's Encrypt, CN=E5	CN=api.iproyal.com	75:ce:fc:4e:72:d9:c8:06:65:40:3b:ca:5a:f6:97:bf:df:c3:e8:ae
TLS 1.2 192.168.56.102:50293 193.228.196.69:443	C=US, O=Let's Encrypt, CN=E5	CN=api.iproyal.com	75:ce:fc:4e:72:d9:c8:06:65:40:3b:ca:5a:f6:97:bf:df:c3:e8:ae
TLSv1 192.168.56.102:50115 23.219.69.110:443	C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 08	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=akamai.download.microsoft.com	2c:c1:3d:3d:70:5a:9a:56:25:7c:d3:41:93:bc:76:f2:78:8b:81:63

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	Connection to IP address				suspicious_request	GET http://118.184.169.48/dyndns/getip
suspicious_features	Connection to IP address				suspicious_request	GET http://45.113.194.189/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8

Connects to a Dynamic DNS Domain (1 event)

domain

members.3322.org

Performs some HTTP requests (8 events)

request	GET http://ssl.ftp21.cc/MpMgDLL.jpg
request	GET http://ssl.ftp21.cc/MpMgSvc.jpg
request	GET http://118.184.169.48/dyndns/getip
request	GET http://45.113.194.189/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8
request	GET http://ssl.ftp21.cc/Hooks.jpg
request	GET http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe
request	GET http://down.ftp21.cc/64.jpg
request	GET http://down.ftp21.cc/Update.txt

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x000ce05c

size

0x000002e4

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\MSSQLH.exe
file	C:\Windows\Logs\RunDllExe.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\MSSQLH.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (32 events)

Time & API	Arguments	Status	Return
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: smss.exe process_identifier: 228	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 584	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 656	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 740	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 796	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: audiodg.exe process_identifier: 916	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 1000	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: spoolsv.exe process_identifier: 1036	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 1080	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: dwm.exe process_identifier: 1208	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: taskhost.exe process_identifier: 1352	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 1432	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: IMEDICTUPDATE.EXE process_identifier: 1492	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 1908	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: pw.exe process_identifier: 1200	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: SearchIndexer.exe process_identifier: 736	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: SearchProtocolHost.exe process_identifier: 1364	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: mobsync.exe process_identifier: 2440	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: tvnserver.exe process_identifier: 2588	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: tvnserver.exe process_identifier: 2664	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: pw.exe process_identifier: 2696	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: wsqmcons.exe process_identifier: 2752	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: sdclt.exe process_identifier: 2772	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: taskhost.exe process_identifier: 2864	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: cmd.exe process_identifier: 2956	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: conhost.exe process_identifier: 2964	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: pw.exe process_identifier: 3020	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: TQ.jpg.exe process_identifier: 3048	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: MSSQLH.exe process_identifier: 932	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: svchost.exe process_identifier: 2228	1	1
Process32NextW July 1, 2024, 9:19 a.m.	snapshot_handle: 0x00000104 process_name: svch禸Vt. process_identifier: 934		0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00040200', u'virtual_address': u'0x0008d000', u'entropy': 7.93453844052451, u'name': u'UPX1', u'virtual_size': u'0x00041000'}

entropy

7.93453844052

description

A section with a high entropy has been found

entropy

0.994186046512

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Connects to an IRC server, possibly part of a botnet

Communicates with host for which no DNS query was performed (2 events)

host	18.163.3.159
host	31.222.226.20

Generates some ICMP traffic

Disables Windows Security features (1 event)

description

attempts to modify windows defender policies

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware

File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Scar.lpjJ
Elastic	malicious (moderate confidence)
Cynet	Malicious (score: 99)
CAT-QuickHeal	Ransom.Genasom.16527
Skyhigh	BehavesLike.Win32.Generic.dc
ALYac	Gen:Variant.Application.Babar.18581
Cylance	Unsafe
VIPRE	Gen:Variant.Application.Babar.18581
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	CryptoMiner ( 00593f811 )
Alibaba	Exploit:Win64/CVE-2021-1675.713aff85
K7GW	CryptoMiner ( 00593f811 )
Cybereason	malicious.074462
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/CoinMiner.CIB
APEX	Malicious
McAfee	FE_HackTool_Win_JAYPOTATO_1
Paloalto	generic.ml
ClamAV	Win.Dropper.Tiggre-9845940-0
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.Application.Babar.18581
NANO-Antivirus	Trojan.Win32.JuicyPotato.kpccps
MicroWorld-eScan	Gen:Variant.Application.Babar.18581
Rising	HackTool.JuicyPotato!1.BD74 (CLOUD)
Emsisoft	Gen:Variant.Application.Babar.18581 (B)
F-Secure	Heuristic.HEUR/AGEN.1369711
DrWeb	Trojan.Siggen28.55597
Zillya	Trojan.CoinMiner.Win32.52039
McAfeeD	Real Protect-LS!F9F534207446
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.f9f5342074462fa1
Sophos	Mal/Generic-S
Ikarus	Trojan.WinGo.Ranumbot
Google	Detected
Avira	HEUR/AGEN.1369711
Antiy-AVL	Trojan/Win32.Blamon.a
Kingsoft	Win32.Trojan.Generic.a
Gridinsoft	Trojan.Win32.CoinMiner.sa
Xcitium	Packed.Win32.MUPX.Gen@24tbus
Arcabit	Trojan.Application.Babar.D4895
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Win32.Trojan.PSE.11N2JTZ
Varist	W32/ABRisk.POED-2097
BitDefenderTheta	Gen:NN.ZexaF.36808.qmKfa89emHkb
DeepInstinct	MALICIOUS
VBA32	BScope.Backdoor.BlackMoon
Malwarebytes	Trojan.BitCoinMiner
TrendMicro-HouseCall	TrojanSpy.Win32.BLACKMOON.YXEFVZ
Tencent	Malware.Win32.Gencirc.140f9f19

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (50 out of 450 events)

dead_host	192.168.18.152:445
dead_host	192.168.18.209:445
dead_host	192.168.3.122:135
dead_host	192.168.12.249:445
dead_host	192.168.12.148:445
dead_host	192.168.10.151:445
dead_host	192.168.18.238:445
dead_host	192.168.13.26:445
dead_host	192.168.14.220:445
dead_host	192.168.14.173:445
dead_host	192.168.16.5:445
dead_host	192.168.16.63:445
dead_host	192.168.7.199:445
dead_host	192.168.14.102:445
dead_host	192.168.12.141:445
dead_host	192.168.10.61:445
dead_host	192.168.13.31:445
dead_host	192.168.13.32:445
dead_host	192.168.14.111:445
dead_host	192.168.18.195:445
dead_host	192.168.14.134:445
dead_host	192.168.20.79:445
dead_host	192.168.11.215:445
dead_host	192.168.10.39:445
dead_host	192.168.14.1:445
dead_host	192.168.19.23:445
dead_host	192.168.10.139:445
dead_host	192.168.56.102:52427
dead_host	192.168.13.252:445
dead_host	192.168.18.198:445
dead_host	192.168.14.241:445
dead_host	192.168.13.253:445
dead_host	192.168.12.234:445
dead_host	192.168.13.20:445
dead_host	192.168.16.25:445
dead_host	192.168.13.21:445
dead_host	192.168.10.209:445
dead_host	192.168.3.253:445
dead_host	192.168.13.11:445
dead_host	192.168.19.18:445
dead_host	192.168.13.36:445
dead_host	192.168.10.163:445
dead_host	192.168.10.156:445
dead_host	192.168.16.187:445
dead_host	192.168.13.30:445
dead_host	192.168.7.203:445
dead_host	192.168.7.218:445
dead_host	192.168.16.57:445
dead_host	192.168.5.163:445
dead_host	192.168.7.227:445

TQ.jpg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All