Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 1, 2024, 10:45 a.m.	July 1, 2024, 10:45 a.m.

Size	45.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`3d3aedfaeaf39544ff74fe6fe4541fc2`
SHA256	`d0a798b5e7ef375f640e4f4f2329a8e40c6ea4d9f65ce63d513fc1b00ad1da71`
CRC32	`9CAA3147`
ssdeep	`768:XQ7R4nqTvoV22QbyMhOk9w+wRGtVEhq8C5eIdp5b4Fk0v5za:w4nVV22Q+mO0wrwVEUdpaFjv5G`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

wmi.jpg.exe "C:\Users\test22\AppData\Local\Temp\wmi.jpg.exe"
2564
- netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
  2632
- netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
  2684
- netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add policy name=Block
  2740
- netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1
  2796
- netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
  2852
- netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
  2916
- netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
  2976
- netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
  3032
- netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
  2056
- netsh.exe "C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y
  2104

Name	Response	Post-Analysis Lookup
www.4i7i.com	A 1.226.84.135	1.226.84.135

IP Address	Status	Action
1.226.84.135	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (4 events)

Time & API	Arguments	Status	Return
WriteConsoleA July 1, 2024, 10:45 a.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA July 1, 2024, 10:45 a.m.	buffer: Ok. console_handle: 0x00000007	1	1
WriteConsoleA July 1, 2024, 10:45 a.m.	buffer: ERR IPsec[05010] : console_handle: 0x00000007	1	1
WriteConsoleA July 1, 2024, 10:45 a.m.	buffer: FilterList with name 'Filter1' already exists console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 1, 2024, 10:45 a.m.		1	1	0

Foreign language identified in PE resource (1 event)

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0001f05c

size

0x000003fc

Creates executable files on the filesystem (1 event)

file	C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA July 1, 2024, 10:45 a.m.	service_start_name: start_type: 2 password: display_name: .NET Runtime Optimization Service v3.0.30317_X86 filepath: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe service_name: clr_optimization_v3.0.30317_32 filepath_r: C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe desired_access: 983551 service_handle: 0x00549bf8 error_control: 1 service_type: 16 service_manager_handle: 0x005499f0	1	5544952	0

A process created a hidden window (10 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 1, 2024, 10:45 a.m.	show_type: 0 filepath_r: netsh.exe parameters: advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow filepath: netsh.exe	1	1
ShellExecuteExW July 1, 2024, 10:45 a.m.	show_type: 0 filepath_r: netsh.exe parameters: advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow filepath: netsh.exe	1	1
ShellExecuteExW July 1, 2024, 10:45 a.m.	show_type: 0 filepath_r: netsh.exe parameters: ipsec static add policy name=Block filepath: netsh.exe	1	1
ShellExecuteExW July 1, 2024, 10:45 a.m.	show_type: 0 filepath_r: netsh.exe parameters: ipsec static add filterlist name=Filter1 filepath: netsh.exe	1	1
ShellExecuteExW July 1, 2024, 10:45 a.m.	show_type: 0 filepath_r: netsh.exe parameters: ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP filepath: netsh.exe	1	1
ShellExecuteExW July 1, 2024, 10:45 a.m.	show_type: 0 filepath_r: netsh.exe parameters: ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP filepath: netsh.exe	1	1
ShellExecuteExW July 1, 2024, 10:45 a.m.	show_type: 0 filepath_r: netsh.exe parameters: ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP filepath: netsh.exe	1	1
ShellExecuteExW July 1, 2024, 10:45 a.m.	show_type: 0 filepath_r: netsh.exe parameters: ipsec static add filteraction name=FilteraAtion1 action=block filepath: netsh.exe	1	1
ShellExecuteExW July 1, 2024, 10:45 a.m.	show_type: 0 filepath_r: netsh.exe parameters: ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1 filepath: netsh.exe	1	1
ShellExecuteExW July 1, 2024, 10:45 a.m.	show_type: 0 filepath_r: netsh.exe parameters: ipsec static set policy name=Block assign=y filepath: netsh.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory July 1, 2024, 10:45 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 69632 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0000ac00', u'virtual_address': u'0x00014000', u'entropy': 7.924912120479621, u'name': u'UPX1', u'virtual_size': u'0x0000b000'}

entropy

7.92491212048

description

A section with a high entropy has been found

entropy

0.966292134831

description

Overall entropy of this PE file is high

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Uses Windows utilities for basic Windows functionality (20 events)

cmdline	netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
cmdline	netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
cmdline	netsh.exe ipsec static add policy name=Block
cmdline	"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
cmdline	netsh.exe ipsec static add filterlist name=Filter1
cmdline	"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline	netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline	netsh.exe ipsec static add filteraction name=FilteraAtion1 action=block
cmdline	netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
cmdline	netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline	"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline	"C:\Windows\System32\netsh.exe" ipsec static add policy name=Block
cmdline	netsh.exe ipsec static set policy name=Block assign=y
cmdline	"C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y
cmdline	"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
cmdline	netsh.exe ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
cmdline	"C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1
cmdline	"C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
cmdline	"C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1
cmdline	"C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block

Installs itself for autorun at Windows startup (1 event)

service_name

clr_optimization_v3.0.30317_32

service_path

C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe

Operates on local firewall's policies and settings (4 events)

cmdline	"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline	netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline	netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow
cmdline	"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow

File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Farfli.4!c
Elastic	malicious (moderate confidence)
MicroWorld-eScan	Gen:Heur.Mint.Zard.30
CAT-QuickHeal	Trojan.Aksula.A
Skyhigh	BehavesLike.Win32.Generic.pc
McAfee	Artemis!3D3AEDFAEAF3
Cylance	Unsafe
VIPRE	Gen:Heur.Mint.Zard.30
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 0040f7ad1 )
BitDefender	Gen:Heur.Mint.Zard.30
K7GW	Trojan ( 0040f7ad1 )
Cybereason	malicious.aeaf39
Arcabit	Trojan.Mint.Zard.30
Baidu	Win32.Trojan.Farfli.bg
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/Farfli.JU
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Cynet	Malicious (score: 100)
Kaspersky	UDS:Trojan.Win32.Generic
Alibaba	Backdoor:Win32/Zegost.24e518cf
Rising	Backdoor.Farfli!1.B6C5 (CLOUD)
Emsisoft	Gen:Heur.Mint.Zard.30 (B)
F-Secure	Trojan.TR/Crypt.FKM.Gen
DrWeb	Trojan.Siggen28.63414
Zillya	Trojan.Farfli.Win32.91278
TrendMicro	TROJ_GEN.R002C0DFL24
McAfeeD	Real Protect-LS!3D3AEDFAEAF3
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.3d3aedfaeaf39544
Sophos	Mal/Behav-160
Ikarus	Backdoor.Win32.Zegost
Jiangmin	Trojan.Generic.hoagb
Google	Detected
Avira	TR/Crypt.FKM.Gen
Antiy-AVL	Trojan/Win32.Farfli
Kingsoft	malware.kb.b.888
Gridinsoft	Trojan.Win32.Agent.sa
Xcitium	Backdoor.Win32.Zegost.c@4m3x9i
Microsoft	Backdoor:Win32/Zegost!pz
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Gen:Heur.Mint.Zard.30
Varist	W32/KillAV.AU.gen!Eldorado
AhnLab-V3	Backdoor/Win.NG.R582744
BitDefenderTheta	AI:Packer.BC223D901F
DeepInstinct	MALICIOUS
VBA32	BScope.TrojanDDoS.Macri
Malwarebytes	Trojan.Farfli.UPX

wmi.jpg.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All