Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | July 3, 2024, 6:36 p.m. | July 3, 2024, 6:39 p.m. |
PID | Command line |
---|---|
612 | netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
2184 | netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
2252 | netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add policy name=Block |
2324 | netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1 |
2400 | netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP |
284 | netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP |
1596 | netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP |
1044 | netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block |
1220 | netsh.exe "C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1 |
2532 | netsh.exe "C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y |
IP Address | Status | Action |
---|---|---|
1.226.84.135 | Active | Moloch |
104.26.13.205 | Active | Moloch |
110.11.158.238 | Active | Moloch |
118.184.169.48 | Active | Moloch |
119.203.212.165 | Active | Moloch |
16.162.161.106 | Active | Moloch |
16.162.201.176 | Active | Moloch |
164.124.101.2 | Active | Moloch |
211.108.60.155 | Active | Moloch |
218.57.129.51 | Active | Moloch |
45.113.194.127 | Active | Moloch |
51.161.196.188 | Active | Moloch |
59.151.136.153 | Active | Moloch |
93.189.62.83 | Active | Moloch |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.102:49914 59.151.136.153:443 | C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 08 | C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=akamai.download.microsoft.com | 2c:c1:3d:3d:70:5a:9a:56:25:7c:d3:41:93:bc:76:f2:78:8b:81:63 |
TLS 1.2 192.168.56.102:50161 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23 |
TLS 1.2 192.168.56.102:51926 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23 |
TLS 1.2 192.168.56.102:54901 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23 |
TLS 1.2 192.168.56.102:51838 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23 |
TLS 1.2 192.168.56.102:54395 93.189.62.83:443 | C=US, O=Let's Encrypt, CN=E5 | CN=api.iproyal.com | 80:b8:bd:29:30:c8:ef:b5:55:c7:42:e5:cf:b8:4a:0e:ec:00:59:23 |
suspicious_features | Connection to IP address | suspicious_request | GET http://118.184.169.48/dyndns/getip |
suspicious_features | Connection to IP address | suspicious_request | GET http://45.113.194.127/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8 |
suspicious_features | GET method with no useragent header, Connection to IP address | suspicious_request | GET http://16.162.161.106:8080/api/node/ip_validate |
domain | members.3322.org |
request | GET http://down.ftp21.cc/445.jpg |
request | GET http://hook.ftp21.cc/MpMgSvc.dll |
request | GET http://hook.ftp21.cc/MpMgSvc.jpg |
request | GET http://118.184.169.48/dyndns/getip |
request | GET http://45.113.194.127/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8 |
request | GET http://hook.ftp21.cc/Hooks.jpg |
request | GET http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe |
request | GET http://ssl.ftp21.cc/64.jpg |
request | GET http://down.ftp21.cc/Update.txt |
request | GET http://16.162.161.106:8080/api/node/ip_validate |
name | RT_VERSION | language | LANG_CHINESE | filetype | data | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | offset | 0x0001f05c | size | 0x000003fc |
domain | api.ipify.org |
file | C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe |
section | UPX1 | virtual_address | 0x00014000 | virtual_size | 0x0000b000 | size_of_data | 0x0000ac00 | entropy | 7.9247492476299195 | description | A section with a high entropy has been found |
entropy | 0.966292134831 | description | Overall entropy of this PE file is high |
section | UPX0 | description | Section name indicates UPX |
section | UPX1 | description | Section name indicates UPX |
cmdline | netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP |
cmdline | netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP |
cmdline | netsh.exe ipsec static add policy name=Block |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP |
cmdline | netsh.exe ipsec static add filterlist name=Filter1 |
cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | netsh.exe ipsec static add filteraction name=FilteraAtion1 action=block |
cmdline | netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP |
cmdline | netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add policy name=Block |
cmdline | netsh.exe ipsec static set policy name=Block assign=y |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static set policy name=Block assign=y |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP |
cmdline | netsh.exe ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1 |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filterlist name=Filter1 |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add rule name=Rule1 policy=Block filterlist=Filter1 filteraction=FilteraAtion1 |
cmdline | "C:\Windows\System32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block |
host | 16.162.161.106 |
host | 51.161.196.188 |
service_name | clr_optimization_v3.0.30317_32 | service_path | C:\Windows\Microsoft.Net\Framework\v3.5\mscorsvw.exe |
cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=out program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | netsh.exe advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
cmdline | "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Microsoft.Net" dir=in program="C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe" action=allow |
Bkav | W32.AIDetectMalware |
Elastic | malicious (moderate confidence) |
Cynet | Malicious (score: 100) |
CAT-QuickHeal | Trojan.Aksula.A |
Cylance | Unsafe |
VIPRE | Gen:Heur.Mint.Zard.30 |
Sangfor | Suspicious.Win32.Save.a |
K7AntiVirus | Trojan ( 0040f7ad1 ) |
K7GW | Trojan ( 0040f7ad1 ) |
Cybereason | malicious.029337 |
Baidu | Win32.Trojan.Farfli.bg |
ESET-NOD32 | a variant of Win32/Farfli.JU |
APEX | Malicious |
BitDefender | Gen:Heur.Mint.Zard.30 |
MicroWorld-eScan | Gen:Heur.Mint.Zard.30 |
Rising | Backdoor.Farfli!1.B6C5 (CLASSIC) |
Emsisoft | Gen:Heur.Mint.Zard.30 (B) |
F-Secure | Trojan.TR/Crypt.FKM.Gen |
DrWeb | Trojan.Siggen28.63607 |
McAfeeD | Real Protect-LS!1953C9702933 |
Trapmine | malicious.moderate.ml.score |
FireEye | Generic.mg.1953c97029337ec0 |
Sophos | Mal/Behav-160 |
Ikarus | Backdoor.Win32.Zegost |
Avira | TR/Crypt.FKM.Gen |
Kingsoft | malware.kb.b.958 |
Xcitium | Backdoor.Win32.Zegost.c@4m3x9i |
Arcabit | Trojan.Mint.Zard.30 |
ZoneAlarm | VHO:Backdoor.Win32.Lotok.gen |
Varist | W32/KillAV.AU.gen!Eldorado |
AhnLab-V3 | Trojan/Win32.OnlineGameHack.R2023 |
BitDefenderTheta | AI:Packer.8EFBDF1C1F |
DeepInstinct | MALICIOUS |
VBA32 | BScope.TrojanDDoS.Macri |
MAX | malware (ai score=87) |
MaxSecure | Trojan.Malware.300983.susgen |
Fortinet | W32/Farfli.PZA!tr |
CrowdStrike | win/malicious_confidence_100% (D) |
alibabacloud | Backdoor:Win/Parite.C |
dead_host | 192.168.3.119:445 |
dead_host | 192.168.12.223:445 |
dead_host | 192.168.1.84:445 |
dead_host | 192.168.15.160:445 |
dead_host | 192.168.12.215:445 |
dead_host | 192.168.0.224:445 |
dead_host | 192.168.3.160:445 |
dead_host | 192.168.16.99:445 |
dead_host | 192.168.12.140:445 |
dead_host | 192.168.0.173:445 |
dead_host | 192.168.3.123:445 |
dead_host | 192.168.1.59:445 |
dead_host | 192.168.0.87:445 |
dead_host | 192.168.16.80:445 |
dead_host | 192.168.15.140:445 |
dead_host | 192.168.1.101:445 |
dead_host | 192.168.0.84:445 |
dead_host | 192.168.16.149:445 |
dead_host | 192.168.12.212:445 |
dead_host | 192.168.0.90:445 |
dead_host | 192.168.16.22:445 |
dead_host | 192.168.12.138:445 |
dead_host | 192.168.56.102:52244 |
dead_host | 192.168.0.229:445 |
dead_host | 192.168.12.251:445 |
dead_host | 192.168.0.101:445 |
dead_host | 192.168.0.249:445 |
dead_host | 192.168.3.1:445 |
dead_host | 192.168.12.252:445 |
dead_host | 192.168.16.86:445 |
dead_host | 192.168.0.246:445 |
dead_host | 192.168.16.68:445 |
dead_host | 192.168.16.5:445 |
dead_host | 192.168.16.73:445 |
dead_host | 192.168.15.235:445 |
dead_host | 192.168.16.63:445 |
dead_host | 192.168.16.155:445 |
dead_host | 192.168.16.126:445 |
dead_host | 192.168.0.141:445 |
dead_host | 192.168.0.197:445 |
dead_host | 192.168.16.47:445 |
dead_host | 192.168.3.120:445 |
dead_host | 192.168.3.122:135 |
dead_host | 192.168.1.14:445 |
dead_host | 192.168.0.29:445 |
dead_host | 192.168.16.161:445 |
dead_host | 192.168.0.132:445 |
dead_host | 192.168.16.3:445 |
dead_host | 192.168.1.66:445 |
dead_host | 192.168.56.102:50067 |