Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

Summary | ZeroBOX

kz.js

Browser Login Data Stealer Generic Malware Malicious Library Downloader UPX Malicious Packer PE File OS Processor Check PE32

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 7, 2024, 1:21 p.m.	Aug. 7, 2024, 1:24 p.m.

Size	10.4MB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5	`e1e3b54f17e16c5e867a9e7ee6d196ba`
SHA256	`07b5901c21252b5d7ff5eabec26a715788954687f3f0895077b3380023599018`
CRC32	`DC1291B4`
ssdeep	`49152:Lp+LHU1WOPjbxAzaL/W3PkXI3TF+XW9q52CgY0csNx543Ze7Qlb7uxKiG3RPgZKW:y`
Yara	None matched

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\kz.js
1648
- BEl.exe "C:\Users\test22\AppData\Local\Temp\BEl.exe"
  2168
  - adobe.exe "C:\ProgramData\adobe\adobe.exe"
    2224

Name	Response	Post-Analysis Lookup
kizitodavina.duckdns.org	A 46.246.84.3	46.246.84.3

IP Address	Status	Action
164.124.101.2	Active	Moloch
46.246.84.3	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Connects to a Dynamic DNS Domain (1 event)

domain

kizitodavina.duckdns.org

A process attempted to delay the analysis task. (1 event)

description

adobe.exe tried to sleep 350 seconds, actually delayed analysis time by 350 seconds

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\BEl.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\BEl.exe

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-EYFGG7				reg_value	"C:\ProgramData\adobe\adobe.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-EYFGG7				reg_value	"C:\ProgramData\adobe\adobe.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-EYFGG7				reg_value	"C:\ProgramData\adobe\adobe.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-EYFGG7				reg_value	"C:\ProgramData\adobe\adobe.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\BEl.exe

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Aug. 7, 2024, 1:21 p.m.	thread_identifier: 0 callback_function: 0x0040a2a4 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	131541	0

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Users\test22\AppData\Local\Temp\BEl.exe"
parent_process	wscript.exe				martian_process	C:\Users\test22\AppData\Local\Temp\BEl.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

46.246.84.3:8645

The process wscript.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Users\test22\AppData\Local\Temp\BEl.exe