Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 4, 2024, 10:04 a.m.	Sept. 4, 2024, 10:20 a.m.

Size	812.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7972b08246e568495d9d116fc2d0b159`
SHA256	`2a6c90c8db27e6ac04c7e339dfe4b3c2d47a292bcf6fc1c5b4e0ae62fc81ff84`
CRC32	`8905731B`
ssdeep	`24576:60oeRhL4Zihw/WaRupypku1ADMH0h0kT:60J482RuRuQMm`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

66d5df681876c_file010924.exe#file "C:\Users\test22\AppData\Local\Temp\66d5df681876c_file010924.exe#file"
2092
- 66d5df681876c_file010924.exe#file "C:\Users\test22\AppData\Local\Temp\66d5df681876c_file010924.exe#file"
  2252
  - icacls.exe icacls "C:\Users\test22\AppData\Local\58f98ec2-5925-4d0d-b77e-48e1e6b4fa00" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    2352

Name	Response	Post-Analysis Lookup
cajgtus.com	A 186.145.236.93 A 189.181.24.20 A 210.182.29.70 A 186.233.231.45 A 191.191.224.16 A 93.103.167.123 A 186.101.193.110 A 189.163.63.251 A 109.175.29.39 A 189.163.178.82	186.145.236.93
api.2ip.ua	A 104.21.65.24 A 172.67.139.220	172.67.139.220

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.139.220	Active	Moloch
186.233.231.45	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2027026	ET POLICY External IP Address Lookup DNS Query (2ip .ua)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49164 -> 172.67.139.220:443	2033214	ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI)	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 172.67.139.220:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 186.233.231.45:80	2002400	ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 186.233.231.45:80	2036334	ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key	A Network Trojan was detected
TCP 186.233.231.45:80 -> 192.168.56.103:49169	2036335	ET MALWARE Win32/Filecoder.STOP Variant Public Key Download	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49164 172.67.139.220:443	C=US, O=Google Trust Services, CN=WE1	CN=2ip.ua	28:d2:72:b5:5a:32:4a:f4:cf:5d:4f:69:77:19:d4:af:98:e8:0a:8b

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 4, 2024, 10:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 4, 2024, 10:05 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 4, 2024, 10:04 a.m.			0	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AFX_DIALOG_LAYOUT

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET http://cajgtus.com/test1/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true
request	GET https://api.2ip.ua/geo.json

Allocates read-write-execute memory (usually to unpack itself) (3 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 2092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 593920 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e90000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 2092 region_size: 1159168 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 2252 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a1000', u'virtual_address': u'0x00001000', u'entropy': 7.924714226500884, u'name': u'.text', u'virtual_size': u'0x000a0f6a'}

entropy

7.9247142265

description

A section with a high entropy has been found

entropy

0.794081381011

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (1 event)

url	http://www.openssl.org/support/faq.html

Yara rule detected in process memory (16 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 2252 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper

reg_value

"C:\Users\test22\AppData\Local\58f98ec2-5925-4d0d-b77e-48e1e6b4fa00\66d5df681876c_file010924.exe#file" --AutoStart

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 4, 2024, 10:04 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2252 process_handle: 0x00000080	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2092 called NtSetContextThread to modify thread in remote process 2252
NtSetContextThread Sept. 4, 2024, 10:04 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2252	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2092 resumed a thread in remote process 2252
NtResumeThread Sept. 4, 2024, 10:04 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2252	1	0	0

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls "C:\Users\test22\AppData\Local\58f98ec2-5925-4d0d-b77e-48e1e6b4fa00" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Executed a process and injected code into it, probably while unpacking (8 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Sept. 4, 2024, 10:04 a.m.	thread_identifier: 2256 thread_handle: 0x0000007c process_identifier: 2252 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\66d5df681876c_file010924.exe#file track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\66d5df681876c_file010924.exe#file" filepath_r: C:\Users\test22\AppData\Local\Temp\66d5df681876c_file010924.exe#file stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000080	1	1
NtGetContextThread Sept. 4, 2024, 10:04 a.m.	thread_handle: 0x0000007c	1	0
NtUnmapViewOfSection Sept. 4, 2024, 10:04 a.m.	base_address: 0x00400000 region_size: 4096 process_identifier: 2252 process_handle: 0x00000080	1	0
NtAllocateVirtualMemory Sept. 4, 2024, 10:04 a.m.	process_identifier: 2252 region_size: 1273856 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000080	1	0
WriteProcessMemory Sept. 4, 2024, 10:04 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2252 process_handle: 0x00000080	1	1
NtSetContextThread Sept. 4, 2024, 10:04 a.m.	registers.eip: 2005598660 registers.esp: 1638384 registers.edi: 0 registers.eax: 4342081 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000007c process_identifier: 2252	1	0
NtResumeThread Sept. 4, 2024, 10:04 a.m.	thread_handle: 0x0000007c suspend_count: 1 process_identifier: 2252	1	0
CreateProcessInternalW Sept. 4, 2024, 10:04 a.m.	thread_identifier: 2356 thread_handle: 0x00000314 process_identifier: 2352 current_directory: filepath: track: 1 command_line: icacls "C:\Users\test22\AppData\Local\58f98ec2-5925-4d0d-b77e-48e1e6b4fa00" /deny *S-1-1-0:(OI)(CI)(DE,DC) filepath_r: stack_pivoted: 0 creation_flags: 72 (DETACHED_PROCESS\|IDLE_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000004fc	1	1

File has been identified by 58 AntiVirus engines on VirusTotal as malicious (50 out of 58 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Chapak.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Chapak
Skyhigh	BehavesLike.Win32.Lockbit.cc
ALYac	Gen:Variant.Zusy.558534
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.558534
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Trojan ( 005a60081 )
BitDefender	Gen:Variant.Zusy.558534
K7GW	Trojan ( 005a60081 )
Arcabit	Trojan.Zusy.D885C6
VirIT	Trojan.Win32.Genus.WJV
Symantec	Packed.Generic.620
ESET-NOD32	a variant of Win32/GenKryptik.HBDP
APEX	Malicious
McAfee	Artemis!7972B08246E5
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packer.pkr_ce1a-9980177-0
Kaspersky	HEUR:Trojan.Win32.Chapak.gen
Alibaba	Trojan:Win32/Chapak.b3749a94
MicroWorld-eScan	Gen:Variant.Zusy.558534
Rising	Malware.Obscure!1.A3BB (CLASSIC)
Emsisoft	Gen:Variant.Zusy.558534 (B)
F-Secure	Trojan.TR/Kryptik.qmzpl
DrWeb	Trojan.Siggen29.34715
TrendMicro	Ransom.Win32.STOP.YXEIBZ
McAfeeD	Real Protect-LS!7972B08246E5
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.7972b08246e56849
Sophos	Troj/Krypt-AIW
SentinelOne	Static AI - Malicious PE
Jiangmin	Trojan.PSW.Tepfer.nod
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Kryptik.qmzpl
MAX	malware (ai score=87)
Kingsoft	Win32.Trojan.Chapak.gen
Gridinsoft	Ransom.Win32.STOP.tr
Microsoft	Trojan:Win32/GCleaner.KGF!MTB
ZoneAlarm	HEUR:Trojan.Win32.Chapak.gen
GData	Win32.Trojan.PSE.1CBIMJW
Varist	W32/Kryptik.MIZ.gen!Eldorado
AhnLab-V3	Trojan/Win.Hpgen.R662980
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.MalPack.GS
Ikarus	Trojan.Win32.Glupteba
Panda	Trj/GdSda.A

66d5df681876c_file010924.exe#file

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All