Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6403_us | Sept. 4, 2024, 10:04 a.m. | Sept. 4, 2024, 10:20 a.m. |
Process | Command line | PID |
---|---|---|
66d5df681876c_file010924.exe#file | "C:\Users\test22\AppData\Local\Temp\66d5df681876c_file010924.exe#file" | 2092 |
66d5df681876c_file010924.exe#file | "C:\Users\test22\AppData\Local\Temp\66d5df681876c_file010924.exe#file" | 2252 |
icacls.exe | icacls "C:\Users\test22\AppData\Local\58f98ec2-5925-4d0d-b77e-48e1e6b4fa00" /deny *S-1-1-0:(OI)(CI)(DE,DC) | 2352 |

The icacls call adds a deny ACE for Everyone (well-known SID S-1-1-0) covering DE (delete) and DC (delete child), inherited by files (OI) and subfolders (CI), on the GUID-named folder under %LOCALAPPDATA%. This is the same folder the Run key entry in this report launches from, so the persisted copy cannot be deleted by any account until the deny ACE is removed; an administrator can strip it with icacls on that folder using /remove:d *S-1-1-0.
Name | Response | Post-Analysis Lookup |
---|---|---|
cajgtus.com | 186.145.236.93 | |
api.2ip.ua | 172.67.139.220 | |
Suricata Alerts
Flow | SID | Signature | Category |
---|---|---|---|
UDP 192.168.56.103:50800 -> 164.124.101.2:53 | 2027026 | ET POLICY External IP Address Lookup DNS Query (2ip .ua) | Device Retrieving External IP Address Detected |
TCP 192.168.56.103:49164 -> 172.67.139.220:443 | 2033214 | ET INFO Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) | Potentially Bad Traffic |
TCP 192.168.56.103:49164 -> 172.67.139.220:443 | 906200054 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
TCP 192.168.56.103:49169 -> 186.233.231.45:80 | 2002400 | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) | A Network Trojan was detected |
TCP 192.168.56.103:49169 -> 186.233.231.45:80 | 2036334 | ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key | A Network Trojan was detected |
TCP 186.233.231.45:80 -> 192.168.56.103:49169 | 2036335 | ET MALWARE Win32/Filecoder.STOP Variant Public Key Download | A Network Trojan was detected |
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLSv1 192.168.56.103:49164 -> 172.67.139.220:443 | C=US, O=Google Trust Services, CN=WE1 | CN=2ip.ua | 28:d2:72:b5:5a:32:4a:f4:cf:5d:4f:69:77:19:d4:af:98:e8:0a:8b |
Signature detail | Value |
---|---|
resource name | AFX_DIALOG_LAYOUT |
request | GET http://cajgtus.com/test1/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true |
request | GET https://api.2ip.ua/geo.json |
url | http://www.openssl.org/support/faq.html |

Scope | Entropy | Description |
---|---|---|
.text section (virtual address 0x00001000, virtual size 0x000a0f6a, size of raw data 0x000a1000) | 7.9247 bits/byte | A section with a high entropy has been found |
Whole file | 0.7941 (sandbox 0..1 scale, not bits per byte) | Overall entropy of this PE file is high |

A .text section at 7.92 of a possible 8 bits per byte is effectively compressed or encrypted rather than plain x86 code: the code that actually runs is unpacked at runtime, so static strings and imports of this file describe the packer stub, not the payload.
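Added example, not code from the sandbox or from this report: Shannon entropy in bits per byte as applied to PE sections, with a small triage that mirrors the two entropy signatures above. The 7.0 threshold, the high-entropy-bytes ratio and the sample sections are assumptions constructed for this example; the sandbox's exact formula for its file-level figure is not shown on the page.

```python
# Added example (not part of the sandbox report): Shannon entropy of PE
# section bytes and a packer triage modelled on the two entropy signatures.
import hashlib
import math
from collections import Counter

HIGH_SECTION_ENTROPY = 7.0  # assumed triage threshold; the report's .text scored 7.92


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte: 0.0 (constant) .. 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(name: str, data: bytes,
                     threshold: float = HIGH_SECTION_ENTROPY) -> dict:
    """Per-section verdict: a section near 8 bits/byte is compressed or
    encrypted, which is what packers and crypters produce."""
    h = shannon_entropy(data)
    return {"name": name, "size": len(data), "entropy": round(h, 4),
            "high_entropy": h >= threshold}


def triage_sections(sections) -> dict:
    """`sections` is an iterable of (name, raw_bytes). Returns the per-section
    verdicts plus the fraction of file bytes that sit in high-entropy sections
    (an assumed 0..1 file-level measure, not the sandbox's own formula)."""
    verdicts = [classify_section(n, d) for n, d in sections]
    total = sum(v["size"] for v in verdicts)
    packed = sum(v["size"] for v in verdicts if v["high_entropy"])
    return {"sections": verdicts,
            "high_entropy_ratio": packed / total if total else 0.0}


# Constructed sample sections (not bytes taken from the analysed file):
#   PLAIN  - a repeated x86 function prologue: ten distinct byte values,
#            about 3.25 bits/byte, typical of unpacked code
#   PACKED - deterministic pseudo-random bytes (SHA-256 chain) standing in
#            for a packed .text, close to 8 bits/byte
#   ZEROS  - padding, entropy 0
PLAIN = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08" * 300
PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
ZEROS = bytes(2048)
SAMPLE_SECTIONS = [(".text", PACKED), (".data", PLAIN), (".rsrc", ZEROS)]

if __name__ == "__main__":
    result = triage_sections(SAMPLE_SECTIONS)
    for v in result["sections"]:
        flag = "HIGH" if v["high_entropy"] else "ok"
        print(f'{v["name"]:6} {v["size"]:6d} bytes  {v["entropy"]:.4f} bits/byte  {flag}')
    print(f'high-entropy ratio: {result["high_entropy_ratio"]:.4f}')
```

To apply this to a real file, read each section's raw bytes (pefile's `section.get_data()` gives them) and pass the (name, bytes) pairs to triage_sections; a .text section flagged HIGH, as in this report, means the executable code must be captured from memory after unpacking rather than read from disk.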
Description | Yara rule |
---|---|
Communications over RAW Socket | Network_TCP_Socket |
Communication using DGA | Network_DGA |
Match Windows Http API call | Str_Win32_Http_API |
Take ScreenShot | ScreenShot |
PWS Memory | Generic_PWS_Memory_Zero |
Communications use DNS | Network_DNS |
(no description) | DebuggerCheck__GlobalFlags |
(no description) | DebuggerCheck__QueryInfo |
(no description) | DebuggerHiding__Thread |
(no description) | DebuggerHiding__Active |
(no description) | DebuggerException__SetConsoleCtrl |
(no description) | ThreadControl__Context |
(no description) | SEH__vectored |
Checks if being debugged | anti_dbg |
Bypass DEP | disable_dep |
Match Windows Inet API call | Str_Win32_Internet_API |
Registry key | Value |
---|---|
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper | "C:\Users\test22\AppData\Local\58f98ec2-5925-4d0d-b77e-48e1e6b4fa00\66d5df681876c_file010924.exe#file" --AutoStart |

The autorun value relaunches a copy of the sample with --AutoStart from the GUID folder 58f98ec2-5925-4d0d-b77e-48e1e6b4fa00 under %LOCALAPPDATA%, the same folder the icacls process in this report protected with a deny-delete ACE for Everyone. Removing the persistence therefore takes two steps: strip the deny ACE from the folder, then delete the Run value and the folder.
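Added example, not code from the sandbox or from this report: regex triage rules for the three host-side behaviours recorded above (the icacls deny on the %LOCALAPPDATA% GUID folder, the HKCU Run value with --AutoStart, and the get.php?pid=...&first=true request), run over constructed sandbox-style events. The event dictionary layout, the rule names and the benign look-alike events are assumptions made for this example; the indicator values in the malicious events are copied from this report.

```python
# Added example (not part of the sandbox report): regex triage for the
# icacls / Run key / get.php behaviours recorded in this analysis.
import re

# %LOCALAPPDATA%\<guid> as matched in command lines and registry data
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
GUID_DIR = r"\\AppData\\Local\\" + GUID

RULES = {
    # icacls adding a deny ACE for Everyone (S-1-1-0) on the GUID folder
    "icacls_deny_everyone_guid_dir": re.compile(
        r"\bicacls\b.*" + GUID_DIR + r".*\s/deny\s+\*S-1-1-0:", re.I),
    # HKCU ...\CurrentVersion\Run value launching a binary from that folder
    # with the --AutoStart switch
    "run_key_autostart_guid_dir": re.compile(
        r"\\CurrentVersion\\Run\\[^\s=]+\s*=\s*.*" + GUID_DIR + r".*--AutoStart\b", re.I),
    # first-contact request shape seen in this report: get.php?pid=<32 hex>&first=true
    "http_get_php_pid_first": re.compile(
        r"/get\.php\?pid=[0-9a-f]{32}&first=true\b", re.I),
}


def event_text(ev: dict) -> str:
    """Flatten one event (assumed layout) into the string the rules inspect."""
    kind = ev.get("type")
    if kind == "process":
        return ev["cmdline"]
    if kind == "registry":
        return f'{ev["key"]} = {ev["data"]}'
    if kind == "http":
        return f'{ev["method"]} {ev["url"]}'
    return ""


def match_event(ev: dict) -> list:
    """Names of the rules that fire on a single event, sorted."""
    text = event_text(ev)
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def triage(events) -> dict:
    """Map rule name -> list of matching events over a whole event stream."""
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(name, []).append(ev)
    return hits


# Constructed events: the three indicators from this report, plus benign
# look-alikes (a normal icacls grant, an ordinary Run value, a plain GET)
MALICIOUS_EVENTS = [
    {"type": "process", "pid": 2352,
     "cmdline": r'icacls "C:\Users\test22\AppData\Local\58f98ec2-5925-4d0d-b77e-48e1e6b4fa00" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"type": "registry",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     "data": r'"C:\Users\test22\AppData\Local\58f98ec2-5925-4d0d-b77e-48e1e6b4fa00\66d5df681876c_file010924.exe#file" --AutoStart'},
    {"type": "http", "method": "GET",
     "url": "http://cajgtus.com/test1/get.php?pid=06280D9CD13939E9B7E95CDCAA6A83CC&first=true"},
]
BENIGN_EVENTS = [
    {"type": "process", "pid": 4100,
     "cmdline": r'icacls "C:\Temp\build" /grant BUILTIN\Users:(OI)(CI)RX'},
    {"type": "registry",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\test22\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "http", "method": "GET", "url": "https://www.example.com/index.php?id=1"},
]

if __name__ == "__main__":
    for name, evs in triage(MALICIOUS_EVENTS + BENIGN_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

Each rule is deliberately narrow (the GUID folder under AppData\Local, the literal Everyone SID, the 32-hex pid parameter) so that routine icacls or Run key activity does not fire; widen them only with a matching allowlist for the benign cases they would then catch.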