Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 22, 2024, 5:18 p.m.	Sept. 22, 2024, 5:51 p.m.

Size	102.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`d42e570ec9cf6757af9fbd23f251bdbc`
SHA256	`05659d0fc78d1c952a81863433e7d9cc1570d84e931d19ff5a771627e77c8e1a`
CRC32	`4F5719B9`
ssdeep	`3072:/dCkuIzYSve0+BYJC+mcg5ARtOd/nV2aSQbWe:/dCfIBve0+BYJ/mj5A/Y2ahK`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

66e571613a5a3_Server.exe "C:\Users\test22\AppData\Local\Temp\66e571613a5a3_Server.exe"
1540

Name	Response	Post-Analysis Lookup
win.ust.cx	A 154.91.34.235	154.91.34.235
www.ipip.net	CNAME www.ipip.net.cdn.cloudflare.net A 104.22.30.153 A 172.67.22.102 A 104.22.31.153	172.67.22.102
luoyefeihua.site
en.ipip.net	A 104.22.30.153 CNAME en.ipip.net.cdn.cloudflare.net A 172.67.22.102 A 104.22.31.153	104.22.30.153
downapp.baidu.com	CNAME opencdnbaidugdownpack.jomodns.com CNAME downapp.baidu.com.a.bdydns.com A 60.190.116.35	60.190.116.35

IP Address	Status	Action
104.22.30.153	Active	Moloch
104.22.31.153	Active	Moloch
154.91.34.235	Active	Moloch
164.124.101.2	Active	Moloch
60.190.116.35	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 104.22.30.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49165 -> 104.22.31.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49164 104.22.30.153:443	C=US, O=Google Trust Services, CN=WR1	CN=www.ipip.net	5e:e0:4c:ad:06:35:8e:83:c1:b4:04:49:a7:cf:48:a8:e1:aa:f5:38
TLSv1 192.168.56.103:49165 104.22.31.153:443	C=US, O=Google Trust Services, CN=WR1	CN=en.ipip.net	40:22:3a:4f:77:4e:be:5b:e5:5a:f3:1e:14:9a:12:eb:20:ed:f3:68

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 22, 2024, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 22, 2024, 5:18 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Sept. 22, 2024, 5:18 p.m.	computer_name: TEST22-PC	1	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (4 events)

request	GET http://downapp.baidu.com/
request	GET http://downapp.baidu.com/appsearch/AndroidPhone/1.0.65.172/1/1012271b/20171027150542/appsearch_AndroidPhone_1-0-65-172_1012271b.apk?responseContentDisposition=attachment%3Bfilename%3D%22appsearch_AndroidPhone_v8.0.3%281.0.65.172%29_1012271b.apk%22&responseContentType=application%2Fvnd.android.package-archive&request_id=1516457256_8032127161&type=dynamic
request	GET https://www.ipip.net/
request	GET https://en.ipip.net/

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\test.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\test.exe

Executes one or more WMI queries (1 event)

wmi	Select MACAddress From Win32_NetworkAdapter Where ((MACAddress Is Not NULL) AND (Manufacturer <> 'Microsoft'))

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00019200', u'virtual_address': u'0x00044000', u'entropy': 7.928825616339337, u'name': u'UPX1', u'virtual_size': u'0x0001a000'}

entropy

7.92882561634

description

A section with a high entropy has been found

entropy

0.99504950495

description

Overall entropy of this PE file is high

The executable is compressed using UPX (3 events)

section	UPX0	description	Section name indicates UPX
section	UPX1	description	Section name indicates UPX
section	UPX2	description	Section name indicates UPX

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bootcon66e571613a5a3_Server.exe

reg_value

C:\Users\test22\AppData\Local\Temp\66e571613a5a3_Server.exe

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

File has been identified by 61 AntiVirus engines on VirusTotal as malicious (50 out of 61 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.BlackMoon.4!c
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Injuke
Skyhigh	BehavesLike.Win32.Generic.cc
ALYac	Gen:Variant.Application.Graftor.799690
Cylance	Unsafe
VIPRE	Gen:Variant.Application.Graftor.799690
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (D)
BitDefender	Gen:Variant.Application.Graftor.799690
K7GW	Trojan ( 005930da1 )
K7AntiVirus	Trojan ( 005930da1 )
Arcabit	Trojan.Application.Graftor.DC33CA
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win32/Packed.BlackMoon.A suspicious
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
ClamAV	Win.Dropper.Tiggre-9845940-0
Kaspersky	HEUR:Trojan.Win32.Injuke.vho
Alibaba	Trojan:Win32/Injuke.81ca9389
NANO-Antivirus	Trojan.Win32.Graftor.hfiybo
MicroWorld-eScan	Gen:Variant.Application.Graftor.799690
Rising	Trojan.Blamon!8.E8FB (TFE:5:4rHQxiKfRp)
Emsisoft	Gen:Variant.Application.Graftor.799690 (B)
F-Secure	Trojan.TR/Dropper.Gen
DrWeb	Trojan.Siggen18.26977
Zillya	Trojan.Injuke.Win32.360
TrendMicro	TROJ_GEN.R002C0DIK24
McAfeeD	Real Protect-LS!D42E570EC9CF
Trapmine	malicious.high.ml.score
CTX	exe.trojan.generic
Sophos	Mal/Generic-S
Ikarus	Trojan.Win32.CoinMiner
FireEye	Generic.mg.d42e570ec9cf6757
Jiangmin	Trojan.APosT.aed
Google	Detected
Avira	TR/Dropper.Gen
Antiy-AVL	Trojan/Win32.C2Lop
Kingsoft	Win32.Trojan.Injuke.vho
Gridinsoft	Trojan.Win32.Agent.sa
Microsoft	Trojan:Win32/C2Lop.C
ViRobot	Trojan.Win.Z.Graftor.104448
ZoneAlarm	HEUR:Trojan.Win32.Injuke.vho
GData	Win32.Trojan.Agent.WP
Varist	W32/BlackMoon.DD.gen!Eldorado
AhnLab-V3	Trojan/Win32.C2Lop.R342429
McAfee	GenericRXAA-AA!D42E570EC9CF
DeepInstinct	MALICIOUS

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.103:49167
dead_host	154.91.34.235:8080

66e571613a5a3_Server.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All