Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 22, 2024, 3:02 p.m.	Nov. 22, 2024, 3:09 p.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`e1cf72329542de8b3004517ee07d8371`
SHA256	`301e56052cf570110e66a429c0acc2454569ff5f966af0e809bef33eb2e02baa`
CRC32	`F87B0615`
ssdeep	`24576:AMjh1rsto5Qe38G0B/xwUBKXtqiPzeQmbDZPgWRqadRRn0dxD:z4zOZa/pBKXFLFm1gWRqadRRnqxD`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet UPX_Zero - UPX packed file mzp_file_format - MZP(Delphi) file format

FunnyJellyfish.exe "C:\Users\test22\AppData\Local\Temp\FunnyJellyfish.exe"
2568
- FunnyJellyfish.tmp "C:\Users\test22\AppData\Local\Temp\is-9TIJT.tmp\FunnyJellyfish.tmp" /SL5="$80178,1097818,140800,C:\Users\test22\AppData\Local\Temp\FunnyJellyfish.exe"
  2628
  - cmd.exe "cmd.exe" /C timeout /T 3 & "C:\Users\test22\AppData\Local\Temp\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
    2700
    - timeout.exe timeout /T 3
      2760
    - FunnyJellyfish.exe "C:\Users\test22\AppData\Local\Temp\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
      2828
      - FunnyJellyfish.tmp "C:\Users\test22\AppData\Local\Temp\is-L4CRD.tmp\FunnyJellyfish.tmp" /SL5="$10192,1097818,140800,C:\Users\test22\AppData\Local\Temp\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
        2876
        
        regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\test22\AppData\Roaming\\DelightfulCard.dll"
        2932
        
        regsvr32.exe /s /i:INSTALL "C:\Users\test22\AppData\Roaming\\DelightfulCard.dll"
        2976

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 22, 2024, 3:02 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 22, 2024, 3:02 p.m.			0	0
IsDebuggerPresent Nov. 22, 2024, 3:02 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Nov. 22, 2024, 3:02 p.m.	buffer: Waiting for 3 console_handle: 0x00000007	1	1	0
WriteConsoleW Nov. 22, 2024, 3:02 p.m.	buffer: seconds, press a key to continue ... console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 22, 2024, 3:02 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.itext

Allocates read-write-execute memory (usually to unpack itself) (12 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 22, 2024, 3:02 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:02 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:02 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 53248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:02 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:02 p.m.	process_identifier: 2628 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:02 p.m.	process_identifier: 2628 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:02 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:02 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 90112 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:02 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 53248 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00420000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:02 p.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 22, 2024, 3:02 p.m.	process_identifier: 2876 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bc2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 22, 2024, 3:02 p.m.	process_identifier: 2876 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-U9E68.tmp\_isetup\_shfoldr.dll
file	C:\Users\test22\AppData\Local\Temp\is-M7VFQ.tmp\_isetup\_shfoldr.dll

Creates a suspicious process (2 events)

cmdline	"cmd.exe" /C timeout /T 3 & "C:\Users\test22\AppData\Local\Temp\FunnyJellyfish.exe" /VERYSILENT /SUPPRESSMSGBOXES
cmdline	"regsvr32.exe" /s /i:INSTALL "C:\Users\test22\AppData\Roaming\\DelightfulCard.dll"

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\is-L4CRD.tmp\FunnyJellyfish.tmp
file	C:\Users\test22\AppData\Local\Temp\is-U9E68.tmp\_isetup\_shfoldr.dll

Queries for potentially installed applications (6 events)

Time & API	Arguments	Return
RegOpenKeyExW Nov. 22, 2024, 3:02 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1	2
RegOpenKeyExW Nov. 22, 2024, 3:02 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1	2
RegOpenKeyExW Nov. 22, 2024, 3:02 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1	2
RegOpenKeyExW Nov. 22, 2024, 3:02 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1	2
RegOpenKeyExW Nov. 22, 2024, 3:02 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1	2
RegOpenKeyExW Nov. 22, 2024, 3:02 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000008 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1	2

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Skyhigh	BehavesLike.Win32.Dropper.tc
CrowdStrike	win/grayware_confidence_70% (W)
Elastic	malicious (moderate confidence)
ESET-NOD32	a variant of Win64/Kryptik.ESM
Kaspersky	UDS:DangerousObject.Multi.Generic
Rising	Trojan.Kryptik!8.8 (CLOUD)
TrendMicro	Trojan.Win32.AMADEY.YXEKVZ
McAfeeD	ti!301E56052CF5
Sophos	Generic Reputation PUA (PUA)
Google	Detected
Kingsoft	Win32.Troj.Unknown.a
GData	Win32.Malware.Donut.62A4OA
McAfee	Artemis!E1CF72329542
Ikarus	Win32.Outbreak
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXEKVZ
Fortinet	Malicious_Behavior.SB
Paloalto	generic.ml
alibabacloud	Trojan:Win/Kryptik.EBO

FunnyJellyfish.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All