Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 12, 2025, 2:31 p.m.	Jan. 12, 2025, 2:34 p.m.

Size	491.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`a40e4a8aaf476b3d9997d05489f87c2a`
SHA256	`df60b74ff96bb320d1cf8d1a511c56bae2ca8d94ebb6566eca7b51c3521c0171`
CRC32	`17B8E81F`
ssdeep	`6144:GpoMkequERu8qQ1fjYMMW9eKZH+IdISTUL24qL9cPKcPzR2RP6lZv:oDR+u8pfjYMMWNvdhUSByFPztv`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

beacon_x86.exe "C:\Users\test22\AppData\Local\Temp\beacon_x86.exe"
2056
- cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\BEACON~1.EXE > nul
  2192
  - PING.EXE ping -n 2 127.0.0.1
    2312

Name	Response	Post-Analysis Lookup
chuanqi.ydns.eu	A 122.10.119.64	122.10.119.64
hzh.0xox0xox0.com

IP Address	Status	Action
122.10.119.64	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 12, 2025, 2:31 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 12, 2025, 2:31 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff		3221225713	0
NtProtectVirtualMemory Jan. 12, 2025, 2:31 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 344064 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1016d000 process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (6 events)

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0007af18

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0007af18

size

0x00000468

name

RT_ICON

language

LANG_CHINESE

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0007af18

size

0x00000468

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0007b380

size

0x00000022

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0007b380

size

0x00000022

name

RT_MANIFEST

language

LANG_CHINESE

filetype

XML 1.0 document text

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0007b3a8

size

0x0000028b

Creates a service (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceA Jan. 12, 2025, 2:31 p.m.	service_start_name: start_type: 2 password: display_name: Gwogwo Hxpgxpgx Qhyphyph Aqiy filepath: C:\Program Files\Jbrja.exe -auto service_name: Jbrjar Kbskb filepath_r: C:\\Program Files\\Jbrja.exe -auto desired_access: 18 service_handle: 0x0086b708 error_control: 0 service_type: 16 service_manager_handle: 0x0086b6b8	1	8828680	0

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\BEACON~1.EXE > nul

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\beacon_x86.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0006b000', u'virtual_address': u'0x00001000', u'entropy': 7.79080369509675, u'name': u'.data', u'virtual_size': u'0x0006afce'}

entropy

7.7908036951

description

A section with a high entropy has been found

entropy

0.873469387755

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	ping -n 2 127.0.0.1
cmdline	C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\test22\AppData\Local\Temp\BEACON~1.EXE > nul

Installs itself for autorun at Windows startup (1 event)

service_name

Jbrjar Kbskb

service_path

C:\Program Files\Jbrja.exe -auto

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2056 resumed a thread in remote process 2192
NtResumeThread Jan. 12, 2025, 2:31 p.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 2192	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

122.10.119.64:10086

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 events)

Bkav	W32.AIDetectMalware
MicroWorld-eScan	Dump:Generic.KillMBR.A.BFFADF29
CTX	exe.unknown.dump
CAT-QuickHeal	Backdoor.GenericRI.S22015472
Skyhigh	BehavesLike.Win32.FakeAVSecurityTool.gc
ALYac	Dump:Generic.KillMBR.A.BFFADF29
Cylance	Unsafe
VIPRE	Dump:Generic.KillMBR.A.BFFADF29
Sangfor	Suspicious.Win32.Save.ins
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Backdoor:Win32/Farfli.0e50a659
K7GW	Trojan ( 0055d49e1 )
K7AntiVirus	Trojan ( 0055d49e1 )
Arcabit	Dump:Generic.KillMBR.A.BFFADF29
VirIT	Trojan.Win32.Genus.XLY
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Farfli.DBU
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	Backdoor.Win32.Farfli.byde
BitDefender	Dump:Generic.KillMBR.A.BFFADF29
NANO-Antivirus	Trojan.Win32.Farfli.joxpfl
Rising	Backdoor.Farfli!1.E02F (CLASSIC)
Emsisoft	Dump:Generic.KillMBR.A.BFFADF29 (B)
F-Secure	Trojan.TR/Crypt.XPACK.Gen
DrWeb	BackDoor.Farfli.147
Zillya	Trojan.Farfli.Win32.40702
McAfeeD	Real Protect-LS!A40E4A8AAF47
Trapmine	malicious.high.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.a40e4a8aaf476b3d
Jiangmin	Backdoor.Generic.cknp
Webroot	Win.Trojan.Farfli
Google	Detected
Avira	TR/Crypt.XPACK.Gen
Antiy-AVL	Trojan/Win32.Farfli
Kingsoft	Win32.Hack.Generic.a
Microsoft	Backdoor:Win32/Farfli!pz
GData	Dump:Generic.KillMBR.A.BFFADF29
AhnLab-V3	Trojan/Win.Farfli.C4702709
McAfee	GenericRXRR-WJ!A40E4A8AAF47
DeepInstinct	MALICIOUS
VBA32	BScope.Backdoor.Farfli
Malwarebytes	MachineLearning/Anomalous.97%
Ikarus	Trojan.Win32.Hrup
Tencent	Malware.Win32.Gencirc.10bd087c
huorong	Backdoor/Farfli.bq
Fortinet	W32/GenKryptik.DJUZ!tr

beacon_x86.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All