Summary

Category	Machine	Started	Completed
ARCHIVE	s1_win7_x6403_us	Jan. 22, 2025, 5:22 p.m.	Jan. 22, 2025, 5:24 p.m.

Archive OEBPS/17_Chapter_09.xhtml @ Cuckoo.epub

Size	44.6KB
Type	HTML document, UTF-8 Unicode text, with very long lines
MD5	`9c671725f7d7b5db5c0907bbb7e5838f`
SHA1	`b34fd75c13a230fcbc97376d247c60474dff20cd`
SHA256	`c97aa5a163170f45de9da0ab6eb5a40d9c30aad18b23d2a9d70c5ffa481439e2`
SHA512	`a44a35ae64934c36fc90ccd97bdf288525fb6f27c8dc0af46ae3535c27e5a5c3605a814912a356b99d2026cf72522c3dc66a10befa9b9f8bd6c43f3eecf923cb`
CRC32	`A3076338`
ssdeep	`768:3xIMO13BKepk5wylmPiGBVmRgfVUW/0VM57rAjEt:813sep+MPiGBEgim77`
Yara	None matched

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\test22\AppData\Local\Temp\OEBPS/17_Chapter_09.xhtml.html
1492
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1492 CREDAT:145409
  2108

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
117.18.232.200	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49174 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 117.18.232.200:443 -> 192.168.56.103:49175	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 117.18.232.200:443 -> 192.168.56.103:49171	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49173 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 117.18.232.200:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Performs some HTTP requests (1 event)

request

GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml

Allocates read-write-execute memory (usually to unpack itself) (50 out of 51 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 region_size: 7081984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000027f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002eb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007725d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077282000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077264000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077282000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc7d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc7d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe4f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724a000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 1492 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 region_size: 7278592 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000025e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000772b1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007725d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077282000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077264000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077282000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc7d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefc7d5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe4f4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007feff871000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724f000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724d000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724b000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd6000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077706000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076fd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000077250000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007724a000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776df000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000776eb000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe1a7000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe494000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe491000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe496000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefe491000 process_handle: 0xffffffffffffffff	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 21, 2025, 12:25 p.m.	process_identifier: 2108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x000007fffff80000 process_handle: 0xffffffffffffffff	1	0	0

Potentially malicious URLs were found in the process memory dump (50 out of 1338 events)

url	https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url	http://uk.ask.com/favicon.ico
url	http://wwwimages.adobe.com/www.adobe.com/swf/software/flash/about/flash_about_793x170.swf
url	https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg
url	http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
url	https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F2020%2F1031%2Fupload_20063893240744871RiJjV.jpg%22
url	http://175.208.134.150:8282/test/test.eml
url	http://www.mercadolibre.com.mx/
url	http://www.iask.com/favicon.ico
url	http://ocsp.infonotary.com/responder.cgi0V
url	http://www3.fnac.com/
url	http://www.najdi.si/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/905.png
url	http://www.merlin.com.pl/favicon.ico
url	https://s.pstatic.net/static/www/mobile/edit/2020/1103/mobile_142459883835.gif
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://blogimgs.naver.net/nblog/guestbook/btn_close2.gif
url	https://ssl.pstatic.net/static/nid/login/rw_captcha01.png
url	http://www.snee.com/xml/xslt/sample.doc
url	http://www.yceml.net/0559/10408495-1499411010011
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png
url	http://t.static.blog.naver.net/mylog/versioning/nhn.keywordHighlighter-99428789.js
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22
url	https://ssl.pstatic.net/static/pwe/nm/b.gif
url	http://www.firmaprofesional.com0
url	http://search.nifty.com/
url	https://castbox.shopping.naver.com/js/lazyload.js
url	http://ns.adobe.com/exif/1.0/
url	https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url	https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url	http://www.etmall.com.tw/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	https://s.pstatic.net/dthumb.phinf/?src=%22https%3A%2F%2Fs.pstatic.net%2Fstatic%2Fwww%2Fmobile%2Fedit%2F2020%2F1021%2Fupload_19201541624342101mWI1T.jpg%22
url	http://www.buzzadnetwork.com/jump/next.php?stamat=m%7CM-4iM-4jaQdHQBH0dEdHP3xP.0e7%2CboDB7XrVJDfRqYwVNhmAc8QRCrIuseXl_bWuTf_latOFYiGEzPpb7ikp5t8RPmTHyMRYDe1i9EJZLC6LSuccW1-YPggnMxkcwVirdNVGfgK3hFUbeKvFvqNv0-u8VxfrNUFB1gFhMN_8GLCn1znxf5_p0FJe0MYRI7nbfyajoqg_H3fvzrjsMsC0vAMYn2un8v5vcBfzwM-DewoZ7WId7geGlrySfAHx5KiJ5Hm90CU%2C
url	https://s.pstatic.net/shopping.phinf/20200720_22/e2297359-375a-403a-86c5-44ff86c708fc.jpg
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	http://busca.estadao.com.br/favicon.ico
url	http://search.hanafos.com/favicon.ico
url	https://s.pstatic.net/shopping.phinf/20201103_21/701f9083-a72b-4ef6-ac1c-0daf1907c51d.jpg?type=f214_292
url	https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url	https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg
url	http://search.chol.com/favicon.ico
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png
url	http://purl.org/rss/1.0/
url	http://search.interpark.com/
url	https://www.google.com/pagead/drt/ui
url	https://s.pstatic.net/shopping.phinf/20201102_18/6131e135-0b61-4b61-86ca-480bf7612785.jpg

Yara rule detected in process memory (50 out of 75 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1492 CREDAT:145409

Communicates with host for which no DNS query was performed (1 event)

host

117.18.232.200

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (5 events)

url	http://175.208.134.150:8282/test/test.eml
url	http://175.208.134.150:8282/favicon.ico
url	http://192.168.3.119/
url	http://175.208.134.150:8282/test/exe1.zip
url	https://192.168.3.119/

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1492 resumed a thread in remote process 2108
NtResumeThread Jan. 21, 2025, 12:25 p.m.	thread_handle: 0x0000000000000370 suspend_count: 1 process_identifier: 2108	1	0	0

Archive OEBPS/17_Chapter_09.xhtml @ Cuckoo.epub

Summary

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All