Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 22, 2025, 5:19 p.m.	Jan. 22, 2025, 5:21 p.m.

Size	116.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`170766dd706bef08f2d36bb530ea2ac6`
SHA256	`b11ef309a0b65e448d06275293b125714f6a9a796eed61aba45b70eca4ec9176`
CRC32	`08EAD0BC`
ssdeep	`3072:XzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HILx:XLV6Bta6dtJmakIM5I`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) IsPE32 - (no description)

jij.exe "C:\Users\test22\AppData\Local\Temp\jij.exe"
2548

Name	Response	Post-Analysis Lookup
mim.no-ip.net

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:52815 -> 8.8.4.4:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:53850 -> 8.8.4.4:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:58297 -> 8.8.4.4:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:61950 -> 164.124.101.2:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:54148 -> 8.8.4.4:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:51901 -> 8.8.4.4:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:53381 -> 8.8.4.4:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:52797 -> 8.8.8.8:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:57081 -> 8.8.4.4:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:49278 -> 8.8.8.8:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:49209 -> 8.8.8.8:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:55146 -> 8.8.8.8:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:57986 -> 8.8.8.8:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:58166 -> 8.8.8.8:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:58887 -> 8.8.8.8:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:61500 -> 8.8.8.8:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:61775 -> 8.8.4.4:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:59002 -> 8.8.8.8:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:58120 -> 8.8.4.4:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:54883 -> 8.8.8.8:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:52753 -> 8.8.8.8:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:54915 -> 8.8.4.4:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:53767 -> 8.8.4.4:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:56334 -> 8.8.8.8:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic
UDP 192.168.56.101:58269 -> 8.8.4.4:53	2013743	ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Jan. 21, 2025, 5:55 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 21, 2025, 5:55 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 21, 2025, 5:55 p.m.		1	1	0

Connects to a Dynamic DNS Domain (1 event)

domain

mim.no-ip.net

Allocates read-write-execute memory (usually to unpack itself) (50 out of 63 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00453000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00454000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00456000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x709a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00466000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00458000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00585000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04be0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00459000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d0e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 21, 2025, 5:55 p.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

jij.exe tried to sleep 303 seconds, actually delayed analysis time by 303 seconds

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00000400', u'virtual_address': u'0x00022000', u'entropy': 6.991299250236704, u'name': u'.rsrc', u'virtual_size': u'0x00000308'}

entropy

6.99129925024

description

A section with a high entropy has been found

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Jan. 21, 2025, 5:55 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host

reg_value

C:\Program Files (x86)\SMTP Host\smtphost.exe

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\jij.exe:Zone.Identifier

File has been identified by 64 AntiVirus engines on VirusTotal as malicious (50 out of 64 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.mhUN
tehtris	Generic.Malware
CAT-QuickHeal	Trojan.Orbus.C3
Skyhigh	BehavesLike.Win32.Generic.ch
ALYac	Backdoor.MSIL.Agent.GD
Cylance	Unsafe
VIPRE	Backdoor.MSIL.Agent.GD
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.75486749
K7GW	Trojan ( 005b2a921 )
K7AntiVirus	Trojan ( 005b2a921 )
Arcabit	Backdoor.MSIL.Agent.GD
VirIT	Trojan.Win32.DownLoader12.BSON
Symantec	Trojan.Nancrat
Elastic	Windows.Trojan.Nanocore
ESET-NOD32	MSIL/NanoCore.E
APEX	Malicious
Avast	MSIL:NanoCore-B [Trj]
ClamAV	Win.Trojan.NanoCore-9852758-0
Kaspersky	Trojan.MSIL.Agent.fpar
Alibaba	Malware:Win32/Dorpal.ali1000029
NANO-Antivirus	Trojan.Win32.NanoBot.hmqoyu
MicroWorld-eScan	Trojan.GenericKD.75486749
Rising	Backdoor.NanoCore!1.B6F9 (CLASSIC)
Emsisoft	Trojan.NanoCore (A)
F-Secure	Trojan.TR/Dropper.MSIL.Gen7
DrWeb	Trojan.Nanocore.23
TrendMicro	BKDR_NOANCOOE.SMUPS
McAfeeD	Real Protect-LS!170766DD706B
Trapmine	malicious.high.ml.score
CTX	exe.trojan.nanocore
Sophos	Troj/NanoCor-BT
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.170766dd706bef08
Jiangmin	Backdoor.Generic.zwu
Webroot	Trojan.Nano.Core
Google	Detected
Avira	TR/Dropper.MSIL.Gen7
Antiy-AVL	GrayWare/MSIL.NanoCore.a
Kingsoft	malware.kb.c.1000
Gridinsoft	Trojan.Win32.NanoCore.tr
Xcitium	Backdoor.MSIL.Noancooe.JDE@5s4u9t
Microsoft	Backdoor:MSIL/Nanocore!atmn
ViRobot	Backdoor.Win32.NanoCore.Gen.A
GData	MSIL.Backdoor.Nancat.A
Varist	W32/NanoCore.C.gen!Eldorado
AhnLab-V3	Win-Trojan/Nanocore.Exp
McAfee	GenericRXAA-CZ!170766DD706B

jij.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All