Report - ZeroBOX

ScreenShot

Info
Location map


Created	2024.07.03 18:41	Machine	s1_win7_x6402
Filename	wmi.jpg.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
AI Score	9	Behavior Score	11.2
ZERO API	file : malware
VT API (file)	40 detected (AIDetectMalware, malicious, moderate confidence, score, Aksula, Unsafe, Mint, Zard, Save, Farfli, CLASSIC, Siggen28, Real Protect, moderate, Behav, Zegost, Detected, c@4m3x9i, Lotok, KillAV, Eldorado, OnlineGameHack, R2023, BScope, TrojanDDoS, Macri, ai score=87, susgen, confidence, 100%, Parite)
md5	1953c97029337ec04a8d4b69911d843f
sha256	cd8c11ec94b74fd3357e4b9ed00dfb2c1d94d9b1bba9f6fc4d6c415aa8437b96
ssdeep	768:XKm1dZvlQNI897NooQ7l6f6VW+Y5/gtp/Xy8QcXa6953qWJKQtACa:XKIdZdQC4NS7wjfQp/Xy8pa67qNQqv
imphash	d386d846ec8bc17cdf65ba35a0ab134d
impfuzzy	3:swBJAEPw1MO/OywS9KTXzhAXwEQaxRGU3LbK1dV:dBJAEoZ/OEGDzyR5Lb2X

Network IP location

Signature (21cnts)

Level	Description
danger	Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger	File has been identified by 40 AntiVirus engines on VirusTotal as malicious
warning	Generates some ICMP traffic
watch	Communicates with host for which no DNS query was performed
watch	Connects to an IRC server
watch	Installs itself for autorun at Windows startup
watch	Operates on local firewall's policies and settings
notice	A process created a hidden window
notice	Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice	Connects to a Dynamic DNS Domain
notice	Creates a service
notice	Creates executable files on the filesystem
notice	Foreign language identified in PE resource
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Looks up the external IP address
notice	Performs some HTTP requests
notice	The binary likely contains encrypted or compressed data indicative of a packer
notice	The executable is compressed using UPX
notice	Uses Windows utilities for basic Windows functionality
info	Checks amount of memory in system
info	Command line console output was observed

Rules (6cnts)

Level	Name	Description	Collection
watch	UPX_Zero	UPX packed file	binaries (download)
watch	UPX_Zero	UPX packed file	binaries (upload)
info	IsPE32	(no description)	binaries (download)
info	IsPE32	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (download)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (37cnts) ?

Request	ASN Co	IP4	ZERO ?
http://118.184.169.48/dyndns/getip whois	AS Number for CHINANET jiangsu province backbone	118.184.169.48	clean
http://16.162.161.106:8080/api/node/ip_validate whois		16.162.161.106	clean
http://ssl.ftp21.cc/64.jpg whois	CHINA UNICOM China169 Backbone	218.57.129.51	clean
http://down.ftp21.cc/445.jpg whois	PONYNET	107.189.29.100	malware
http://download.microsoft.com/download/E/4/1/E4173890-A24A-4936-9FC9-AF930FE3FA40/NDP461-KB3102436-x86-x64-AllOS-ENU.exe whois	AKAMAI-AS	72.247.96.197	clean
http://hook.ftp21.cc/MpMgSvc.dll whois	SK Broadband Co Ltd	211.108.60.155	mailcious
http://down.ftp21.cc/Update.txt whois	PONYNET	107.189.29.100	mailcious
http://45.113.194.127/api.php?query=175.208.134.152&co=&resource_id=6006&oe=utf8 whois	Beijing Baidu Netcom Science and Technology Co., Ltd.	45.113.194.127	clean
http://hook.ftp21.cc/Hooks.jpg whois	SK Broadband Co Ltd	211.108.60.155	malware
http://hook.ftp21.cc/MpMgSvc.jpg whois	SK Broadband Co Ltd	211.108.60.155	malware
gtxvdqvuweqs.com whois		16.162.201.176	mailcious
members.3322.org whois	AS Number for CHINANET jiangsu province backbone	118.184.169.48	clean
down.ftp21.cc whois	PONYNET	107.189.29.100	malware
ipv6-api.iproyal.com whois			clean
api.ipify.org whois	CLOUDFLARENET	172.67.74.152	clean
download.microsoft.com whois	AKAMAI-AS	72.247.96.197	clean
hook.ftp21.cc whois	SK Broadband Co Ltd	211.108.60.155	malware
api6.my-ip.io whois			clean
www.362-com.com whois	SK Broadband Co Ltd	1.226.84.135	clean
web.362-com.com whois	SK Broadband Co Ltd	110.11.158.238	clean
opendata.baidu.com whois	Beijing Baidu Netcom Science and Technology Co., Ltd.	45.113.194.189	clean
www.4i7i.com whois	SK Broadband Co Ltd	1.226.84.135	clean
api.iproyal.com whois	Melbikomas UAB	93.189.62.83	clean
ssl.ftp21.cc whois	SK Broadband Co Ltd	211.108.60.155	malware
16.162.161.106 whois		16.162.161.106	clean
104.26.13.205 whois	CLOUDFLARENET	104.26.13.205	clean
211.108.60.155 whois	SK Broadband Co Ltd	211.108.60.155	malware
59.151.136.153 whois	AKAMAI-AS	59.151.136.153	clean
51.161.196.188 whois		51.161.196.188	clean
45.113.194.127 whois	Beijing Baidu Netcom Science and Technology Co., Ltd.	45.113.194.127	clean
16.162.201.176 whois		16.162.201.176	mailcious
1.226.84.135 whois	SK Broadband Co Ltd	1.226.84.135	clean
218.57.129.51 whois	CHINA UNICOM China169 Backbone	218.57.129.51	clean
93.189.62.83 whois	Melbikomas UAB	93.189.62.83	clean
118.184.169.48 whois	AS Number for CHINANET jiangsu province backbone	118.184.169.48	clean
110.11.158.238 whois	SK Broadband Co Ltd	110.11.158.238	clean
119.203.212.165 whois	Korea Telecom	119.203.212.165	malware

Suricata ids

PE API

IAT(Import Address Table) Library

KERNEL32.DLL
0x41f4a8 LoadLibraryA
0x41f4ac ExitProcess
0x41f4b0 GetProcAddress
0x41f4b4 VirtualProtect
MSVCRT.dll
0x41f4bc exit
SHELL32.dll
0x41f4c4 None

EAT(Export Address Table) is none

Report - wmi.jpg.exe

Signature (21cnts)

Rules (6cnts)

Network (37cnts) ?

Suricata ids

PE API

Similarity measure (PE file only) - Checking for service failure