| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| McAfee | GenericRXKJ-CY!56CA13666918 | 20201229 | 6.0.6.653 |
| Alibaba | Trojan:Win32/DropperX.0c93e499 | 20190527 | 0.3.0.5 |
| Baidu | 20190318 | 1.0.0.2 | |
| Avast | Win32:DropperX-gen [Drp] | 20201228 | 21.1.5827.0 |
| Tencent | Malware.Win32.Gencirc.115a925f | 20201229 | 1.0.0.1 |
| Kingsoft | Win32.Heur.KVM003.a.(kcloud) | 20201229 | 2017.9.26.565 |
| CrowdStrike | win/malicious_confidence_60% (W) | 20190702 | 1.0 |
| pdb_path | D:\workspace\workspace_c\Fjgolgg\Release\Fjgolgg.pdb |
| resource name | PPP |
| suspicious_features | POST method with no referer header | suspicious_request | POST http://hfuie32.2ihsfa.com/api/?sid=112110&key=569bc5ec4b9e1ab1b3cc5d4230872188 | ||||||
| request | GET http://ip-api.com/json/ |
| request | GET http://hfuie32.2ihsfa.com/api/fbtime |
| request | POST http://hfuie32.2ihsfa.com/api/?sid=112110&key=569bc5ec4b9e1ab1b3cc5d4230872188 |
| request | POST http://hfuie32.2ihsfa.com/api/?sid=112110&key=569bc5ec4b9e1ab1b3cc5d4230872188 |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies-journal |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies |
| name | PPP | language | LANG_CHINESE | offset | 0x0005c0b0 | filetype | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | sublanguage | SUBLANG_CHINESE_SIMPLIFIED | size | 0x0002e000 | ||||||||||||||||||
| domain | ip-api.com |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\jfiag_gg.exe |
| file | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\jfiag_gg.exe |
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1619426988.776812 GetAdaptersAddresses |
flags:
15
family: 0 |
failed | 111 | 0 |
| entropy | 7.838221562094594 | section | {'size_of_data': '0x0002e400', 'virtual_address': '0x0005c000', 'entropy': 7.838221562094594, 'name': '.rsrc', 'virtual_size': '0x0002e230'} | description | A section with a high entropy has been found | |||||||||
| entropy | 0.33213644524236985 | description | Overall entropy of this PE file is high | |||||||||||
| host | 172.217.24.14 | |||
| reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kissq | reg_value | C:\Users\ADMINI~1.OSK\AppData\Local\Temp\kissq.exe������������������������������������� | ||||||
| Bkav | W32.FamVT.BitminRP.Worm |
| Elastic | malicious (high confidence) |
| MicroWorld-eScan | Trojan.Agent.EPTZ |
| FireEye | Generic.mg.56ca13666918d622 |
| McAfee | GenericRXKJ-CY!56CA13666918 |
| Cylance | Unsafe |
| Sangfor | Malware |
| K7AntiVirus | Trojan ( 004cb1d21 ) |
| Alibaba | Trojan:Win32/DropperX.0c93e499 |
| K7GW | Trojan ( 004cb1d21 ) |
| Cybereason | malicious.66918d |
| Arcabit | Trojan.Agent.EPTZ |
| Cyren | W32/Ursu.EB.gen!Eldorado |
| Symantec | ML.Attribute.HighConfidence |
| APEX | Malicious |
| Avast | Win32:DropperX-gen [Drp] |
| Kaspersky | HEUR:Trojan-Dropper.Win32.Agent.vho |
| BitDefender | Trojan.Agent.EPTZ |
| NANO-Antivirus | Trojan.Win32.Dwn.hjbccu |
| Paloalto | generic.ml |
| AegisLab | Trojan.Multi.Generic.4!c |
| Tencent | Malware.Win32.Gencirc.115a925f |
| Ad-Aware | Trojan.Agent.EPTZ |
| Emsisoft | Trojan.Agent.EPTZ (B) |
| DrWeb | Trojan.DownLoader33.35834 |
| VIPRE | Trojan.Win32.Generic!BT |
| TrendMicro | TROJ_GEN.R06EC0DIK20 |
| McAfee-GW-Edition | BehavesLike.Win32.Generic.hc |
| Sophos | Mal/Generic-S |
| SentinelOne | Static AI - Malicious PE |
| Jiangmin | TrojanDropper.Agent.gjve |
| Webroot | W32.Trojan.Gen |
| Avira | TR/Agent.xrnqi |
| MAX | malware (ai score=83) |
| Antiy-AVL | Trojan/Win32.Wacatac |
| Kingsoft | Win32.Heur.KVM003.a.(kcloud) |
| Gridinsoft | Adware.Win32.Downloader.vb |
| Microsoft | Trojan:Win32/Johnnie.A!MTB |
| ZoneAlarm | HEUR:Trojan-Dropper.Win32.Agent.vho |
| GData | Win32.Trojan-Dropper.Johnnie.B |
| Cynet | Malicious (score: 100) |
| AhnLab-V3 | Trojan/Win32.Agent.C4090193 |
| VBA32 | BScope.Trojan.Infospy |
| ALYac | Trojan.Agent.EPTZ |
| Malwarebytes | Trojan.Downloader |
| ESET-NOD32 | a variant of Win32/Agent.UAW |
| TrendMicro-HouseCall | TROJ_GEN.R06EC0DIK20 |
| Rising | Stealer.Facebook!1.CC5B (CLASSIC) |
| Ikarus | Trojan.Win32.Agent |
| MaxSecure | Trojan.Malware.7164915.susgen |
No hosts contacted.
| Name | Response | Post-Analysis Lookup |
|---|---|---|
| time.windows.com |
A 20.189.79.72
CNAME time.microsoft.akadns.net |
|
| dns.msftncsi.com | A 131.107.255.255 | 131.107.255.255 |
| hfuie32.2ihsfa.com | A 207.246.80.14 | 207.246.80.14 |
| dns.msftncsi.com | AAAA fd3e:4f5a:5b81::1 | 131.107.255.255 |
| www.facebook.com | A 31.13.82.52 | 31.13.95.17 |
| ip-api.com | A 208.95.112.1 | 208.95.112.1 |
| teredo.ipv6.microsoft.com | 127.0.0.1 |
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49183 | 207.246.80.14 hfuie32.2ihsfa.com | 80 |
| 192.168.56.101 | 49177 | 208.95.112.1 ip-api.com | 80 |
| 192.168.56.101 | 49180 | 31.13.82.52 www.facebook.com | 443 |
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49713 | 114.114.114.114 | 53 |
| 192.168.56.101 | 50534 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51378 | 114.114.114.114 | 53 |
| 192.168.56.101 | 55368 | 114.114.114.114 | 53 |
| 192.168.56.101 | 56539 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57756 | 114.114.114.114 | 53 |
| 192.168.56.101 | 58367 | 114.114.114.114 | 53 |
| 192.168.56.101 | 65004 | 114.114.114.114 | 53 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 123 | 20.189.79.72 time.windows.com | 123 |
| 192.168.56.101 | 49235 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 50002 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 50568 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 53237 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 53657 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 56804 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 60123 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 62191 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 1900 | 239.255.255.250 | 1900 |
| URI | Data |
|---|---|
| http://hfuie32.2ihsfa.com/api/?sid=112110&key=569bc5ec4b9e1ab1b3cc5d4230872188 | POST /api/?sid=112110&key=569bc5ec4b9e1ab1b3cc5d4230872188 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36 Content-Length: 265 Host: hfuie32.2ihsfa.com |
| http://ip-api.com/json/ | GET /json/ HTTP/1.1 Connection: Keep-Alive Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36 viewport-width: 1920 Host: ip-api.com |
| http://hfuie32.2ihsfa.com/api/fbtime | GET /api/fbtime HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36 Host: hfuie32.2ihsfa.com |
No ICMP traffic performed.
No IRC requests performed.
No Suricata Alerts
No Suricata TLS
No Snort Alerts