- * MalFamily: "Malicious"
- * MalScore: 10.0
- * File Name: "Troldesh_ed4d6fc3405022e04b9c1de62e61c7e3.jpg"
- * File Size: 1089712
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "5d9f69350810bdb5ee1a861b2dc58822e01ee6edee5c6d13dd43f4beef583103"
- * MD5: "ed4d6fc3405022e04b9c1de62e61c7e3"
- * SHA1: "b3c3969377a112f97b393f55db520b713676d88c"
- * SHA512: "631367c1a5cf56769cb6cd16f5eae2dbc93b2ed211fb4a4a6522b3eb6f92f1ea1277f57b30fefbf108cba173e4ba1ffe02dcc369dcc7c76a4f76c69a040d5f48"
- * CRC32: "29713375"
- * SSDEEP: "24576:I/7TbYcDa6BSSEkmfSRmjNr0HmO0g9miDnP9GA061MU8Hx:M7TajSENNO79FDPzr+t"
- * Process Execution:
- "Troldesh_ed4d6fc3405022e04b9c1de62e61c7e3.jpg"
- * Executed Commands:
- * Signatures Detected:
- "Description": "Creates RWX memory",
- "Details":
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "Troldesh_ed4d6fc3405022e04b9c1de62e61c7e3.jpg tried to sleep 504 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Attempts to connect to a dead IP:Port (7 unique times)",
- "Details":
- "Description": "Starts servers listening on 127.0.0.1:58209",
- "Details":
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: Troldesh_ed4d6fc3405022e04b9c1de62e61c7e3.jpg, pid: 2040, offset: 0x00000000, length: 0x0010a0b0"
- "Description": "The binary likely contains encrypted or compressed data.",
- "Details":
- "section": "name: .rdata, entropy: 7.99, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000d8a00, virtual_size: 0x000d88e2"
- "section": "name: .rsrc, entropy: 7.04, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00023000, virtual_size: 0x0011fea8"
- "Description": "Installs Tor on the infected machine",
- "Details":
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem"
- "data": "\"C:\\ProgramData\\Windows\\csrss.exe\""
- "Description": "Collects information about installed applications",
- "Details":
- "Program": "Google Update Helper"
- "Program": "Microsoft Excel MUI 2013"
- "Program": "Microsoft Outlook MUI 2013"
- "Program": "Google Chrome"
- "Program": "Adobe Flash Player 29 NPAPI"
- "Program": "Adobe Flash Player 29 ActiveX"
- "Program": "Microsoft DCF MUI 2013"
- "Program": "Microsoft Access MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - English"
- "Program": "Adobe Acrobat Reader DC"
- "Program": "Microsoft Publisher MUI 2013"
- "Program": "Microsoft Office Shared MUI 2013"
- "Program": "Microsoft Office OSM MUI 2013"
- "Program": "Microsoft InfoPath MUI 2013"
- "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
- "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
- "Program": "Microsoft Word MUI 2013"
- "Program": "Microsoft OneDrive"
- "Program": "Microsoft Groove MUI 2013"
- "Program": "Microsoft Office Proofing Tools 2013 - Español"
- "Program": "Microsoft Access Setup Metadata MUI 2013"
- "Program": "Microsoft Office OSM UX MUI 2013"
- "Program": "Java Auto Updater"
- "Program": "Microsoft PowerPoint MUI 2013"
- "Program": "Microsoft Office Professional Plus 2013"
- "Program": "Adobe Refresh Manager"
- "Program": "Microsoft Office Proofing 2013"
- "Program": "Microsoft Lync MUI 2013"
- "Program": "Microsoft OneNote MUI 2013"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\ProgramData\\Windows\\"
- "Description": "File has been identified by 21 Antiviruses on VirusTotal as malicious",
- "Details":
- "McAfee": "GenericRXII-JX!ED4D6FC34050"
- "CrowdStrike": "win/malicious_confidence_70% (D)"
- "F-Prot": "W32/Agent.BAE.gen!Eldorado"
- "Symantec": "Packed.Generic.459"
- "ESET-NOD32": "a variant of Win32/Kryptik.GLWT"
- "APEX": "Malicious"
- "Invincea": "heuristic"
- "Trapmine": "malicious.high.ml.score"
- "FireEye": "Generic.mg.ed4d6fc3405022e0"
- "Emsisoft": "Trojan-Ransom.Shade (A)"
- "SentinelOne": "DFI - Suspicious PE"
- "Cyren": "W32/Agent.BAE.gen!Eldorado"
- "Antiy-AVL": "Trojan/Win32.AGeneric"
- "Endgame": "malicious (high confidence)"
- "Acronis": "suspicious"
- "VBA32": "Malware-Cryptor.Kirgudu"
- "Rising": "Trojan.Generic@ML.100 (RDML:1vKBTeJ23iChxD854QJl2g)"
- "Ikarus": "Trojan-Ransom.Crypted007"
- "eGambit": "PE.Heur.InvalidSig"
- "Fortinet": "W32/Kryptik.GLWT!tr"
- "Qihoo-360": "HEUR/QVM10.1.3A81.Malware.Gen"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\ProgramData\\Windows\\csrss.exe"
- "Description": "Harvests information related to installed mail clients",
- "Details":
- "file": "C:\\Users\\user\\Documents\\Outlook Files\\Outlook.pst"
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 659"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 154"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 191"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 295"
- "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 201"
- * Started Service:
- * Mutexes:
- * Modified Files:
- "\\??\\PIPE\\wkssvc",
- "C:\\ProgramData\\Windows\\csrss.exe",
- "\\??\\PIPE\\srvsvc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\lock",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-certs.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-certs",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdescs.new"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-certs.tmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus",
- "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus.tmp"
- * Modified Registry Keys:
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\System32\\Configuration\\",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xi",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xVersion"
- * Deleted Registry Keys:
- * DNS Communications:
- * Domains:
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: