Unconventionial binary language: Chinese (Simplified)
Attempts to connect to a dead IP:Port (11 unique times) Show sources
| network_host_ip | 78.46.39.215:443 (Germany) |
| network_host_ip | 222.85.26.208:80 (China) |
| network_host_ip | 127.0.0.1:49172 |
| network_host_ip | 125.88.146.188:80 (China) |
| network_host_ip | 125.88.146.63:80 (China) |
| network_host_ip | 203.119.206.95:80 (China) |
| network_host_ip | 120.26.167.216:8012 (China) |
| network_host_ip | 47.97.218.41:80 (Canada) |
| network_host_ip | 116.207.118.89:80 (China) |
| network_host_ip | 222.85.26.209:80 (China) |
| network_host_ip | 120.26.167.216:80 (China) |
Starts servers listening on 127.0.0.1:0
Performs some HTTP requests Show sources
| network_url | http://yulv.net/WHAD.html |
| network_url | http://weixin0452.com/s.php?id=186 |
| network_url | http://mingwangedu.com/s.php?id=192 |
| network_url | http://cloud.zyiis.net/v.js?laZwak5XnZJWIdK7ZskDSR1rVOdwoHTC2dPOFR9Y1Uw= |
| network_url | http://mybaol.com/stats.php?adsid=273&planid=169&uid=1285&siteid=&plantype=cpm&zoneid=186&adtplid=8&sep=10 |
| network_url | http://yulv.net/WHAD.gif |
| network_url | http://s131.cnzz.com/stat.php?id=1252129&web_id=1252129&show=pic |
| network_url | http://hzs12.cnzz.com/stat.htm?id=1252129&r=&lg=en-us&ntime=none&cnzz_eid=338705755-1560176988-&showp=800x600&p=http%3A%2F%2Fyulv.net%2FWHAD.html&t=WarHelper%20%E8%BD%AF%E4%BB%B6%E6%9B%B4%E6%96%B0%E4%B8%8B%E8%BD%BD%E9%A1%B5%E9%9D%A2&umuuid=16b43bac9271d2-0179f277e643774-26596759-75300-16b43bac9383d3&h=1&rnd=308552283 |
| network_url | http://c.cnzz.com/core.php?web_id=1252129&show=pic&t=z |
| network_url | http://icon.cnzz.com/img/pic.gif |
Tries to unhook or modify Windows functions monitored by Cuckoo Show sources
| function_modify | function_name: LdrLoadDll, type: modification |
Attempts to repeatedly call a single API many times in order to delay analysis time Show sources
| api_process_name | firefox.exe (2580) called API GetSystemTime 405486 times |
| api_process_name | firefox.exe (2580) called API NtQuerySystemTime 11469 times |
| api_process_name | firefox.exe (2580) called API GetSystemTimeAsFileTime 586449 times |
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Collects information to fingerprint the system Show sources
| registry_read | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate |
Attempts to modify proxy settings