Analysis

Category Package Started Completed Duration Options Log
FILE js 2019-12-03 05:48:45 2019-12-03 05:50:29 104 seconds Show Options Show Log
procmemdump = 1
procdump = 1
route = internet
2019-12-03 05:48:46,015 [root] INFO: Date set to: 12-03-19, time set to: 05:48:46, timeout set to: 200
2019-12-03 05:48:46,483 [root] DEBUG: Starting analyzer from: C:\javokkz
2019-12-03 05:48:46,483 [root] DEBUG: Storing results at: C:\xqEFFmimZ
2019-12-03 05:48:46,483 [root] DEBUG: Pipe server name: \\.\PIPE\odeIOkC
2019-12-03 05:48:46,483 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-12-03 05:48:46,483 [root] INFO: Automatically selected analysis package "js"
2019-12-03 05:49:03,799 [root] DEBUG: Started auxiliary module Browser
2019-12-03 05:49:03,799 [root] DEBUG: Started auxiliary module Curtain
2019-12-03 05:49:03,799 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-12-03 05:49:12,019 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-12-03 05:49:12,019 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-12-03 05:49:12,019 [root] DEBUG: Started auxiliary module DigiSig
2019-12-03 05:49:12,036 [root] DEBUG: Started auxiliary module Disguise
2019-12-03 05:49:12,036 [root] DEBUG: Started auxiliary module Human
2019-12-03 05:49:12,036 [root] DEBUG: Started auxiliary module Screenshots
2019-12-03 05:49:12,036 [root] DEBUG: Started auxiliary module Sysmon
2019-12-03 05:49:12,036 [root] DEBUG: Started auxiliary module Usage
2019-12-03 05:49:12,036 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL option
2019-12-03 05:49:12,036 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL_64 option
2019-12-03 05:49:13,299 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\wscript.exe" with arguments ""C:\Users\user\AppData\Local\Temp\scan.js"" with pid 1352
2019-12-03 05:49:15,328 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2019-12-03 05:49:15,328 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:49:15,328 [lib.api.process] INFO: 32-bit DLL to inject is C:\javokkz\dll\WpQrPU.dll, loader C:\javokkz\bin\OBVdkqk.exe
2019-12-03 05:49:15,342 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\odeIOkC.
2019-12-03 05:49:15,342 [root] DEBUG: Loader: Injecting process 1352 (thread 532) with C:\javokkz\dll\WpQrPU.dll.
2019-12-03 05:49:15,342 [root] DEBUG: Process image base: 0x00860000
2019-12-03 05:49:15,342 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\javokkz\dll\WpQrPU.dll.
2019-12-03 05:49:15,342 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00886000 - 0x77110000
2019-12-03 05:49:15,342 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00890000.
2019-12-03 05:49:15,342 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:49:15,342 [root] DEBUG: Successfully injected DLL C:\javokkz\dll\WpQrPU.dll.
2019-12-03 05:49:15,342 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1352
2019-12-03 05:49:17,355 [lib.api.process] INFO: Successfully resumed process with pid 1352
2019-12-03 05:49:17,355 [root] INFO: Added new process to list with pid: 1352
2019-12-03 05:49:17,512 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:49:17,512 [root] DEBUG: Full process memory dumps enabled.
2019-12-03 05:49:17,512 [root] DEBUG: Process dumps enabled.
2019-12-03 05:49:17,776 [root] INFO: Disabling sleep skipping.
2019-12-03 05:49:17,776 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:49:17,776 [root] INFO: Disabling sleep skipping.
2019-12-03 05:49:17,776 [root] INFO: Disabling sleep skipping.
2019-12-03 05:49:17,776 [root] INFO: Disabling sleep skipping.
2019-12-03 05:49:17,776 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1352 at 0x74880000, image base 0x860000, stack from 0x3c6000-0x3d0000
2019-12-03 05:49:17,776 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\scan.js".
2019-12-03 05:49:17,776 [root] INFO: Monitor successfully loaded in process with pid 1352.
2019-12-03 05:49:17,885 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-12-03 05:49:17,885 [root] DEBUG: DLL unloaded from 0x00860000.
2019-12-03 05:49:17,901 [root] DEBUG: DLL loaded at 0x74820000: C:\Windows\SysWOW64\SXS (0x5f000 bytes).
2019-12-03 05:49:17,947 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-12-03 05:49:18,401 [root] DEBUG: DLL loaded at 0x74480000: C:\Windows\SysWOW64\jscript (0xb2000 bytes).
2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\SysWOW64\MSISIP (0x8000 bytes).
2019-12-03 05:49:18,526 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\wshext (0x16000 bytes).
2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2019-12-03 05:49:18,556 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-12-03 05:49:18,556 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\SysWOW64\scrobj (0x2d000 bytes).
2019-12-03 05:49:18,556 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-12-03 05:49:18,556 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2019-12-03 05:49:18,556 [root] DEBUG: DLL unloaded from 0x74450000.
2019-12-03 05:49:18,556 [root] DEBUG: DLL unloaded from 0x74480000.
2019-12-03 05:49:18,556 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1352
2019-12-03 05:49:18,556 [root] DEBUG: GetHookCallerBase: thread 532 (handle 0x0), return address 0x00862FBD, allocation base 0x00860000.
2019-12-03 05:49:18,556 [root] DEBUG: DoProcessDump: Created dump file for full process memory dump: C:\xqEFFmimZ\memory\1352.dmp.
2019-12-03 05:49:18,805 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00860000.
2019-12-03 05:49:18,805 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:49:18,805 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00860000.
2019-12-03 05:49:18,805 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002F3B.
2019-12-03 05:49:18,822 [root] INFO: Added new CAPE file to list with path: C:\xqEFFmimZ\CAPE\1352_185581276028301132122019
2019-12-03 05:49:18,822 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x21600.
2019-12-03 05:49:48,368 [root] DEBUG: DoProcessDump: Full process memory dump saved to file: C:\xqEFFmimZ\memory\1352.dmp.
2019-12-03 05:49:48,368 [root] DEBUG: DLL unloaded from 0x75140000.
2019-12-03 05:49:48,368 [root] INFO: Notified of termination of process with pid 1352.
2019-12-03 05:49:53,875 [root] INFO: Process list is empty, terminating analysis.
2019-12-03 05:49:55,075 [root] INFO: Created shutdown mutex.
2019-12-03 05:49:56,089 [root] INFO: Shutting down package.
2019-12-03 05:49:56,089 [root] INFO: Stopping auxiliary modules.
2019-12-03 05:49:56,089 [root] INFO: Finishing auxiliary modules.
2019-12-03 05:49:56,089 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-12-03 05:49:56,089 [root] WARNING: File at path "C:\xqEFFmimZ\debugger" does not exist, skip.
2019-12-03 05:49:56,089 [root] INFO: Analysis completed.

MalScore

0.5

Benign

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-12-03 05:48:45 2019-12-03 05:50:28

File Details

File Name scan.js
File Size 352 bytes
File Type ASCII text, with CRLF line terminators
MD5 d9942ce8b4643d49d12e286c8a75ad44
SHA1 85bb9b4e12ca9fb00bf5f7a2c317929fb0d906c7
SHA256 52e585a9b25892e395f58f77c67d1f0490fb8fa8696ef8fb4f90c06746cfe80b
SHA512 fdcb095e010d018919b40f4a0733c2d2d6f429b7d270ac32994e01184783c62972523d7b10ccfe1feb52d45d4d3468e5512ec498560e87880452d2061dd04fe8
CRC32 E8C849C5
Ssdeep 6:qvcAX4nNwmCjODo0nyj7kOJ5NotsssovsEgqXyHSq6XSAVF2QaVa:gc/mXKDoPTatNso0DqXyyq6XhVQQF
TrID
  • Unknown!
ClamAV None matched
Yara None matched
CAPE Yara None matched
Resubmit sample

Signatures

Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptReleaseContext

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Users\user\AppData\Local\Temp\scan.js
C:\Users\user\AppData\Local\Temp\scan.js
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
advapi32.dll.UnregisterTraceGuids
oleaut32.dll.#500
cryptsp.dll.CryptReleaseContext

Process Tree

  • wscript.exe 1352 "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\scan.js"

wscript.exe, PID: 1352, Parent PID: 2480
Full Path: C:\Windows\SysWOW64\wscript.exe
Command Line: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\scan.js"

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name wscript.exe
PID 1352
Dump Size 136704 bytes
Module Path C:\Windows\SysWOW64\wscript.exe
Type PE image: 32-bit executable
MD5 78c4d93bf50c53b63a2602f75e92ab5a
SHA1 fc18ef4d32b212386fcc83e29a28808044fa280e
SHA256 bbde3666af65b1bacd67c2ced09928605c5d1ffbe81a06b3979f06dacf7cfdef
CRC32 183BD09D
Ssdeep 3072:MWwjiTrjmowAggtTUoVbt925EvSc6O2PM0+JSxuwbXrrasm/CDkucr5Txt:n/mowAVTx9aEv708Sx/bXr+sm1NT
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename bbde3666af65b1bacd67c2ced09928605c5d1ffbe81a06b3979f06dacf7cfdef

Comments



No comments posted

Processing ( 0.468 seconds )

  • 0.165 CAPE
  • 0.152 ProcDump
  • 0.081 TrID
  • 0.032 Deduplicate
  • 0.012 TargetInfo
  • 0.011 BehaviorAnalysis
  • 0.007 NetworkAnalysis
  • 0.006 AnalysisInfo
  • 0.001 Debug
  • 0.001 Static

Signatures ( 0.047 seconds )

  • 0.008 antiav_detectreg
  • 0.008 ransomware_files
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name

Reporting ( 0.0 seconds )

Task ID 115341
Mongo ID 5de5f7b438b1e1182f3b1535
Cuckoo release 1.3-CAPE
Delete