Analysis
| Category | Package | Started | Completed | Duration | Options | Log |
|---|---|---|---|---|---|---|
| FILE | js | 2019-12-03 05:48:45 | 2019-12-03 05:50:29 | 104 seconds | Show Options | Show Log |
procmemdump = 1
procdump = 1
route = internet
2019-12-03 05:48:46,015 [root] INFO: Date set to: 12-03-19, time set to: 05:48:46, timeout set to: 200 2019-12-03 05:48:46,483 [root] DEBUG: Starting analyzer from: C:\javokkz 2019-12-03 05:48:46,483 [root] DEBUG: Storing results at: C:\xqEFFmimZ 2019-12-03 05:48:46,483 [root] DEBUG: Pipe server name: \\.\PIPE\odeIOkC 2019-12-03 05:48:46,483 [root] DEBUG: No analysis package specified, trying to detect it automagically. 2019-12-03 05:48:46,483 [root] INFO: Automatically selected analysis package "js" 2019-12-03 05:49:03,799 [root] DEBUG: Started auxiliary module Browser 2019-12-03 05:49:03,799 [root] DEBUG: Started auxiliary module Curtain 2019-12-03 05:49:03,799 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature. 2019-12-03 05:49:12,019 [modules.auxiliary.digisig] DEBUG: File is not signed. 2019-12-03 05:49:12,019 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2019-12-03 05:49:12,019 [root] DEBUG: Started auxiliary module DigiSig 2019-12-03 05:49:12,036 [root] DEBUG: Started auxiliary module Disguise 2019-12-03 05:49:12,036 [root] DEBUG: Started auxiliary module Human 2019-12-03 05:49:12,036 [root] DEBUG: Started auxiliary module Screenshots 2019-12-03 05:49:12,036 [root] DEBUG: Started auxiliary module Sysmon 2019-12-03 05:49:12,036 [root] DEBUG: Started auxiliary module Usage 2019-12-03 05:49:12,036 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL option 2019-12-03 05:49:12,036 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL_64 option 2019-12-03 05:49:13,299 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\wscript.exe" with arguments ""C:\Users\user\AppData\Local\Temp\scan.js"" with pid 1352 2019-12-03 05:49:15,328 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2019-12-03 05:49:15,328 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor 2019-12-03 05:49:15,328 [lib.api.process] INFO: 32-bit DLL to inject is C:\javokkz\dll\WpQrPU.dll, loader C:\javokkz\bin\OBVdkqk.exe 2019-12-03 05:49:15,342 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\odeIOkC. 2019-12-03 05:49:15,342 [root] DEBUG: Loader: Injecting process 1352 (thread 532) with C:\javokkz\dll\WpQrPU.dll. 2019-12-03 05:49:15,342 [root] DEBUG: Process image base: 0x00860000 2019-12-03 05:49:15,342 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\javokkz\dll\WpQrPU.dll. 2019-12-03 05:49:15,342 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00886000 - 0x77110000 2019-12-03 05:49:15,342 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00890000. 2019-12-03 05:49:15,342 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT. 2019-12-03 05:49:15,342 [root] DEBUG: Successfully injected DLL C:\javokkz\dll\WpQrPU.dll. 2019-12-03 05:49:15,342 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1352 2019-12-03 05:49:17,355 [lib.api.process] INFO: Successfully resumed process with pid 1352 2019-12-03 05:49:17,355 [root] INFO: Added new process to list with pid: 1352 2019-12-03 05:49:17,512 [root] DEBUG: Terminate processes on terminate_event enabled. 2019-12-03 05:49:17,512 [root] DEBUG: Full process memory dumps enabled. 2019-12-03 05:49:17,512 [root] DEBUG: Process dumps enabled. 2019-12-03 05:49:17,776 [root] INFO: Disabling sleep skipping. 2019-12-03 05:49:17,776 [root] DEBUG: RestoreHeaders: Restored original import table. 2019-12-03 05:49:17,776 [root] INFO: Disabling sleep skipping. 2019-12-03 05:49:17,776 [root] INFO: Disabling sleep skipping. 2019-12-03 05:49:17,776 [root] INFO: Disabling sleep skipping. 2019-12-03 05:49:17,776 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1352 at 0x74880000, image base 0x860000, stack from 0x3c6000-0x3d0000 2019-12-03 05:49:17,776 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\scan.js". 2019-12-03 05:49:17,776 [root] INFO: Monitor successfully loaded in process with pid 1352. 2019-12-03 05:49:17,885 [root] DEBUG: DLL unloaded from 0x75D60000. 2019-12-03 05:49:17,885 [root] DEBUG: DLL unloaded from 0x00860000. 2019-12-03 05:49:17,901 [root] DEBUG: DLL loaded at 0x74820000: C:\Windows\SysWOW64\SXS (0x5f000 bytes). 2019-12-03 05:49:17,947 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes). 2019-12-03 05:49:18,401 [root] DEBUG: DLL loaded at 0x74480000: C:\Windows\SysWOW64\jscript (0xb2000 bytes). 2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes). 2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes). 2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes). 2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes). 2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes). 2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\SysWOW64\MSISIP (0x8000 bytes). 2019-12-03 05:49:18,526 [root] DEBUG: DLL unloaded from 0x751B0000. 2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\wshext (0x16000 bytes). 2019-12-03 05:49:18,526 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes). 2019-12-03 05:49:18,556 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes). 2019-12-03 05:49:18,556 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\SysWOW64\scrobj (0x2d000 bytes). 2019-12-03 05:49:18,556 [root] DEBUG: DLL unloaded from 0x76C00000. 2019-12-03 05:49:18,556 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes). 2019-12-03 05:49:18,556 [root] DEBUG: DLL unloaded from 0x74450000. 2019-12-03 05:49:18,556 [root] DEBUG: DLL unloaded from 0x74480000. 2019-12-03 05:49:18,556 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1352 2019-12-03 05:49:18,556 [root] DEBUG: GetHookCallerBase: thread 532 (handle 0x0), return address 0x00862FBD, allocation base 0x00860000. 2019-12-03 05:49:18,556 [root] DEBUG: DoProcessDump: Created dump file for full process memory dump: C:\xqEFFmimZ\memory\1352.dmp. 2019-12-03 05:49:18,805 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00860000. 2019-12-03 05:49:18,805 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image. 2019-12-03 05:49:18,805 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00860000. 2019-12-03 05:49:18,805 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002F3B. 2019-12-03 05:49:18,822 [root] INFO: Added new CAPE file to list with path: C:\xqEFFmimZ\CAPE\1352_185581276028301132122019 2019-12-03 05:49:18,822 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x21600. 2019-12-03 05:49:48,368 [root] DEBUG: DoProcessDump: Full process memory dump saved to file: C:\xqEFFmimZ\memory\1352.dmp. 2019-12-03 05:49:48,368 [root] DEBUG: DLL unloaded from 0x75140000. 2019-12-03 05:49:48,368 [root] INFO: Notified of termination of process with pid 1352. 2019-12-03 05:49:53,875 [root] INFO: Process list is empty, terminating analysis. 2019-12-03 05:49:55,075 [root] INFO: Created shutdown mutex. 2019-12-03 05:49:56,089 [root] INFO: Shutting down package. 2019-12-03 05:49:56,089 [root] INFO: Stopping auxiliary modules. 2019-12-03 05:49:56,089 [root] INFO: Finishing auxiliary modules. 2019-12-03 05:49:56,089 [root] INFO: Shutting down pipe server and dumping dropped files. 2019-12-03 05:49:56,089 [root] WARNING: File at path "C:\xqEFFmimZ\debugger" does not exist, skip. 2019-12-03 05:49:56,089 [root] INFO: Analysis completed.
MalScore
0.5
Benign
Machine
| Name | Label | Manager | Started On | Shutdown On |
|---|---|---|---|---|
| target-01 | target-01 | ESX | 2019-12-03 05:48:45 | 2019-12-03 05:50:28 |
File Details
| File Name | scan.js |
|---|---|
| File Size | 352 bytes |
| File Type | ASCII text, with CRLF line terminators |
| MD5 | d9942ce8b4643d49d12e286c8a75ad44 |
| SHA1 | 85bb9b4e12ca9fb00bf5f7a2c317929fb0d906c7 |
| SHA256 | 52e585a9b25892e395f58f77c67d1f0490fb8fa8696ef8fb4f90c06746cfe80b |
| SHA512 | fdcb095e010d018919b40f4a0733c2d2d6f429b7d270ac32994e01184783c62972523d7b10ccfe1feb52d45d4d3468e5512ec498560e87880452d2061dd04fe8 |
| CRC32 | E8C849C5 |
| Ssdeep | 6:qvcAX4nNwmCjODo0nyj7kOJ5NotsssovsEgqXyHSq6XSAVF2QaVa:gc/mXKDoPTatNso0DqXyyq6XhVQQF |
| TrID |
|
| ClamAV | None matched |
| Yara | None matched |
| CAPE Yara | None matched |
| Resubmit sample |
Signatures
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: ADVAPI32.dll/UnregisterTraceGuids
DynamicLoader: OLEAUT32.dll/
DynamicLoader: CRYPTSP.dll/CryptReleaseContext
Screenshots
Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
C:\Users\user\AppData\Local\Temp\scan.js
C:\Users\user\AppData\Local\Temp\scan.js
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
advapi32.dll.UnregisterTraceGuids
oleaut32.dll.#500
cryptsp.dll.CryptReleaseContext
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
advapi32.dll.UnregisterTraceGuids
oleaut32.dll.#500
cryptsp.dll.CryptReleaseContext
Process Tree
- wscript.exe 1352 "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\scan.js"
Hosts
No hosts contacted.
TCP
No TCP connections recorded.
UDP
No UDP connections recorded.
DNS
No domains contacted.
HTTP Requests
No HTTP requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
ICMP traffic
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No dropped Suricata Extracted files.
JA3
No JA3 hashes found.
Sorry! No dropped files.
Sorry! No CAPE files.
| Process Name | wscript.exe |
|---|---|
| PID | 1352 |
| Dump Size | 136704 bytes |
| Module Path | C:\Windows\SysWOW64\wscript.exe |
| Type | PE image: 32-bit executable |
| MD5 | 78c4d93bf50c53b63a2602f75e92ab5a |
| SHA1 | fc18ef4d32b212386fcc83e29a28808044fa280e |
| SHA256 | bbde3666af65b1bacd67c2ced09928605c5d1ffbe81a06b3979f06dacf7cfdef |
| CRC32 | 183BD09D |
| Ssdeep | 3072:MWwjiTrjmowAggtTUoVbt925EvSc6O2PM0+JSxuwbXrrasm/CDkucr5Txt:n/mowAVTx9aEv708Sx/bXr+sm1NT |
| ClamAV | None |
| Yara | None matched |
| CAPE Yara | None matched |
| Dump Filename | bbde3666af65b1bacd67c2ced09928605c5d1ffbe81a06b3979f06dacf7cfdef |
Comments
No comments posted
Processing ( 0.468 seconds )
- 0.165 CAPE
- 0.152 ProcDump
- 0.081 TrID
- 0.032 Deduplicate
- 0.012 TargetInfo
- 0.011 BehaviorAnalysis
- 0.007 NetworkAnalysis
- 0.006 AnalysisInfo
- 0.001 Debug
- 0.001 Static
Signatures ( 0.047 seconds )
- 0.008 antiav_detectreg
- 0.008 ransomware_files
- 0.003 persistence_autorun
- 0.003 antiav_detectfile
- 0.003 infostealer_ftp
- 0.003 ransomware_extensions
- 0.002 browser_security
- 0.002 infostealer_bitcoin
- 0.002 infostealer_im
- 0.002 infostealer_mail
- 0.001 tinba_behavior
- 0.001 rat_nanocore
- 0.001 cerber_behavior
- 0.001 antianalysis_detectfile
- 0.001 antianalysis_detectreg
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 bot_drive
- 0.001 disables_browser_warn
- 0.001 masquerade_process_name
Reporting ( 0.0 seconds )
| Task ID | 115341 |
|---|---|
| Mongo ID | 5de5f7b438b1e1182f3b1535 |
| Cuckoo release | 1.3-CAPE |
| Delete |