Analysis

Category FILE
Package js
Started 2019-12-03 05:55:35
Completed 2019-12-03 05:59:38
Duration 243 seconds
route = internet
procdump = 1
2019-12-03 05:55:46,000 [root] INFO: Date set to: 12-03-19, time set to: 05:55:46, timeout set to: 200
2019-12-03 05:55:46,046 [root] DEBUG: Starting analyzer from: C:\rstcpmmgr
2019-12-03 05:55:46,046 [root] DEBUG: Storing results at: C:\znaYDyRgc
2019-12-03 05:55:46,046 [root] DEBUG: Pipe server name: \\.\PIPE\bkgoLyE
2019-12-03 05:55:46,046 [root] INFO: Analysis package "js" has been specified.
2019-12-03 05:55:52,894 [root] DEBUG: Started auxiliary module Browser
2019-12-03 05:55:52,910 [root] DEBUG: Started auxiliary module Curtain
2019-12-03 05:55:52,910 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-12-03 05:55:53,815 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-12-03 05:55:53,815 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-12-03 05:55:53,815 [root] DEBUG: Started auxiliary module DigiSig
2019-12-03 05:55:53,831 [root] DEBUG: Started auxiliary module Disguise
2019-12-03 05:55:53,831 [root] DEBUG: Started auxiliary module Human
2019-12-03 05:55:53,831 [root] DEBUG: Started auxiliary module Screenshots
2019-12-03 05:55:53,845 [root] DEBUG: Started auxiliary module Sysmon
2019-12-03 05:55:53,845 [root] DEBUG: Started auxiliary module Usage
2019-12-03 05:55:53,845 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL option
2019-12-03 05:55:53,845 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL_64 option
2019-12-03 05:55:54,017 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\wscript.exe" with arguments ""C:\Users\user\AppData\Local\Temp\Eedut.js"" with pid 1964
2019-12-03 05:55:54,049 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:55:54,049 [lib.api.process] INFO: 32-bit DLL to inject is C:\rstcpmmgr\dll\YLHNjeu.dll, loader C:\rstcpmmgr\bin\HmLSBRs.exe
2019-12-03 05:55:54,142 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\bkgoLyE.
2019-12-03 05:55:54,142 [root] DEBUG: Loader: Injecting process 1964 (thread 420) with C:\rstcpmmgr\dll\YLHNjeu.dll.
2019-12-03 05:55:54,142 [root] DEBUG: Process image base: 0x002B0000
2019-12-03 05:55:54,157 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\rstcpmmgr\dll\YLHNjeu.dll.
2019-12-03 05:55:54,157 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x002D6000 - 0x00410000
2019-12-03 05:55:54,157 [root] DEBUG: InjectDllViaIAT: Allocated 0x1dc bytes for new import table at 0x002E0000.
2019-12-03 05:55:54,157 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:55:54,157 [root] DEBUG: Successfully injected DLL C:\rstcpmmgr\dll\YLHNjeu.dll.
2019-12-03 05:55:54,157 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1964
2019-12-03 05:55:56,171 [lib.api.process] INFO: Successfully resumed process with pid 1964
2019-12-03 05:55:56,171 [root] INFO: Added new process to list with pid: 1964
2019-12-03 05:55:56,263 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:55:56,263 [root] DEBUG: Process dumps enabled.
2019-12-03 05:55:56,686 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:56,686 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:56,686 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:56,686 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:55:56,686 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:56,700 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1964 at 0x74880000, image base 0x2b0000, stack from 0x506000-0x510000
2019-12-03 05:55:56,700 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\Eedut.js".
2019-12-03 05:55:56,700 [root] INFO: Monitor successfully loaded in process with pid 1964.
2019-12-03 05:55:56,717 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-12-03 05:55:56,732 [root] DEBUG: DLL unloaded from 0x002B0000.
2019-12-03 05:55:56,747 [root] DEBUG: DLL loaded at 0x74810000: C:\Windows\SysWOW64\SXS (0x5f000 bytes).
2019-12-03 05:55:56,779 [root] DEBUG: DLL loaded at 0x74EB0000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-12-03 05:55:56,934 [root] DEBUG: DLL loaded at 0x74480000: C:\Windows\SysWOW64\jscript (0xb2000 bytes).
2019-12-03 05:55:56,982 [root] DEBUG: DLL loaded at 0x75470000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2019-12-03 05:55:56,982 [root] DEBUG: DLL loaded at 0x75790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-12-03 05:55:56,982 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-12-03 05:55:56,982 [root] DEBUG: DLL loaded at 0x74C70000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-12-03 05:55:56,997 [root] DEBUG: DLL loaded at 0x74C30000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:55:56,997 [root] DEBUG: DLL loaded at 0x747F0000: C:\Windows\SysWOW64\MSISIP (0x8000 bytes).
2019-12-03 05:55:57,013 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-12-03 05:55:57,013 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\SysWOW64\wshext (0x16000 bytes).
2019-12-03 05:55:57,013 [root] DEBUG: DLL loaded at 0x74970000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2019-12-03 05:55:57,013 [root] DEBUG: DLL loaded at 0x75E70000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-12-03 05:55:57,075 [root] DEBUG: DLL loaded at 0x74450000: C:\Windows\SysWOW64\scrobj (0x2d000 bytes).
2019-12-03 05:55:57,075 [root] DEBUG: DLL unloaded from 0x76C00000.
2019-12-03 05:55:57,075 [root] DEBUG: DLL loaded at 0x74800000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2019-12-03 05:55:57,138 [root] DEBUG: DLL loaded at 0x74420000: C:\Windows\SysWOW64\scrrun (0x2a000 bytes).
2019-12-03 05:56:17,121 [root] DEBUG: DLL unloaded from 0x751B0000.
2019-12-03 05:56:27,042 [root] DEBUG: DLL unloaded from 0x747F0000.
2019-12-03 05:56:27,042 [root] DEBUG: DLL unloaded from 0x747D0000.
2019-12-03 05:56:27,059 [root] DEBUG: DLL unloaded from 0x75790000.
2019-12-03 05:58:59,236 [root] DEBUG: DLL loaded at 0x742E0000: C:\Windows\System32\msxml3 (0x133000 bytes).
2019-12-03 05:58:59,579 [root] DEBUG: DLL loaded at 0x74A40000: C:\Windows\SysWOW64\winhttp (0x58000 bytes).
2019-12-03 05:58:59,579 [root] DEBUG: DLL loaded at 0x74290000: C:\Windows\SysWOW64\webio (0x4f000 bytes).
2019-12-03 05:58:59,720 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-12-03 05:58:59,720 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-12-03 05:58:59,720 [root] DEBUG: DLL unloaded from 0x75D60000.
2019-12-03 05:58:59,720 [root] DEBUG: DLL loaded at 0x74A30000: C:\Windows\SysWOW64\credssp (0x8000 bytes).
2019-12-03 05:58:59,736 [root] DEBUG: DLL unloaded from 0x74C70000.
2019-12-03 05:58:59,736 [root] DEBUG: DLL loaded at 0x74BF0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-12-03 05:58:59,736 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-12-03 05:58:59,736 [root] DEBUG: DLL loaded at 0x74A20000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-12-03 05:58:59,813 [root] DEBUG: DLL loaded at 0x747D0000: C:\Windows\system32\mlang (0x2e000 bytes).
2019-12-03 05:58:59,907 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\SysWOW64\DNSAPI (0x44000 bytes).
2019-12-03 05:58:59,907 [root] DEBUG: DLL loaded at 0x74A00000: C:\Windows\SysWOW64\IPHLPAPI (0x1c000 bytes).
2019-12-03 05:58:59,907 [root] DEBUG: DLL loaded at 0x74280000: C:\Windows\SysWOW64\WINNSI (0x7000 bytes).
2019-12-03 05:58:59,907 [root] DEBUG: DLL loaded at 0x74270000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2019-12-03 05:59:00,032 [root] DEBUG: DLL loaded at 0x74230000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-12-03 05:59:17,115 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-12-03 05:59:17,115 [root] INFO: Created shutdown mutex.
2019-12-03 05:59:18,128 [lib.api.process] INFO: Terminate event set for process 1964
2019-12-03 05:59:18,128 [root] DEBUG: Terminate Event: Attempting to dump process 1964
2019-12-03 05:59:18,128 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x002B0000.
2019-12-03 05:59:18,128 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:59:18,128 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x002B0000.
2019-12-03 05:59:18,128 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002F3B.
2019-12-03 05:59:18,160 [root] INFO: Added new CAPE file to list with path: C:\znaYDyRgc\CAPE\1964_12595256001859532122019
2019-12-03 05:59:18,160 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x21600.
2019-12-03 05:59:18,160 [lib.api.process] INFO: Termination confirmed for process 1964
2019-12-03 05:59:18,160 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1964
2019-12-03 05:59:18,160 [root] INFO: Terminate event set for process 1964.
2019-12-03 05:59:18,160 [root] INFO: Terminating process 1964 before shutdown.
2019-12-03 05:59:18,160 [root] INFO: Waiting for process 1964 to exit.
2019-12-03 05:59:19,174 [root] INFO: Shutting down package.
2019-12-03 05:59:19,174 [root] INFO: Stopping auxiliary modules.
2019-12-03 05:59:19,174 [root] INFO: Finishing auxiliary modules.
2019-12-03 05:59:19,174 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-12-03 05:59:19,174 [root] WARNING: File at path "C:\znaYDyRgc\debugger" does not exist, skip.
2019-12-03 05:59:19,174 [root] INFO: Analysis completed.

MalScore

1.3

Benign

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-12-03 05:55:35 2019-12-03 05:59:37

File Details

File Name 인적성검사_기출문제_(4pui96kkskvlna76gtr0j9awv541y78ng5zejso4cg6gz).js
File Size 1704 bytes
File Type ASCII text, with very long lines, with CRLF line terminators
MD5 96796be57daee4f98d13bfd6ef4dde8f
SHA1 430270c7d86a0d788802262740d627db0bed2b2c
SHA256 e6645e06de02a403ba67111ccfa743c281d8d1a183ea586ed8342c1b143149bf
SHA512 1b94df53bd824cea0b1c695a2557b24f3c1b3a9ea8c6ca55430262bc142b7300ee1e32744c56f5c04d81def6c99cb27b589059b3cf979c3e5a07872241afc8e9
CRC32 720475B7
Ssdeep 48:RL03Ju8WnMQiFxEDmxqgpTMpFfDoqCK/7MBkJ:W88rtymxqYITDRR/7MB6
TrID
  • Unknown!
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Attempts to connect to a dead IP:Port (1 unique times)
IP: 31.216.35.3:80 (Sweden)
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: winhttp.dll/WinHttpCheckPlatform
DynamicLoader: winhttp.dll/WinHttpOpen
DynamicLoader: winhttp.dll/WinHttpConnect
DynamicLoader: winhttp.dll/WinHttpOpenRequest
DynamicLoader: winhttp.dll/WinHttpCloseHandle
DynamicLoader: winhttp.dll/WinHttpSendRequest
DynamicLoader: winhttp.dll/WinHttpReceiveResponse
DynamicLoader: winhttp.dll/WinHttpAddRequestHeaders
DynamicLoader: winhttp.dll/WinHttpQueryHeaders
DynamicLoader: winhttp.dll/WinHttpReadData
DynamicLoader: winhttp.dll/WinHttpWriteData
DynamicLoader: winhttp.dll/WinHttpQueryDataAvailable
DynamicLoader: winhttp.dll/WinHttpQueryOption
DynamicLoader: winhttp.dll/WinHttpSetOption
DynamicLoader: winhttp.dll/WinHttpSetTimeouts
DynamicLoader: winhttp.dll/WinHttpCrackUrl
DynamicLoader: winhttp.dll/WinHttpCreateUrl
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WS2_32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
Performs some HTTP requests
url: http://magnawood.byggwebben.se/main.php?resygeqslfwuj=15431207683698733

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 31.216.35.3 [VT] Sweden

DNS

Name Response Post-Analysis Lookup
magnawood.byggwebben.se [VT] A 31.216.35.3 [VT]

Summary

C:\Users\user\AppData\Local\Temp\Eedut.js
C:\Users\user\AppData\Local\Temp
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp\XG56133.tmp
C:\Windows\System32\tzres.dll
C:\Users\user\AppData\Local\Temp\Eedut.js
C:\Windows\System32\tzres.dll
C:\Users\user\AppData\Local\Temp\XG56133.tmp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AcceptLanguage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AcceptLanguage
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
winhttp.dll.WinHttpCheckPlatform
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpCloseHandle
winhttp.dll.WinHttpSendRequest
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpAddRequestHeaders
winhttp.dll.WinHttpQueryHeaders
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpWriteData
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpQueryOption
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpCrackUrl
winhttp.dll.WinHttpCreateUrl
oleaut32.dll.#8
oleaut32.dll.#12
shlwapi.dll.StrRChrA
shlwapi.dll.StrCmpNW
oleaut32.dll.#4
oleaut32.dll.#6
kernel32.dll.RegQueryValueExW
oleaut32.dll.#2
kernel32.dll.RegCloseKey
oleaut32.dll.#9
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
ws2_32.dll.#22
ole32.dll.CreateStreamOnHGlobal

Process Tree

  • wscript.exe 1964 "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\Eedut.js"

wscript.exe, PID: 1964, Parent PID: 2480
Full Path: C:\Windows\SysWOW64\wscript.exe
Command Line: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\Eedut.js"

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
N 31.216.35.3 [VT] Sweden

TCP

Source Source Port Destination Destination Port
192.168.35.21 49165 31.216.35.3 magnawood.byggwebben.se 80

UDP

Source Source Port Destination Destination Port
192.168.35.21 58094 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
magnawood.byggwebben.se [VT] A 31.216.35.3 [VT]

HTTP Requests

URI Data
http://magnawood.byggwebben.se/main.php?resygeqslfwuj=15431207683698733
GET /main.php?resygeqslfwuj=15431207683698733 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: magnawood.byggwebben.se

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name XG56133.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\XG56133.tmp
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Process Name wscript.exe
PID 1964
Dump Size 136704 bytes
Module Path C:\Windows\SysWOW64\wscript.exe
Type PE image: 32-bit executable
MD5 4ac4af1decbd21180b2f35d9d3329754
SHA1 427979f783b689d0fe69ca65b3263e5baee17353
SHA256 f3c28df2ea0bcca1da933cf36e247261e9f14961b130f149b0da6dd88dd78886
CRC32 D7175FFF
Ssdeep 3072:KBa+8SKbeuAhTUI9paZxSld/3eM2H6X6Y+sm/CDku+r5Txt:K8+8SMoHAj+2aX6Nsm/NT
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename f3c28df2ea0bcca1da933cf36e247261e9f14961b130f149b0da6dd88dd78886


Processing ( 0.639 seconds )

  • 0.235 CAPE
  • 0.195 ProcDump
  • 0.101 TrID
  • 0.038 Deduplicate
  • 0.025 BehaviorAnalysis
  • 0.015 TargetInfo
  • 0.013 NetworkAnalysis
  • 0.009 Strings
  • 0.006 AnalysisInfo
  • 0.001 Debug
  • 0.001 Static

Signatures ( 0.062 seconds )

  • 0.008 antiav_detectreg
  • 0.008 ransomware_files
  • 0.005 persistence_autorun
  • 0.004 infostealer_ftp
  • 0.003 antianalysis_detectreg
  • 0.003 antiav_detectfile
  • 0.003 ransomware_extensions
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 cerber_behavior
  • 0.002 antianalysis_detectfile
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 NewtWire Behavior
  • 0.001 network_anomaly
  • 0.001 api_spamming
  • 0.001 betabot_behavior
  • 0.001 decoy_document
  • 0.001 stealth_timeout
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name
  • 0.001 network_torgateway

Reporting ( 0.0 seconds )

Task ID 115351
Mongo ID 5de5f9cc38b1e1182f3b162e
Cuckoo release 1.3-CAPE