Analysis

Category Package Started Completed Duration
FILE js 2019-12-03 05:54:57 2019-12-03 05:59:42 285 seconds

Options

route = internet
procdump = 1

Log

2019-12-03 05:54:58,000 [root] INFO: Date set to: 12-03-19, time set to: 05:54:58, timeout set to: 200
2019-12-03 05:54:58,030 [root] DEBUG: Starting analyzer from: C:\jivmqc
2019-12-03 05:54:58,030 [root] DEBUG: Storing results at: C:\cNfXeU
2019-12-03 05:54:58,030 [root] DEBUG: Pipe server name: \\.\PIPE\RjvbRczRvm
2019-12-03 05:54:58,030 [root] INFO: Analysis package "js" has been specified.
2019-12-03 05:54:58,529 [root] DEBUG: Started auxiliary module Browser
2019-12-03 05:54:58,529 [root] DEBUG: Started auxiliary module Curtain
2019-12-03 05:54:58,529 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-12-03 05:54:59,045 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-12-03 05:54:59,045 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-12-03 05:54:59,045 [root] DEBUG: Started auxiliary module DigiSig
2019-12-03 05:54:59,045 [root] DEBUG: Started auxiliary module Disguise
2019-12-03 05:54:59,045 [root] DEBUG: Started auxiliary module Human
2019-12-03 05:54:59,045 [root] DEBUG: Started auxiliary module Screenshots
2019-12-03 05:54:59,045 [root] DEBUG: Started auxiliary module Sysmon
2019-12-03 05:54:59,045 [root] DEBUG: Started auxiliary module Usage
2019-12-03 05:54:59,045 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL option
2019-12-03 05:54:59,045 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL_64 option
2019-12-03 05:54:59,092 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\wscript.exe" with arguments ""C:\Users\user\AppData\Local\Temp\oU6RT5ItMLupWpB.js"" with pid 2896
2019-12-03 05:54:59,122 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:54:59,122 [lib.api.process] INFO: 32-bit DLL to inject is C:\jivmqc\dll\guHIGP.dll, loader C:\jivmqc\bin\wcVvdWZ.exe
2019-12-03 05:54:59,138 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\RjvbRczRvm.
2019-12-03 05:54:59,138 [root] DEBUG: Loader: Injecting process 2896 (thread 1480) with C:\jivmqc\dll\guHIGP.dll.
2019-12-03 05:54:59,138 [root] DEBUG: Process image base: 0x006C0000
2019-12-03 05:54:59,138 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\jivmqc\dll\guHIGP.dll.
2019-12-03 05:54:59,154 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x006E6000 - 0x77380000
2019-12-03 05:54:59,154 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x006F0000.
2019-12-03 05:54:59,154 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:54:59,154 [root] DEBUG: Successfully injected DLL C:\jivmqc\dll\guHIGP.dll.
2019-12-03 05:54:59,154 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2896
2019-12-03 05:55:01,259 [lib.api.process] INFO: Successfully resumed process with pid 2896
2019-12-03 05:55:01,276 [root] INFO: Added new process to list with pid: 2896
2019-12-03 05:55:01,290 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:55:01,290 [root] DEBUG: Process dumps enabled.
2019-12-03 05:55:01,384 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:55:01,384 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:01,384 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:01,384 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:01,384 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:01,384 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2896 at 0x747a0000, image base 0x6c0000, stack from 0x3c6000-0x3d0000
2019-12-03 05:55:01,384 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\oU6RT5ItMLupWpB.js".
2019-12-03 05:55:01,384 [root] INFO: Monitor successfully loaded in process with pid 2896.
2019-12-03 05:55:01,400 [root] DEBUG: DLL unloaded from 0x77050000.
2019-12-03 05:55:01,400 [root] DEBUG: DLL unloaded from 0x006C0000.
2019-12-03 05:55:01,400 [root] DEBUG: DLL loaded at 0x74B30000: C:\Windows\SysWOW64\SXS (0x5f000 bytes).
2019-12-03 05:55:01,447 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-12-03 05:55:01,588 [root] DEBUG: DLL loaded at 0x746E0000: C:\Windows\SysWOW64\jscript (0xb2000 bytes).
2019-12-03 05:55:01,588 [root] DEBUG: DLL loaded at 0x76DD0000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2019-12-03 05:55:01,588 [root] DEBUG: DLL loaded at 0x76790000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-12-03 05:55:01,588 [root] DEBUG: DLL loaded at 0x768B0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-12-03 05:55:01,602 [root] DEBUG: DLL loaded at 0x74F80000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-12-03 05:55:01,602 [root] DEBUG: DLL loaded at 0x74F40000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:55:01,602 [root] DEBUG: DLL loaded at 0x74B20000: C:\Windows\SysWOW64\MSISIP (0x8000 bytes).
2019-12-03 05:55:01,602 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-12-03 05:55:01,602 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\SysWOW64\wshext (0x16000 bytes).
2019-12-03 05:55:01,602 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2019-12-03 05:55:01,618 [root] DEBUG: DLL loaded at 0x75B20000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-12-03 05:55:01,634 [root] DEBUG: DLL loaded at 0x746B0000: C:\Windows\SysWOW64\scrobj (0x2d000 bytes).
2019-12-03 05:55:01,634 [root] DEBUG: DLL unloaded from 0x75760000.
2019-12-03 05:55:01,650 [root] DEBUG: DLL loaded at 0x74AF0000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2019-12-03 05:55:01,665 [root] DEBUG: DLL loaded at 0x74680000: C:\Windows\SysWOW64\scrrun (0x2a000 bytes).
2019-12-03 05:55:21,680 [root] DEBUG: DLL unloaded from 0x76A70000.
2019-12-03 05:55:31,618 [root] DEBUG: DLL unloaded from 0x74B20000.
2019-12-03 05:55:31,618 [root] DEBUG: DLL unloaded from 0x74B00000.
2019-12-03 05:55:31,618 [root] DEBUG: DLL unloaded from 0x76790000.
2019-12-03 05:57:56,479 [root] DEBUG: DLL loaded at 0x74540000: C:\Windows\System32\msxml3 (0x133000 bytes).
2019-12-03 05:57:56,838 [root] DEBUG: DLL loaded at 0x74D40000: C:\Windows\SysWOW64\winhttp (0x58000 bytes).
2019-12-03 05:57:56,838 [root] DEBUG: DLL loaded at 0x744F0000: C:\Windows\SysWOW64\webio (0x4f000 bytes).
2019-12-03 05:57:56,915 [root] DEBUG: DLL loaded at 0x752D0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-12-03 05:57:56,915 [root] DEBUG: DLL loaded at 0x75850000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-12-03 05:57:56,915 [root] DEBUG: DLL unloaded from 0x77050000.
2019-12-03 05:57:56,915 [root] DEBUG: DLL loaded at 0x74D30000: C:\Windows\SysWOW64\credssp (0x8000 bytes).
2019-12-03 05:57:56,915 [root] DEBUG: DLL unloaded from 0x74F80000.
2019-12-03 05:57:56,915 [root] DEBUG: DLL loaded at 0x74F00000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-12-03 05:57:56,931 [root] DEBUG: DLL loaded at 0x74EF0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-12-03 05:57:56,931 [root] DEBUG: DLL loaded at 0x74D20000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-12-03 05:57:57,040 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\system32\mlang (0x2e000 bytes).
2019-12-03 05:57:57,102 [root] DEBUG: DLL loaded at 0x74DB0000: C:\Windows\SysWOW64\DNSAPI (0x44000 bytes).
2019-12-03 05:57:57,118 [root] DEBUG: DLL loaded at 0x74D00000: C:\Windows\SysWOW64\IPHLPAPI (0x1c000 bytes).
2019-12-03 05:57:57,134 [root] DEBUG: DLL loaded at 0x744E0000: C:\Windows\SysWOW64\WINNSI (0x7000 bytes).
2019-12-03 05:57:57,150 [root] DEBUG: DLL loaded at 0x744D0000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2019-12-03 05:57:57,447 [root] DEBUG: DLL loaded at 0x74490000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-12-03 05:58:21,345 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-12-03 05:58:21,345 [root] INFO: Created shutdown mutex.
2019-12-03 05:58:22,359 [lib.api.process] INFO: Terminate event set for process 2896
2019-12-03 05:58:22,359 [root] DEBUG: Terminate Event: Attempting to dump process 2896
2019-12-03 05:58:22,359 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x006C0000.
2019-12-03 05:58:22,359 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:58:22,359 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x006C0000.
2019-12-03 05:58:22,359 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002F3B.
2019-12-03 05:58:22,359 [root] INFO: Added new CAPE file to list with path: C:\cNfXeU\CAPE\2896_8217061362258532122019
2019-12-03 05:58:22,359 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x21600.
2019-12-03 05:58:22,359 [lib.api.process] INFO: Termination confirmed for process 2896
2019-12-03 05:58:22,359 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2896
2019-12-03 05:58:22,359 [root] INFO: Terminate event set for process 2896.
2019-12-03 05:58:22,359 [root] INFO: Terminating process 2896 before shutdown.
2019-12-03 05:58:22,359 [root] INFO: Waiting for process 2896 to exit.
2019-12-03 05:58:23,374 [root] INFO: Shutting down package.
2019-12-03 05:58:23,374 [root] INFO: Stopping auxiliary modules.
2019-12-03 05:58:23,374 [root] INFO: Finishing auxiliary modules.
2019-12-03 05:58:23,374 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-12-03 05:58:23,374 [root] WARNING: File at path "C:\cNfXeU\debugger" does not exist, skip.
2019-12-03 05:58:23,374 [root] INFO: Analysis completed.

MalScore

1.3

Benign

Machine

Name Label Manager Started On Shutdown On
target-02 target-02 ESX 2019-12-03 05:54:57 2019-12-03 05:59:42

File Details

File Name 인적성검사_기출문제_(4pui96kkskvlna76gtr0j9awv541y78ng5zejso4cg6gz).js
File Size 1704 bytes
File Type ASCII text, with very long lines, with CRLF line terminators
MD5 96796be57daee4f98d13bfd6ef4dde8f
SHA1 430270c7d86a0d788802262740d627db0bed2b2c
SHA256 e6645e06de02a403ba67111ccfa743c281d8d1a183ea586ed8342c1b143149bf
SHA512 1b94df53bd824cea0b1c695a2557b24f3c1b3a9ea8c6ca55430262bc142b7300ee1e32744c56f5c04d81def6c99cb27b589059b3cf979c3e5a07872241afc8e9
CRC32 720475B7
Ssdeep 48:RL03Ju8WnMQiFxEDmxqgpTMpFfDoqCK/7MBkJ:W88rtymxqYITDRR/7MB6
TrID
  • Unknown!
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Attempts to connect to a dead IP:Port (1 unique times)
IP: 31.216.35.3:80 (Sweden)
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: winhttp.dll/WinHttpCheckPlatform
DynamicLoader: winhttp.dll/WinHttpOpen
DynamicLoader: winhttp.dll/WinHttpConnect
DynamicLoader: winhttp.dll/WinHttpOpenRequest
DynamicLoader: winhttp.dll/WinHttpCloseHandle
DynamicLoader: winhttp.dll/WinHttpSendRequest
DynamicLoader: winhttp.dll/WinHttpReceiveResponse
DynamicLoader: winhttp.dll/WinHttpAddRequestHeaders
DynamicLoader: winhttp.dll/WinHttpQueryHeaders
DynamicLoader: winhttp.dll/WinHttpReadData
DynamicLoader: winhttp.dll/WinHttpWriteData
DynamicLoader: winhttp.dll/WinHttpQueryDataAvailable
DynamicLoader: winhttp.dll/WinHttpQueryOption
DynamicLoader: winhttp.dll/WinHttpSetOption
DynamicLoader: winhttp.dll/WinHttpSetTimeouts
DynamicLoader: winhttp.dll/WinHttpCrackUrl
DynamicLoader: winhttp.dll/WinHttpCreateUrl
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WS2_32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
Performs some HTTP requests
url: http://magnawood.byggwebben.se/main.php?resygeqslfwuj=8324207939092247

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
N 31.216.35.3 Sweden

DNS

Name Response Post-Analysis Lookup
magnawood.byggwebben.se A 31.216.35.3

Summary

C:\Users\user\AppData\Local\Temp\oU6RT5ItMLupWpB.js
C:\Users\user\AppData\Local\Temp
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp\XG56133.tmp
C:\Windows\System32\tzres.dll
C:\Users\user\AppData\Local\Temp\oU6RT5ItMLupWpB.js
C:\Windows\System32\tzres.dll
C:\Users\user\AppData\Local\Temp\XG56133.tmp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AcceptLanguage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AcceptLanguage
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
winhttp.dll.WinHttpCheckPlatform
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpCloseHandle
winhttp.dll.WinHttpSendRequest
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpAddRequestHeaders
winhttp.dll.WinHttpQueryHeaders
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpWriteData
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpQueryOption
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpCrackUrl
winhttp.dll.WinHttpCreateUrl
oleaut32.dll.#8
oleaut32.dll.#12
shlwapi.dll.StrRChrA
shlwapi.dll.StrCmpNW
oleaut32.dll.#4
oleaut32.dll.#6
kernel32.dll.RegQueryValueExW
oleaut32.dll.#2
kernel32.dll.RegCloseKey
oleaut32.dll.#9
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
ws2_32.dll.#22
ole32.dll.CreateStreamOnHGlobal

Process Tree

  • wscript.exe 2896 "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\oU6RT5ItMLupWpB.js"

wscript.exe, PID: 2896, Parent PID: 1256
Full Path: C:\Windows\SysWOW64\wscript.exe
Command Line: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\oU6RT5ItMLupWpB.js"

TCP

Source Source Port Destination Destination Port
192.168.35.22 49164 31.216.35.3 (magnawood.byggwebben.se) 80

UDP

Source Source Port Destination Destination Port
192.168.35.22 58774 8.8.8.8 53

HTTP Requests

URI Data
http://magnawood.byggwebben.se/main.php?resygeqslfwuj=8324207939092247
GET /main.php?resygeqslfwuj=8324207939092247 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: magnawood.byggwebben.se

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Dropped Files

File name XG56133.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\XG56133.tmp
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
CAPE

No CAPE files.

Process Dumps

Process Name wscript.exe
PID 2896
Dump Size 136704 bytes
Module Path C:\Windows\SysWOW64\wscript.exe
Type PE image: 32-bit executable
MD5 3fc7be1b23312c41a25e91bc830b4b54
SHA1 21fb6d6a9407ef0496679e7d5c857f6970fa8965
SHA256 2c4c4a6589dc5aacaa32ada5ce33f956c8bbb26c1ad31f5c243dc7d487fdc428
CRC32 0A4FC940
Ssdeep 3072:xflqEYAu3n0hTU4Vkzzshh54oWp218IgZ8EorgTrGsm/CDkuXr5Txt:x9qEYArnkvg5BEU2asmONT
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 2c4c4a6589dc5aacaa32ada5ce33f956c8bbb26c1ad31f5c243dc7d487fdc428

Processing ( 0.576 seconds )

  • 0.215 CAPE
  • 0.157 ProcDump
  • 0.094 TrID
  • 0.041 Deduplicate
  • 0.026 BehaviorAnalysis
  • 0.014 TargetInfo
  • 0.011 Strings
  • 0.01 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.002 Static
  • 0.001 Debug

Signatures ( 0.093 seconds )

  • 0.014 antiav_detectreg
  • 0.013 ransomware_files
  • 0.006 infostealer_ftp
  • 0.006 ransomware_extensions
  • 0.005 antiav_detectfile
  • 0.004 persistence_autorun
  • 0.003 antianalysis_detectreg
  • 0.003 browser_security
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_im
  • 0.003 infostealer_mail
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 antianalysis_detectfile
  • 0.002 antivm_vbox_files
  • 0.002 disables_browser_warn
  • 0.002 masquerade_process_name
  • 0.002 network_torgateway
  • 0.001 NewtWire Behavior
  • 0.001 api_spamming
  • 0.001 betabot_behavior
  • 0.001 shifu_behavior
  • 0.001 decoy_document
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 modify_proxy
  • 0.001 modify_uac_prompt

Reporting ( 0.0 seconds )

Task ID 115352
Mongo ID 5de5f9d1a04cefe70a3b0a0a
Cuckoo release 1.3-CAPE