Analysis

Category FILE
Package js
Started 2019-12-03 05:54:59
Completed 2019-12-03 05:59:08
Duration 249 seconds
Options
route = internet
procdump = 1
Log
2019-12-03 05:55:03,000 [root] INFO: Date set to: 12-03-19, time set to: 05:55:03, timeout set to: 200
2019-12-03 05:55:03,326 [root] DEBUG: Starting analyzer from: C:\tqqzvrwdk
2019-12-03 05:55:03,326 [root] DEBUG: Storing results at: C:\oyvYbj
2019-12-03 05:55:03,342 [root] DEBUG: Pipe server name: \\.\PIPE\wTEapLf
2019-12-03 05:55:03,342 [root] INFO: Analysis package "js" has been specified.
2019-12-03 05:55:12,016 [root] DEBUG: Started auxiliary module Browser
2019-12-03 05:55:12,016 [root] DEBUG: Started auxiliary module Curtain
2019-12-03 05:55:12,016 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-12-03 05:55:16,509 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-12-03 05:55:16,509 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-12-03 05:55:16,509 [root] DEBUG: Started auxiliary module DigiSig
2019-12-03 05:55:16,509 [root] DEBUG: Started auxiliary module Disguise
2019-12-03 05:55:16,509 [root] DEBUG: Started auxiliary module Human
2019-12-03 05:55:16,509 [root] DEBUG: Started auxiliary module Screenshots
2019-12-03 05:55:16,509 [root] DEBUG: Started auxiliary module Sysmon
2019-12-03 05:55:16,509 [root] DEBUG: Started auxiliary module Usage
2019-12-03 05:55:16,509 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL option
2019-12-03 05:55:16,509 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL_64 option
2019-12-03 05:55:17,180 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\wscript.exe" with arguments ""C:\Users\user\AppData\Local\Temp\5qIVJ.js"" with pid 1844
2019-12-03 05:55:17,226 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:55:17,226 [lib.api.process] INFO: 32-bit DLL to inject is C:\tqqzvrwdk\dll\HTtlRS.dll, loader C:\tqqzvrwdk\bin\pYSefck.exe
2019-12-03 05:55:17,273 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\wTEapLf.
2019-12-03 05:55:17,273 [root] DEBUG: Loader: Injecting process 1844 (thread 716) with C:\tqqzvrwdk\dll\HTtlRS.dll.
2019-12-03 05:55:17,273 [root] DEBUG: Process image base: 0x00130000
2019-12-03 05:55:17,273 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\tqqzvrwdk\dll\HTtlRS.dll.
2019-12-03 05:55:17,273 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00156000 - 0x00280000
2019-12-03 05:55:17,273 [root] DEBUG: InjectDllViaIAT: Allocated 0x1dc bytes for new import table at 0x00160000.
2019-12-03 05:55:17,273 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:55:17,273 [root] DEBUG: Successfully injected DLL C:\tqqzvrwdk\dll\HTtlRS.dll.
2019-12-03 05:55:17,273 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1844
2019-12-03 05:55:19,286 [lib.api.process] INFO: Successfully resumed process with pid 1844
2019-12-03 05:55:19,286 [root] INFO: Added new process to list with pid: 1844
2019-12-03 05:55:19,519 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:55:19,519 [root] DEBUG: Process dumps enabled.
2019-12-03 05:55:19,707 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:19,707 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:55:19,707 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:19,707 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:19,707 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:19,707 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1844 at 0x74ed0000, image base 0x130000, stack from 0x416000-0x420000
2019-12-03 05:55:19,707 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\5qIVJ.js".
2019-12-03 05:55:19,707 [root] INFO: Monitor successfully loaded in process with pid 1844.
2019-12-03 05:55:19,723 [root] DEBUG: DLL unloaded from 0x76C90000.
2019-12-03 05:55:19,723 [root] DEBUG: DLL unloaded from 0x00130000.
2019-12-03 05:55:19,723 [root] DEBUG: DLL loaded at 0x74E60000: C:\Windows\SysWOW64\SXS (0x5f000 bytes).
2019-12-03 05:55:19,894 [root] DEBUG: DLL loaded at 0x77090000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-12-03 05:55:20,160 [root] DEBUG: DLL loaded at 0x74DA0000: C:\Windows\SysWOW64\jscript (0xb2000 bytes).
2019-12-03 05:55:20,283 [root] DEBUG: DLL loaded at 0x77220000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2019-12-03 05:55:20,283 [root] DEBUG: DLL loaded at 0x75820000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-12-03 05:55:20,283 [root] DEBUG: DLL loaded at 0x76C80000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-12-03 05:55:20,283 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-12-03 05:55:20,283 [root] DEBUG: DLL loaded at 0x755B0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:55:20,283 [root] DEBUG: DLL loaded at 0x74D90000: C:\Windows\SysWOW64\MSISIP (0x8000 bytes).
2019-12-03 05:55:20,283 [root] DEBUG: DLL unloaded from 0x76EC0000.
2019-12-03 05:55:20,283 [root] DEBUG: DLL loaded at 0x74D70000: C:\Windows\SysWOW64\wshext (0x16000 bytes).
2019-12-03 05:55:20,283 [root] DEBUG: DLL loaded at 0x74FC0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2019-12-03 05:55:20,299 [root] DEBUG: DLL loaded at 0x759C0000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-12-03 05:55:20,517 [root] DEBUG: DLL loaded at 0x74D40000: C:\Windows\SysWOW64\scrobj (0x2d000 bytes).
2019-12-03 05:55:20,565 [root] DEBUG: DLL unloaded from 0x77570000.
2019-12-03 05:55:20,565 [root] DEBUG: DLL loaded at 0x74D20000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2019-12-03 05:55:20,674 [root] DEBUG: DLL loaded at 0x74CF0000: C:\Windows\SysWOW64\scrrun (0x2a000 bytes).
2019-12-03 05:55:40,595 [root] DEBUG: DLL unloaded from 0x76EC0000.
2019-12-03 05:55:50,579 [root] DEBUG: DLL unloaded from 0x74D90000.
2019-12-03 05:55:50,579 [root] DEBUG: DLL unloaded from 0x74D70000.
2019-12-03 05:55:50,579 [root] DEBUG: DLL unloaded from 0x75820000.
2019-12-03 05:58:12,289 [root] DEBUG: DLL loaded at 0x74BB0000: C:\Windows\System32\msxml3 (0x133000 bytes).
2019-12-03 05:58:12,336 [root] DEBUG: DLL loaded at 0x75090000: C:\Windows\SysWOW64\winhttp (0x58000 bytes).
2019-12-03 05:58:12,336 [root] DEBUG: DLL loaded at 0x74B60000: C:\Windows\SysWOW64\webio (0x4f000 bytes).
2019-12-03 05:58:12,352 [root] DEBUG: DLL loaded at 0x774A0000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-12-03 05:58:12,352 [root] DEBUG: DLL loaded at 0x77020000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-12-03 05:58:12,352 [root] DEBUG: DLL unloaded from 0x76C90000.
2019-12-03 05:58:12,368 [root] DEBUG: DLL loaded at 0x75080000: C:\Windows\SysWOW64\credssp (0x8000 bytes).
2019-12-03 05:58:12,368 [root] DEBUG: DLL unloaded from 0x755F0000.
2019-12-03 05:58:12,368 [root] DEBUG: DLL loaded at 0x75570000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-12-03 05:58:12,368 [root] DEBUG: DLL loaded at 0x75560000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-12-03 05:58:12,368 [root] DEBUG: DLL loaded at 0x75070000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-12-03 05:58:12,430 [root] DEBUG: DLL loaded at 0x74D70000: C:\Windows\system32\mlang (0x2e000 bytes).
2019-12-03 05:58:12,430 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\SysWOW64\DNSAPI (0x44000 bytes).
2019-12-03 05:58:12,446 [root] DEBUG: DLL loaded at 0x75050000: C:\Windows\SysWOW64\IPHLPAPI (0x1c000 bytes).
2019-12-03 05:58:12,446 [root] DEBUG: DLL loaded at 0x74B50000: C:\Windows\SysWOW64\WINNSI (0x7000 bytes).
2019-12-03 05:58:12,461 [root] DEBUG: DLL loaded at 0x74B40000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2019-12-03 05:58:12,835 [root] DEBUG: DLL loaded at 0x74B00000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-12-03 05:58:40,276 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-12-03 05:58:40,276 [root] INFO: Created shutdown mutex.
2019-12-03 05:58:41,290 [lib.api.process] INFO: Terminate event set for process 1844
2019-12-03 05:58:41,290 [root] DEBUG: Terminate Event: Attempting to dump process 1844
2019-12-03 05:58:41,290 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00130000.
2019-12-03 05:58:41,290 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:58:41,290 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00130000.
2019-12-03 05:58:41,290 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002F3B.
2019-12-03 05:58:41,305 [root] INFO: Added new CAPE file to list with path: C:\oyvYbj\CAPE\1844_8159923564158532122019
2019-12-03 05:58:41,305 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x21600.
2019-12-03 05:58:41,305 [lib.api.process] INFO: Termination confirmed for process 1844
2019-12-03 05:58:41,305 [root] INFO: Terminate event set for process 1844.
2019-12-03 05:58:41,322 [root] INFO: Terminating process 1844 before shutdown.
2019-12-03 05:58:41,322 [root] INFO: Waiting for process 1844 to exit.
2019-12-03 05:58:41,322 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 1844
2019-12-03 05:58:42,335 [root] INFO: Shutting down package.
2019-12-03 05:58:42,335 [root] INFO: Stopping auxiliary modules.
2019-12-03 05:58:42,335 [root] INFO: Finishing auxiliary modules.
2019-12-03 05:58:42,351 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-12-03 05:58:42,351 [root] WARNING: File at path "C:\oyvYbj\debugger" does not exist, skip.
2019-12-03 05:58:42,351 [root] INFO: Analysis completed.

MalScore

1.3

Benign

Machine

Name target-04
Label target-04
Manager ESX
Started On 2019-12-03 05:54:59
Shutdown On 2019-12-03 05:59:08

File Details

File Name 인적성검사_기출문제_(4pui96kkskvlna76gtr0j9awv541y78ng5zejso4cg6gz).js
File Size 1704 bytes
File Type ASCII text, with very long lines, with CRLF line terminators
MD5 96796be57daee4f98d13bfd6ef4dde8f
SHA1 430270c7d86a0d788802262740d627db0bed2b2c
SHA256 e6645e06de02a403ba67111ccfa743c281d8d1a183ea586ed8342c1b143149bf
SHA512 1b94df53bd824cea0b1c695a2557b24f3c1b3a9ea8c6ca55430262bc142b7300ee1e32744c56f5c04d81def6c99cb27b589059b3cf979c3e5a07872241afc8e9
CRC32 720475B7
Ssdeep 48:RL03Ju8WnMQiFxEDmxqgpTMpFfDoqCK/7MBkJ:W88rtymxqYITDRR/7MB6
TrID
  • Unknown!
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Attempts to connect to a dead IP:Port (1 unique times)
IP: 31.216.35.3:80 (Sweden)
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: winhttp.dll/WinHttpCheckPlatform
DynamicLoader: winhttp.dll/WinHttpOpen
DynamicLoader: winhttp.dll/WinHttpConnect
DynamicLoader: winhttp.dll/WinHttpOpenRequest
DynamicLoader: winhttp.dll/WinHttpCloseHandle
DynamicLoader: winhttp.dll/WinHttpSendRequest
DynamicLoader: winhttp.dll/WinHttpReceiveResponse
DynamicLoader: winhttp.dll/WinHttpAddRequestHeaders
DynamicLoader: winhttp.dll/WinHttpQueryHeaders
DynamicLoader: winhttp.dll/WinHttpReadData
DynamicLoader: winhttp.dll/WinHttpWriteData
DynamicLoader: winhttp.dll/WinHttpQueryDataAvailable
DynamicLoader: winhttp.dll/WinHttpQueryOption
DynamicLoader: winhttp.dll/WinHttpSetOption
DynamicLoader: winhttp.dll/WinHttpSetTimeouts
DynamicLoader: winhttp.dll/WinHttpCrackUrl
DynamicLoader: winhttp.dll/WinHttpCreateUrl
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WS2_32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
Performs some HTTP requests
url: http://magnawood.byggwebben.se/main.php?resygeqslfwuj=020051459768276825

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 United States
N 31.216.35.3 Sweden

DNS

Name Response Post-Analysis Lookup
magnawood.byggwebben.se A 31.216.35.3

Summary

C:\Users\user\AppData\Local\Temp\5qIVJ.js
C:\Users\user\AppData\Local\Temp
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp\XG56133.tmp
C:\Windows\System32\tzres.dll
C:\Users\user\AppData\Local\Temp\5qIVJ.js
C:\Windows\System32\tzres.dll
C:\Users\user\AppData\Local\Temp\XG56133.tmp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AcceptLanguage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AcceptLanguage
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
winhttp.dll.WinHttpCheckPlatform
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpCloseHandle
winhttp.dll.WinHttpSendRequest
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpAddRequestHeaders
winhttp.dll.WinHttpQueryHeaders
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpWriteData
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpQueryOption
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpCrackUrl
winhttp.dll.WinHttpCreateUrl
oleaut32.dll.#8
oleaut32.dll.#12
shlwapi.dll.StrRChrA
shlwapi.dll.StrCmpNW
oleaut32.dll.#4
oleaut32.dll.#6
kernel32.dll.RegQueryValueExW
oleaut32.dll.#2
kernel32.dll.RegCloseKey
oleaut32.dll.#9
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
ws2_32.dll.#22
ole32.dll.CreateStreamOnHGlobal

Process Tree

  • wscript.exe 1844 "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\5qIVJ.js"

wscript.exe, PID: 1844, Parent PID: 1512
Full Path: C:\Windows\SysWOW64\wscript.exe
Command Line: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\5qIVJ.js"

Hosts

Direct IP Country Name
Y 8.8.8.8 United States
N 31.216.35.3 Sweden

TCP

Source Source Port Destination Destination Port
192.168.35.24 49165 31.216.35.3 magnawood.byggwebben.se 80

UDP

Source Source Port Destination Destination Port
192.168.35.24 64144 8.8.8.8 53

DNS

Name Response Post-Analysis Lookup
magnawood.byggwebben.se A 31.216.35.3

HTTP Requests

URI Data
http://magnawood.byggwebben.se/main.php?resygeqslfwuj=020051459768276825
GET /main.php?resygeqslfwuj=020051459768276825 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: magnawood.byggwebben.se

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name XG56133.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\XG56133.tmp
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Process Name wscript.exe
PID 1844
Dump Size 136704 bytes
Module Path C:\Windows\SysWOW64\wscript.exe
Type PE image: 32-bit executable
MD5 2c5f02e1471961afb53b5889a5ecf415
SHA1 10c5ab0d4ab0fd940cbc8a096f3454601c7ab047
SHA256 ee14d072e80fb4a80a0c19378ec0455f7dc121a8a27e7d73680e4981db7d75b6
CRC32 7FAB664E
Ssdeep 3072:Nzhy+syMzXAhTU4NLTBSRDdCt1nvWMWfylNNusm/CDkupr5Txt:Nz0+sysQ3IZdGWqlNQsmMNT
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename ee14d072e80fb4a80a0c19378ec0455f7dc121a8a27e7d73680e4981db7d75b6


Processing ( 0.593 seconds )

  • 0.194 CAPE
  • 0.172 ProcDump
  • 0.105 TrID
  • 0.035 Deduplicate
  • 0.032 TargetInfo
  • 0.026 BehaviorAnalysis
  • 0.011 NetworkAnalysis
  • 0.01 Strings
  • 0.006 AnalysisInfo
  • 0.001 Debug
  • 0.001 Static

Signatures ( 0.097 seconds )

  • 0.014 ransomware_files
  • 0.012 antiav_detectreg
  • 0.006 infostealer_ftp
  • 0.006 ransomware_extensions
  • 0.005 persistence_autorun
  • 0.005 antianalysis_detectfile
  • 0.004 antiav_detectfile
  • 0.004 infostealer_im
  • 0.003 antianalysis_detectreg
  • 0.003 disables_browser_warn
  • 0.003 infostealer_bitcoin
  • 0.003 infostealer_mail
  • 0.002 tinba_behavior
  • 0.002 rat_nanocore
  • 0.002 antivm_vbox_files
  • 0.002 browser_security
  • 0.002 masquerade_process_name
  • 0.002 network_torgateway
  • 0.001 persistence_bootexecute
  • 0.001 NewtWire Behavior
  • 0.001 api_spamming
  • 0.001 betabot_behavior
  • 0.001 kazybot_behavior
  • 0.001 kibex_behavior
  • 0.001 ursnif_behavior
  • 0.001 decoy_document
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 antivm_vbox_keys
  • 0.001 antivm_vmware_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 modify_proxy
  • 0.001 disables_app_launch

Reporting ( 0.0 seconds )

Task ID 115354
Mongo ID 5de5f9ae38b1e1182f3b1628
Cuckoo release 1.3-CAPE