Analysis

Category: FILE
Package: js
Started: 2019-12-03 05:55:15
Completed: 2019-12-03 05:59:32
Duration: 257 seconds
Options:
route = internet
procdump = 1
2019-12-03 05:55:34,015 [root] INFO: Date set to: 12-03-19, time set to: 05:55:34, timeout set to: 200
2019-12-03 05:55:34,187 [root] DEBUG: Starting analyzer from: C:\efcjzlzc
2019-12-03 05:55:34,187 [root] DEBUG: Storing results at: C:\XnjvHCchwQ
2019-12-03 05:55:34,187 [root] DEBUG: Pipe server name: \\.\PIPE\qhIfum
2019-12-03 05:55:34,187 [root] INFO: Analysis package "js" has been specified.
2019-12-03 05:55:37,914 [root] DEBUG: Started auxiliary module Browser
2019-12-03 05:55:37,914 [root] DEBUG: Started auxiliary module Curtain
2019-12-03 05:55:37,914 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-12-03 05:55:41,019 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-12-03 05:55:41,019 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-12-03 05:55:41,019 [root] DEBUG: Started auxiliary module DigiSig
2019-12-03 05:55:41,019 [root] DEBUG: Started auxiliary module Disguise
2019-12-03 05:55:41,019 [root] DEBUG: Started auxiliary module Human
2019-12-03 05:55:41,035 [root] DEBUG: Started auxiliary module Screenshots
2019-12-03 05:55:41,035 [root] DEBUG: Started auxiliary module Sysmon
2019-12-03 05:55:41,035 [root] DEBUG: Started auxiliary module Usage
2019-12-03 05:55:41,035 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL option
2019-12-03 05:55:41,035 [root] INFO: Analyzer: Package modules.packages.js does not specify a DLL_64 option
2019-12-03 05:55:41,176 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\wscript.exe" with arguments ""C:\Users\user\AppData\Local\Temp\XaoNuMH8RPSe0S.js"" with pid 2372
2019-12-03 05:55:44,186 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-12-03 05:55:44,186 [lib.api.process] INFO: 32-bit DLL to inject is C:\efcjzlzc\dll\SSRvYk.dll, loader C:\efcjzlzc\bin\jpBTsKD.exe
2019-12-03 05:55:44,217 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\qhIfum.
2019-12-03 05:55:44,217 [root] DEBUG: Loader: Injecting process 2372 (thread 2164) with C:\efcjzlzc\dll\SSRvYk.dll.
2019-12-03 05:55:44,217 [root] DEBUG: Process image base: 0x00750000
2019-12-03 05:55:44,217 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\efcjzlzc\dll\SSRvYk.dll.
2019-12-03 05:55:44,233 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00776000 - 0x77940000
2019-12-03 05:55:44,233 [root] DEBUG: InjectDllViaIAT: Allocated 0x1d8 bytes for new import table at 0x00780000.
2019-12-03 05:55:44,233 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-12-03 05:55:44,233 [root] DEBUG: Successfully injected DLL C:\efcjzlzc\dll\SSRvYk.dll.
2019-12-03 05:55:44,233 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2372
2019-12-03 05:55:46,246 [lib.api.process] INFO: Successfully resumed process with pid 2372
2019-12-03 05:55:46,246 [root] INFO: Added new process to list with pid: 2372
2019-12-03 05:55:46,323 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-12-03 05:55:46,338 [root] DEBUG: Process dumps enabled.
2019-12-03 05:55:46,604 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-12-03 05:55:46,604 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:46,604 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:46,604 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:46,604 [root] INFO: Disabling sleep skipping.
2019-12-03 05:55:46,604 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2372 at 0x74ec0000, image base 0x750000, stack from 0x3c6000-0x3d0000
2019-12-03 05:55:46,619 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\XaoNuMH8RPSe0S.js".
2019-12-03 05:55:46,619 [root] INFO: Monitor successfully loaded in process with pid 2372.
2019-12-03 05:55:46,681 [root] DEBUG: DLL unloaded from 0x75B90000.
2019-12-03 05:55:46,681 [root] DEBUG: DLL unloaded from 0x00750000.
2019-12-03 05:55:46,713 [root] DEBUG: DLL loaded at 0x74E50000: C:\Windows\SysWOW64\SXS (0x5f000 bytes).
2019-12-03 05:55:48,742 [root] DEBUG: DLL loaded at 0x77160000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-12-03 05:55:51,160 [root] DEBUG: DLL loaded at 0x74D90000: C:\Windows\SysWOW64\jscript (0xb2000 bytes).
2019-12-03 05:55:51,206 [root] DEBUG: DLL loaded at 0x75AA0000: C:\Windows\syswow64\WINTRUST (0x2d000 bytes).
2019-12-03 05:55:51,206 [root] DEBUG: DLL loaded at 0x76F00000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-12-03 05:55:51,221 [root] DEBUG: DLL loaded at 0x77AF0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-12-03 05:55:51,221 [root] DEBUG: DLL loaded at 0x75630000: C:\Windows\SysWOW64\CRYPTSP (0x16000 bytes).
2019-12-03 05:55:51,237 [root] DEBUG: DLL loaded at 0x755F0000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-12-03 05:55:51,237 [root] DEBUG: DLL loaded at 0x74D80000: C:\Windows\SysWOW64\MSISIP (0x8000 bytes).
2019-12-03 05:55:51,237 [root] DEBUG: DLL unloaded from 0x77390000.
2019-12-03 05:55:51,237 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\SysWOW64\wshext (0x16000 bytes).
2019-12-03 05:55:51,237 [root] DEBUG: DLL loaded at 0x74FC0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2019-12-03 05:55:51,253 [root] DEBUG: DLL loaded at 0x75CA0000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-12-03 05:55:51,440 [root] DEBUG: DLL loaded at 0x74D30000: C:\Windows\SysWOW64\scrobj (0x2d000 bytes).
2019-12-03 05:55:51,549 [root] DEBUG: DLL unloaded from 0x77580000.
2019-12-03 05:55:51,565 [root] DEBUG: DLL loaded at 0x74D20000: C:\Windows\SysWOW64\RpcRtRemote (0xe000 bytes).
2019-12-03 05:55:51,628 [root] DEBUG: DLL loaded at 0x74CF0000: C:\Windows\SysWOW64\scrrun (0x2a000 bytes).
2019-12-03 05:56:11,595 [root] DEBUG: DLL unloaded from 0x77390000.
2019-12-03 05:56:21,267 [root] DEBUG: DLL unloaded from 0x74D80000.
2019-12-03 05:56:21,267 [root] DEBUG: DLL unloaded from 0x74D60000.
2019-12-03 05:56:21,267 [root] DEBUG: DLL unloaded from 0x76F00000.
2019-12-03 05:58:51,838 [root] DEBUG: DLL loaded at 0x74B10000: C:\Windows\System32\msxml3 (0x133000 bytes).
2019-12-03 05:58:52,026 [root] DEBUG: DLL loaded at 0x75090000: C:\Windows\SysWOW64\winhttp (0x58000 bytes).
2019-12-03 05:58:52,026 [root] DEBUG: DLL loaded at 0x74AC0000: C:\Windows\SysWOW64\webio (0x4f000 bytes).
2019-12-03 05:58:52,072 [root] DEBUG: DLL loaded at 0x75A60000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-12-03 05:58:52,072 [root] DEBUG: DLL loaded at 0x76EF0000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-12-03 05:58:52,072 [root] DEBUG: DLL unloaded from 0x75B90000.
2019-12-03 05:58:52,072 [root] DEBUG: DLL loaded at 0x75080000: C:\Windows\SysWOW64\credssp (0x8000 bytes).
2019-12-03 05:58:52,072 [root] DEBUG: DLL unloaded from 0x75630000.
2019-12-03 05:58:52,088 [root] DEBUG: DLL loaded at 0x755B0000: C:\Windows\system32\mswsock (0x3c000 bytes).
2019-12-03 05:58:52,088 [root] DEBUG: DLL loaded at 0x755A0000: C:\Windows\System32\wshtcpip (0x5000 bytes).
2019-12-03 05:58:52,088 [root] DEBUG: DLL loaded at 0x75070000: C:\Windows\System32\wship6 (0x6000 bytes).
2019-12-03 05:58:52,229 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\mlang (0x2e000 bytes).
2019-12-03 05:58:52,259 [root] DEBUG: DLL loaded at 0x75510000: C:\Windows\SysWOW64\DNSAPI (0x44000 bytes).
2019-12-03 05:58:52,259 [root] DEBUG: DLL loaded at 0x75050000: C:\Windows\SysWOW64\IPHLPAPI (0x1c000 bytes).
2019-12-03 05:58:52,259 [root] DEBUG: DLL loaded at 0x74AB0000: C:\Windows\SysWOW64\WINNSI (0x7000 bytes).
2019-12-03 05:58:52,259 [root] DEBUG: DLL loaded at 0x74AA0000: C:\Windows\SysWOW64\rasadhlp (0x6000 bytes).
2019-12-03 05:58:52,368 [root] DEBUG: DLL loaded at 0x74A60000: C:\Windows\System32\fwpuclnt (0x38000 bytes).
2019-12-03 05:59:07,111 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-12-03 05:59:07,111 [root] INFO: Created shutdown mutex.
2019-12-03 05:59:08,125 [lib.api.process] INFO: Terminate event set for process 2372
2019-12-03 05:59:08,125 [root] DEBUG: Terminate Event: Attempting to dump process 2372
2019-12-03 05:59:08,125 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00750000.
2019-12-03 05:59:08,125 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-12-03 05:59:08,125 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00750000.
2019-12-03 05:59:08,125 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002F3B.
2019-12-03 05:59:08,141 [root] INFO: Added new CAPE file to list with path: C:\XnjvHCchwQ\CAPE\2372_343202913859532122019
2019-12-03 05:59:08,141 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x21600.
2019-12-03 05:59:08,141 [lib.api.process] INFO: Termination confirmed for process 2372
2019-12-03 05:59:08,141 [root] DEBUG: Terminate Event: CAPE shutdown complete for process 2372
2019-12-03 05:59:08,141 [root] INFO: Terminate event set for process 2372.
2019-12-03 05:59:08,141 [root] INFO: Terminating process 2372 before shutdown.
2019-12-03 05:59:08,141 [root] INFO: Waiting for process 2372 to exit.
2019-12-03 05:59:09,154 [root] INFO: Shutting down package.
2019-12-03 05:59:09,154 [root] INFO: Stopping auxiliary modules.
2019-12-03 05:59:09,154 [root] INFO: Finishing auxiliary modules.
2019-12-03 05:59:09,154 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-12-03 05:59:09,154 [root] WARNING: File at path "C:\XnjvHCchwQ\debugger" does not exist, skip.
2019-12-03 05:59:09,154 [root] INFO: Analysis completed.

MalScore

1.3

Benign

Machine

Name Label Manager Started On Shutdown On
target-05 target-05 ESX 2019-12-03 05:55:15 2019-12-03 05:59:30

File Details

File Name 인적성검사_기출문제_(4pui96kkskvlna76gtr0j9awv541y78ng5zejso4cg6gz).js
File Size 1704 bytes
File Type ASCII text, with very long lines, with CRLF line terminators
MD5 96796be57daee4f98d13bfd6ef4dde8f
SHA1 430270c7d86a0d788802262740d627db0bed2b2c
SHA256 e6645e06de02a403ba67111ccfa743c281d8d1a183ea586ed8342c1b143149bf
SHA512 1b94df53bd824cea0b1c695a2557b24f3c1b3a9ea8c6ca55430262bc142b7300ee1e32744c56f5c04d81def6c99cb27b589059b3cf979c3e5a07872241afc8e9
CRC32 720475B7
Ssdeep 48:RL03Ju8WnMQiFxEDmxqgpTMpFfDoqCK/7MBkJ:W88rtymxqYITDRR/7MB6
TrID
  • Unknown!
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Attempts to connect to a dead IP:Port (1 unique times)
IP: 31.216.35.3:80 (Sweden)
Dynamic (imported) function loading detected
DynamicLoader: ADVAPI32.dll/SaferIdentifyLevel
DynamicLoader: ADVAPI32.dll/SaferComputeTokenFromLevel
DynamicLoader: ADVAPI32.dll/SaferCloseLevel
DynamicLoader: CRYPTSP.dll/CryptAcquireContextW
DynamicLoader: CRYPTSP.dll/CryptGenRandom
DynamicLoader: RpcRtRemote.dll/I_RpcExtInitializeExtensionPoint
DynamicLoader: winhttp.dll/WinHttpCheckPlatform
DynamicLoader: winhttp.dll/WinHttpOpen
DynamicLoader: winhttp.dll/WinHttpConnect
DynamicLoader: winhttp.dll/WinHttpOpenRequest
DynamicLoader: winhttp.dll/WinHttpCloseHandle
DynamicLoader: winhttp.dll/WinHttpSendRequest
DynamicLoader: winhttp.dll/WinHttpReceiveResponse
DynamicLoader: winhttp.dll/WinHttpAddRequestHeaders
DynamicLoader: winhttp.dll/WinHttpQueryHeaders
DynamicLoader: winhttp.dll/WinHttpReadData
DynamicLoader: winhttp.dll/WinHttpWriteData
DynamicLoader: winhttp.dll/WinHttpQueryDataAvailable
DynamicLoader: winhttp.dll/WinHttpQueryOption
DynamicLoader: winhttp.dll/WinHttpSetOption
DynamicLoader: winhttp.dll/WinHttpSetTimeouts
DynamicLoader: winhttp.dll/WinHttpCrackUrl
DynamicLoader: winhttp.dll/WinHttpCreateUrl
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: SHLWAPI.dll/StrRChrA
DynamicLoader: SHLWAPI.dll/StrCmpNW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegQueryValueExW
DynamicLoader: OLEAUT32.dll/
DynamicLoader: kernel32.dll/RegCloseKey
DynamicLoader: OLEAUT32.dll/
DynamicLoader: WS2_32.dll/GetAddrInfoW
DynamicLoader: WS2_32.dll/WSASocketW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSAIoctl
DynamicLoader: WS2_32.dll/FreeAddrInfoW
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/
DynamicLoader: WS2_32.dll/WSARecv
DynamicLoader: WS2_32.dll/WSASend
DynamicLoader: WS2_32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: ole32.dll/CreateStreamOnHGlobal
Performs some HTTP requests
url: http://magnawood.byggwebben.se/main.php?resygeqslfwuj=14794098894218016

Hosts

Direct  IP           Country Name
Y       8.8.8.8      United States
N       31.216.35.3  Sweden

DNS

Name                     Response       Post-Analysis Lookup
magnawood.byggwebben.se  A 31.216.35.3

Summary

C:\Users\user\AppData\Local\Temp\XaoNuMH8RPSe0S.js
C:\Users\user\AppData\Local\Temp
C:\Users
C:\Users\user
C:\Users\user\AppData
C:\Users\user\AppData\Local
C:\Users\user\AppData\Local\Temp\XG56133.tmp
C:\Windows\System32\tzres.dll
C:\Users\user\AppData\Local\Temp\XaoNuMH8RPSe0S.js
C:\Windows\System32\tzres.dll
C:\Users\user\AppData\Local\Temp\XG56133.tmp
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AcceptLanguage
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AcceptLanguage
advapi32.dll.SaferIdentifyLevel
advapi32.dll.SaferComputeTokenFromLevel
advapi32.dll.SaferCloseLevel
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
winhttp.dll.WinHttpCheckPlatform
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpCloseHandle
winhttp.dll.WinHttpSendRequest
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpAddRequestHeaders
winhttp.dll.WinHttpQueryHeaders
winhttp.dll.WinHttpReadData
winhttp.dll.WinHttpWriteData
winhttp.dll.WinHttpQueryDataAvailable
winhttp.dll.WinHttpQueryOption
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpCrackUrl
winhttp.dll.WinHttpCreateUrl
oleaut32.dll.#8
oleaut32.dll.#12
shlwapi.dll.StrRChrA
shlwapi.dll.StrCmpNW
oleaut32.dll.#4
oleaut32.dll.#6
kernel32.dll.RegQueryValueExW
oleaut32.dll.#2
kernel32.dll.RegCloseKey
oleaut32.dll.#9
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
ws2_32.dll.#22
ole32.dll.CreateStreamOnHGlobal

Process Tree

  • wscript.exe 2372 "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\XaoNuMH8RPSe0S.js"

wscript.exe, PID: 2372, Parent PID: 2060
Full Path: C:\Windows\SysWOW64\wscript.exe
Command Line: "C:\Windows\system32\wscript.exe" "C:\Users\user\AppData\Local\Temp\XaoNuMH8RPSe0S.js"

TCP

Source Source Port Destination Destination Port
192.168.35.25 49165 31.216.35.3 magnawood.byggwebben.se 80

UDP

Source Source Port Destination Destination Port
192.168.35.25 61391 8.8.8.8 53

HTTP Requests

URI Data
http://magnawood.byggwebben.se/main.php?resygeqslfwuj=14794098894218016
GET /main.php?resygeqslfwuj=14794098894218016 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: magnawood.byggwebben.se

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name XG56133.tmp
Associated Filenames
C:\Users\user\AppData\Local\Temp\XG56133.tmp
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Process Name wscript.exe
PID 2372
Dump Size 136704 bytes
Module Path C:\Windows\SysWOW64\wscript.exe
Type PE image: 32-bit executable
MD5 be812e57d282cdf8a42727f96eefd7a2
SHA1 95c8452cd3dc07a3f9bb50df316b9f93ae847dac
SHA256 be96c06d20fad9ada254be3d69ff5cfd5cc0c819c9f4cc270f940f04dd2721d7
CRC32 255B936D
Ssdeep 3072:/3tybBYiwWE90NTUwNtbI/c4mzrFtMcCtoJ9jqsm/CDkuTr5Txt:e2iwWEK7tcDoCGJYsmSNT
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename be96c06d20fad9ada254be3d69ff5cfd5cc0c819c9f4cc270f940f04dd2721d7

Processing ( 0.68 seconds )

  • 0.217 CAPE
  • 0.212 ProcDump
  • 0.128 TrID
  • 0.035 Deduplicate
  • 0.031 BehaviorAnalysis
  • 0.021 TargetInfo
  • 0.014 Strings
  • 0.012 NetworkAnalysis
  • 0.007 AnalysisInfo
  • 0.002 Static
  • 0.001 Debug

Signatures ( 0.096 seconds )

  • 0.017 ransomware_files
  • 0.016 antiav_detectreg
  • 0.007 ransomware_extensions
  • 0.006 antiav_detectfile
  • 0.005 persistence_autorun
  • 0.004 infostealer_ftp
  • 0.003 rat_nanocore
  • 0.003 antianalysis_detectfile
  • 0.003 antianalysis_detectreg
  • 0.002 tinba_behavior
  • 0.002 antivm_vbox_files
  • 0.002 antivm_vbox_keys
  • 0.002 antivm_vmware_keys
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.002 network_torgateway
  • 0.001 shifu_behavior
  • 0.001 ursnif_behavior
  • 0.001 cerber_behavior
  • 0.001 stealth_timeout
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_vmware_files
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name
  • 0.001 persistence_shim_database
  • 0.001 recon_fingerprint
  • 0.001 stealth_hiddenreg

Reporting ( 0.0 seconds )

Task ID 115355
Mongo ID 5de5f9c7a04cefe70a3b0a04
Cuckoo release 1.3-CAPE