Field | Value
---|---
File name | 애플고딕.js
Full analysis | https://app.any.run/tasks/2fd9ac98-4f1a-47a5-b28b-b8cf2f30ef5b
Verdict | Malicious activity
Threats | GandCrab is probably one of the most famous ransomware families. Ransomware is malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate, the files are lost forever.
Analysis date | December 14, 2018, 08:22:30
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | text/plain
File info | ASCII text, with very long lines, with CRLF line terminators
MD5 | 7240C414E14963D219D0F363AEFCE28A
SHA1 | EE63A6281B970CE36B0054D36656F0949F0445EE
SHA256 | 1B5A2162D5C07BCB49965764E3A8450D134D86960B9FB7D5D68547F8C279B204
SSDEEP | 24576:t0Ew/XgLpnH7hIYEoluDWV/m2ja6R/WrPUyaytRMInw76ARzO89EePW5Qp40Pgaj:R
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2996 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\애플고딕.js" | C:\Windows\System32\WScript.exe | — | explorer.exe
2384 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "IEX (([System.IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\nxfzgakogffcxdj.log')).Replace('?',''));" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | WScript.exe
2964 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | powershell.exe

PID | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---
2996 | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.8.7600.16385
2384 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | — | 6.1.7600.16385 (win7_rtm.090713-1255)
2964 | admin | Microsoft Corporation | MEDIUM | WMI Commandline Utility | 2147749908 | 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2384 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PHONCQYGN9E4AC944FB3.temp | — | — | —
2384 | powershell.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | — | —
2384 | powershell.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobData | — | — | —
2384 | powershell.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings | — | — | —
2384 | powershell.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\addressbook.acrodata | — | — | —
2384 | powershell.exe | C:\Users\admin\AppData\Roaming\Adobe\Acrobat\VGPQHBAF-DECRYPT.txt | text | 70894DAC0A4E5D38EBD8BDF93EE8DA62 | 03E0382B120B1B73F97F997FCE7BDA1FE140137BAD584D614A6A7A578EDBE7F6
2384 | powershell.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.vgpqhbaf | binary | E070856D1EB200FCB01246717394A77C | A885EB631C7AE9297BD9A6385E76310488CCEFCE3A3EE3D7FED7FBF0BC6BEC21
2996 | WScript.exe | C:\Users\admin\AppData\Roaming\nxfzgakogffcxdj.log | text | F82FA95AF7C7711B7EB03038A3D7B92F | E8A87BB31665AADBEDAAE5C3A0B3DB6346ABFEF5DE8ED8C9E9A04F708D398E61
2384 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1
2384 | powershell.exe | C:\Users\admin\AppData\Roaming\VGPQHBAF-DECRYPT.txt | text | 70894DAC0A4E5D38EBD8BDF93EE8DA62 | 03E0382B120B1B73F97F997FCE7BDA1FE140137BAD584D614A6A7A578EDBE7F6
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
2384 | powershell.exe | GET | — | 78.46.77.98:80 | http://www.2mmotorsport.biz/ | DE | — | — | suspicious
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2384 | powershell.exe | 78.46.77.98:80 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious
Domain | IP | Reputation
---|---|---
www.2mmotorsport.biz | — | unknown