analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

«ПАО «НГК «Славнефть» подробности заказа.js

Full analysis: https://app.any.run/tasks/0e196baf-f8b3-46c7-8b70-be458dd8bfa5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 18, 2019, 10:35:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
ransomware
troldesh
shade
evasion
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

1FC1C936DA1B3DFAF031CF634460C0CC

SHA1:

0319C7F581DCD5BF1E48002D183F71BB36A62E1B

SHA256:

22B1EA0639F1AB25E4050363266D219C17AAFBEC8F42F2E0CD119D6322810024

SSDEEP:

96:tMgFFHTUcsmshD3PUZT1OmTws34cKnEQW5cv3mITZoKLdPN:DPaFUZhOmTwfcK2vGomX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rad08CA3.tmp (PID: 3540)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 3472)
    • Changes the autorun value in the registry

      • rad08CA3.tmp (PID: 3540)
    • TROLDESH was detected

      • rad08CA3.tmp (PID: 3540)
    • Actions looks like stealing of personal data

      • rad08CA3.tmp (PID: 3540)
    • Modifies files in Chrome extension folder

      • rad08CA3.tmp (PID: 3540)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • cmd.exe (PID: 2848)
    • Creates files in the user directory

      • WScript.exe (PID: 3472)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3472)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3472)
      • rad08CA3.tmp (PID: 3540)
    • Connects to unusual port

      • rad08CA3.tmp (PID: 3540)
    • Creates files in the program directory

      • rad08CA3.tmp (PID: 3540)
    • Checks for external IP

      • rad08CA3.tmp (PID: 3540)
  • INFO

    • Dropped object may contain URL to Tor Browser

      • rad08CA3.tmp (PID: 3540)
    • Dropped object may contain TOR URL's

      • rad08CA3.tmp (PID: 3540)
    • Dropped object may contain Bitcoin addresses

      • rad08CA3.tmp (PID: 3540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs #TROLDESH rad08ca3.tmp vssadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3472"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\«ПАО «НГК «Славнефть» подробности заказа.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2848"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad08CA3.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3540C:\Users\admin\AppData\Local\Temp\rad08CA3.tmpC:\Users\admin\AppData\Local\Temp\rad08CA3.tmp
cmd.exe
User:
admin
Integrity Level:
MEDIUM
2688C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exerad08CA3.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
188
Read events
160
Write events
28
Delete events
0

Modification events

(PID) Process:(3472) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3472) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3472) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3472) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3472) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3472) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3472) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3472) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3472) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3472) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
3
Suspicious files
254
Text files
38
Unknown types
6

Dropped files

PID
Process
Filename
Type
3540rad08CA3.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
3540rad08CA3.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
3540rad08CA3.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
3540rad08CA3.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
3540rad08CA3.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdesc-consensustext
MD5:7AFD6FB329CE19C1E635B95BC4ACCFB4
SHA256:5B4330623BC5A8532296EB307D8F84A436B9110AFFECAC3FC1F34DB64504685B
3540rad08CA3.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensustext
MD5:7AFD6FB329CE19C1E635B95BC4ACCFB4
SHA256:5B4330623BC5A8532296EB307D8F84A436B9110AFFECAC3FC1F34DB64504685B
3540rad08CA3.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.newtext
MD5:6244B745BA8AB1ED70C70A34E4723911
SHA256:60E0CBF4FFE69614F1AEDFBB0B7BD84622D2B7A7CEEE9791D45D6CE4A281FA0B
3472WScript.exeC:\Users\admin\AppData\Local\Temp\rad08CA3.tmpexecutable
MD5:676740F0607965D86455D5F16E364C1A
SHA256:1C06B518A94AD6DB106D7D31626F2A7C80BD03F0DCD6D0BC450FFAC1750CDF79
3540rad08CA3.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\cached-certstext
MD5:C4C1896E3412A1D68A3DF3037D53EDC5
SHA256:3B7CE0814BB27B778B8193E51C5230829D3255976CB89404AB9F893C9BB93DFF
3540rad08CA3.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\statetext
MD5:02DDE8981147F50C29C2D529C2E9C77A
SHA256:D846F6C50046FD53DCA2F90116D4F52ADE73B92CF86944765AD7A390666CFDFF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
18
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3540
rad08CA3.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3540
rad08CA3.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3540
rad08CA3.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3472
WScript.exe
GET
200
217.160.94.110:80
http://www.katharinen-apotheke-braunschweig.de/wp-content/themes/zerif-lite/css/messg.jpg
DE
executable
1.40 Mb
malicious
3540
rad08CA3.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3540
rad08CA3.tmp
GET
200
104.18.34.131:80
http://whatsmyip.net/
US
html
7.35 Kb
shared
3540
rad08CA3.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3540
rad08CA3.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3540
rad08CA3.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3540
rad08CA3.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3540
rad08CA3.tmp
86.59.21.38:443
Tele2 Telecommunication GmbH
AT
malicious
3472
WScript.exe
217.160.94.110:80
www.katharinen-apotheke-braunschweig.de
1&1 Internet SE
DE
suspicious
3540
rad08CA3.tmp
94.130.187.210:9001
Hetzner Online GmbH
DE
suspicious
3472
WScript.exe
66.147.244.243:443
texassweetiesdogrescue.org
Unified Layer
US
unknown
3540
rad08CA3.tmp
171.25.193.9:80
Foreningen for digitala fri- och rattigheter
SE
malicious
3540
rad08CA3.tmp
78.129.180.14:9001
iomart Cloud Services Limited.
GB
suspicious
3540
rad08CA3.tmp
79.172.193.32:9001
Deninet KFT
HU
suspicious
3540
rad08CA3.tmp
104.18.34.131:80
whatsmyip.net
Cloudflare Inc
US
shared
3540
rad08CA3.tmp
104.16.154.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
texassweetiesdogrescue.org
  • 66.147.244.243
unknown
www.katharinen-apotheke-braunschweig.de
  • 217.160.94.110
malicious
whatismyipaddress.com
  • 104.16.154.36
  • 104.16.155.36
shared
whatsmyip.net
  • 104.18.34.131
  • 104.18.35.131
shared

Threats

PID
Process
Class
Message
3472
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
3472
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
3472
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
3540
rad08CA3.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3540
rad08CA3.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 178
3540
rad08CA3.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
3540
rad08CA3.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3540
rad08CA3.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 568
3540
rad08CA3.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 701
3540
rad08CA3.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 580
23 ETPRO signatures available at the full report
No debug info