analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

«ПАО «НГК «Славнефть» подробности заказа.js

Full analysis: https://app.any.run/tasks/be9539aa-e829-49bb-976a-a35e2e0202f0
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: February 19, 2019, 07:50:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
troldesh
shade
evasion
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

1FC1C936DA1B3DFAF031CF634460C0CC

SHA1:

0319C7F581DCD5BF1E48002D183F71BB36A62E1B

SHA256:

22B1EA0639F1AB25E4050363266D219C17AAFBEC8F42F2E0CD119D6322810024

SSDEEP:

96:tMgFFHTUcsmshD3PUZT1OmTws34cKnEQW5cv3mITZoKLdPN:DPaFUZhOmTwfcK2vGomX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • WScript.exe (PID: 2856)

    • Application was dropped or rewritten from another process

      • rad78F9F.tmp (PID: 4080)

    • Changes the autorun value in the registry

      • rad78F9F.tmp (PID: 4080)

    • TROLDESH was detected

      • rad78F9F.tmp (PID: 4080)

    • Deletes shadow copies

      • rad78F9F.tmp (PID: 4080)

    • Runs app for hidden code execution

      • rad78F9F.tmp (PID: 4080)

    • Dropped file may contain instructions of ransomware

      • rad78F9F.tmp (PID: 4080)

    • Actions looks like stealing of personal data

      • rad78F9F.tmp (PID: 4080)

    • Modifies files in Chrome extension folder

      • rad78F9F.tmp (PID: 4080)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2856)
      • rad78F9F.tmp (PID: 4080)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3364)
      • cmd.exe (PID: 1156)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2856)
      • rad78F9F.tmp (PID: 4080)

    • Adds / modifies Windows certificates

      • WScript.exe (PID: 2856)

    • Connects to unusual port

      • rad78F9F.tmp (PID: 4080)

    • Creates files in the program directory

      • rad78F9F.tmp (PID: 4080)

    • Checks for external IP

      • rad78F9F.tmp (PID: 4080)

    • Creates files like Ransomware instruction

      • rad78F9F.tmp (PID: 4080)

    • Creates files in the user directory

      • rad78F9F.tmp (PID: 4080)

  • INFO

    • Dropped object may contain URL to Tor Browser

      • rad78F9F.tmp (PID: 4080)

    • Dropped object may contain TOR URL's

      • rad78F9F.tmp (PID: 4080)

    • Dropped object may contain Bitcoin addresses

      • rad78F9F.tmp (PID: 4080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs #TROLDESH rad78f9f.tmp vssadmin.exe no specs vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
2856"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\«ПАО «НГК «Славнефть» подробности заказа.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3364"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad78F9F.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
4080C:\Users\admin\AppData\Local\Temp\rad78F9F.tmpC:\Users\admin\AppData\Local\Temp\rad78F9F.tmp
cmd.exe
User:
admin
Integrity Level:
MEDIUM
3296C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exerad78F9F.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3436"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exe
rad78F9F.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2388C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1156C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exerad78F9F.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3944chcpC:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
256
Read events
203
Write events
52
Delete events
1

Modification events

(PID) Process:(2856) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2856) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2856) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2856) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2856) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2856) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2856) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2856) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2856) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2856) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
3
Suspicious files
1 092
Text files
49
Unknown types
34

Dropped files

PID
Process
Filename
Type
4080rad78F9F.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
4080rad78F9F.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
4080rad78F9F.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
4080rad78F9F.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
4080rad78F9F.tmpC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
4080rad78F9F.tmpC:\Users\Public\Videos\Sample Videos\5hV8Wx7qW6KY9TspwAO7-8mM4n0awhE+S1wi1hG-syU=.906D0F2E2F604F839E04.crypted000007
MD5:
SHA256:
4080rad78F9F.tmpC:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
MD5:
SHA256:
4080rad78F9F.tmpC:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
MD5:
SHA256:
4080rad78F9F.tmpC:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
MD5:
SHA256:
4080rad78F9F.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\statetext
MD5:9DA254F3FAFC507F60EBE15F95F22CE9
SHA256:32707DA419C29773034C66EB742A989FEE3691FC7BCDBF9B483456346914D9A8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
17
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4080
rad78F9F.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
4080
rad78F9F.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
4080
rad78F9F.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
4080
rad78F9F.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
4080
rad78F9F.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
4080
rad78F9F.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
4080
rad78F9F.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
4080
rad78F9F.tmp
GET
200
104.18.35.131:80
http://whatsmyip.net/
US
html
7.35 Kb
shared
4080
rad78F9F.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
4080
rad78F9F.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4080
rad78F9F.tmp
131.188.40.189:443
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
malicious
4080
rad78F9F.tmp
81.6.37.253:9002
Init7 (Switzerland) Ltd.
CH
suspicious
4080
rad78F9F.tmp
147.135.37.68:9001
OVH SAS
US
suspicious
4080
rad78F9F.tmp
128.31.0.39:9101
Massachusetts Institute of Technology
US
malicious
4080
rad78F9F.tmp
144.76.26.21:9001
Hetzner Online GmbH
DE
suspicious
2856
WScript.exe
66.147.244.243:443
texassweetiesdogrescue.org
Unified Layer
US
unknown
4080
rad78F9F.tmp
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
4080
rad78F9F.tmp
104.18.35.131:80
whatsmyip.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
texassweetiesdogrescue.org
  • 66.147.244.243
unknown
whatismyipaddress.com
  • 104.16.155.36
  • 104.16.154.36
shared
whatsmyip.net
  • 104.18.35.131
  • 104.18.34.131
shared

Threats

PID
Process
Class
Message
4080
rad78F9F.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
4080
rad78F9F.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
4080
rad78F9F.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 113
4080
rad78F9F.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
4080
rad78F9F.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 138
4080
rad78F9F.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 587
4080
rad78F9F.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
4080
rad78F9F.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
4080
rad78F9F.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 144
4080
rad78F9F.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
21 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
«ПАО «НГК «Славнефть» подробности заказа.js