| File name: | 4b98d2919533ab614a7571aa0ef7c80fc177218bb778524fde3bf6f72b0d7b08.js |
| Full analysis: | https://app.any.run/tasks/7ab7d7ee-8574-401a-b3c8-262a3fc240cc |
| Verdict: | Malicious activity |
| Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
| Analysis date: | August 01, 2022, 10:32:35 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines, with no line terminators |
| MD5: | AD27BE427DD7F922143E57FD1FA64F98 |
| SHA1: | 9D04EB7712599DB741E8E85D9F4339219B991E6A |
| SHA256: | 4B98D2919533AB614A7571AA0EF7C80FC177218BB778524FDE3BF6F72B0D7B08 |
| SSDEEP: | 12288:ifY8It0lbvO1PJ9XyuRrvafaI8ieJaU4I79VXHv0aIn83IHiz0:iubAaIoUCI |
MALICIOUS
Drops executable file immediately after starts
- WScript.exe (PID: 2520)
- invoice_a_202.exe (PID: 3324)
Changes the autorun value in the registry
- invoice_a_202.exe (PID: 3324)
- windowsjx.exe (PID: 3908)
Application was dropped or rewritten from another process
- windowsjx.exe (PID: 3908)
- invoice_a_202.exe (PID: 3324)
REMCOS detected by memory dumps
- windowsjx.exe (PID: 3908)
REMCOS was detected
- windowsjx.exe (PID: 3908)
SUSPICIOUS
Checks supported languages
- WScript.exe (PID: 2520)
- wscript.exe (PID: 852)
- invoice_a_202.exe (PID: 3324)
- cmd.exe (PID: 2892)
- windowsjx.exe (PID: 3908)
- WScript.exe (PID: 276)
Reads the computer name
- wscript.exe (PID: 852)
- WScript.exe (PID: 2520)
- invoice_a_202.exe (PID: 3324)
- WScript.exe (PID: 276)
- windowsjx.exe (PID: 3908)
Writes files like Keylogger logs
- WScript.exe (PID: 2520)
- invoice_a_202.exe (PID: 3324)
- windowsjx.exe (PID: 3908)
Application launched itself
- WScript.exe (PID: 2520)
Drops a file with a compile date too recent
- WScript.exe (PID: 2520)
- invoice_a_202.exe (PID: 3324)
Reads Environment values
- invoice_a_202.exe (PID: 3324)
- windowsjx.exe (PID: 3908)
Executable content was dropped or overwritten
- WScript.exe (PID: 2520)
- invoice_a_202.exe (PID: 3324)
Creates files in the program directory
- invoice_a_202.exe (PID: 3324)
- windowsjx.exe (PID: 3908)
INFO
Checks Windows Trust Settings
- WScript.exe (PID: 2520)
- wscript.exe (PID: 852)
- WScript.exe (PID: 276)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Remcos
(PID) Process(3908) windowsjx.exe
Hosts (1)185.157.162.75:62186
BotnetPowerPoint
Connect_interval1
Install_flagTrue
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run1
Install_HKLM\Winlogon\ShellP1Z89AQ0B0
Setup_path%LOCALAPPDATA%
Copy_filewindowsjx.exe
Startup_valuemicrosoftjx
Hide_fileTrue
Mutex_nameRemcos-34MTRX
Keylog_flag1
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptFalse
Hide_keylogFalse
Screenshot_flagTrue
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%APPDATA%
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
Max_keylog_file100000
Total processes
41
Monitored processes
6
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 276 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs" | C:\Windows\System32\WScript.exe | — | invoice_a_202.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 852 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\bQiNiwTuYc.js" | C:\Windows\System32\wscript.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 2520 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\4b98d2919533ab614a7571aa0ef7c80fc177218bb778524fde3bf6f72b0d7b08.js" | C:\Windows\System32\WScript.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 2892 | "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\windowsjx.exe" | C:\Windows\System32\cmd.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3324 | "C:\Users\admin\AppData\Local\Temp\invoice_a_202.exe" | C:\Users\admin\AppData\Local\Temp\invoice_a_202.exe | WScript.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3908 | C:\ProgramData\Remcos\windowsjx.exe | C:\ProgramData\Remcos\windowsjx.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
Remcos(PID) Process(3908) windowsjx.exe Hosts (1)185.157.162.75:62186 BotnetPowerPoint Connect_interval1 Install_flagTrue Install_HKCU\RunTrue Install_HKLM\RunTrue Install_HKLM\Explorer\Run1 Install_HKLM\Winlogon\ShellP1Z89AQ0B0 Setup_path%LOCALAPPDATA% Copy_filewindowsjx.exe Startup_valuemicrosoftjx Hide_fileTrue Mutex_nameRemcos-34MTRX Keylog_flag1 Keylog_path%LOCALAPPDATA% Keylog_filelogs.dat Keylog_cryptFalse Hide_keylogFalse Screenshot_flagTrue Screenshot_time5 Take_ScreenshotFalse Screenshot_path%APPDATA% Screenshot_fileScreenshots Screenshot_cryptFalse Mouse_optionFalse Delete_fileFalse Audio_record_time5 Audio_path%APPDATA% Audio_dirMicRecords Connect_delay0 Copy_dirRemcos Keylog_dirremcos Max_keylog_file100000 | |||||||||||||||
Total events
2 240
Read events
2 190
Write events
50
Delete events
0
Modification events
| (PID) Process: | (2520) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2520) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2520) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2520) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3324) invoice_a_202.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | microsoftjx |
Value: "C:\ProgramData\Remcos\windowsjx.exe" | |||
| (PID) Process: | (3324) invoice_a_202.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | microsoftjx |
Value: "C:\ProgramData\Remcos\windowsjx.exe" | |||
| (PID) Process: | (3324) invoice_a_202.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3324) invoice_a_202.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3324) invoice_a_202.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3324) invoice_a_202.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
2
Suspicious files
3
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2520 | WScript.exe | C:\Users\admin\AppData\Local\Temp\invoice_a_202.exe | executable | |
MD5:— | SHA256:— | |||
| 3908 | windowsjx.exe | C:\Users\admin\AppData\Roaming\Screenshots\time_20220801_113241.jpg | image | |
MD5:— | SHA256:— | |||
| 3908 | windowsjx.exe | C:\ProgramData\remcos\logs.dat | binary | |
MD5:— | SHA256:— | |||
| 3908 | windowsjx.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\json[1].json | binary | |
MD5:— | SHA256:— | |||
| 2520 | WScript.exe | C:\Users\admin\AppData\Roaming\bQiNiwTuYc.js | text | |
MD5:— | SHA256:— | |||
| 3324 | invoice_a_202.exe | C:\Users\admin\AppData\Local\Temp\install.vbs | binary | |
MD5:— | SHA256:— | |||
| 3324 | invoice_a_202.exe | C:\ProgramData\Remcos\windowsjx.exe | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3908 | windowsjx.exe | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | NL | binary | 918 b | suspicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3908 | windowsjx.exe | 185.157.162.75:62186 | — | Obenetwork AB | SE | malicious |
3908 | windowsjx.exe | 178.237.33.50:80 | geoplugin.net | Schuberg Philis B.V. | NL | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
geoplugin.net |
| suspicious |