File name: | 4b98d2919533ab614a7571aa0ef7c80fc177218bb778524fde3bf6f72b0d7b08.js |
Full analysis: | https://app.any.run/tasks/7ab7d7ee-8574-401a-b3c8-262a3fc240cc |
Verdict: | Malicious activity |
Threats: | A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. |
Analysis date: | August 01, 2022, 10:32:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with no line terminators |
MD5: | AD27BE427DD7F922143E57FD1FA64F98 |
SHA1: | 9D04EB7712599DB741E8E85D9F4339219B991E6A |
SHA256: | 4B98D2919533AB614A7571AA0EF7C80FC177218BB778524FDE3BF6F72B0D7B08 |
SSDEEP: | 12288:ifY8It0lbvO1PJ9XyuRrvafaI8ieJaU4I79VXHv0aIn83IHiz0:iubAaIoUCI |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2520 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\4b98d2919533ab614a7571aa0ef7c80fc177218bb778524fde3bf6f72b0d7b08.js" | C:\Windows\System32\WScript.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
852 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\bQiNiwTuYc.js" | C:\Windows\System32\wscript.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
3324 | "C:\Users\admin\AppData\Local\Temp\invoice_a_202.exe" | C:\Users\admin\AppData\Local\Temp\invoice_a_202.exe | WScript.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
276 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\install.vbs" | C:\Windows\System32\WScript.exe | — | invoice_a_202.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
2892 | "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\windowsjx.exe" | C:\Windows\System32\cmd.exe | — | WScript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3908 | C:\ProgramData\Remcos\windowsjx.exe | C:\ProgramData\Remcos\windowsjx.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
Remcos(PID) Process(3908) windowsjx.exe Hosts (1)185.157.162.75:62186 BotnetPowerPoint Connect_interval1 Install_flagTrue Install_HKCU\RunTrue Install_HKLM\RunTrue Install_HKLM\Explorer\Run1 Install_HKLM\Winlogon\ShellP1Z89AQ0B0 Setup_path%LOCALAPPDATA% Copy_filewindowsjx.exe Startup_valuemicrosoftjx Hide_fileTrue Mutex_nameRemcos-34MTRX Keylog_flag1 Keylog_path%LOCALAPPDATA% Keylog_filelogs.dat Keylog_cryptFalse Hide_keylogFalse Screenshot_flagTrue Screenshot_time5 Take_ScreenshotFalse Screenshot_path%APPDATA% Screenshot_fileScreenshots Screenshot_cryptFalse Mouse_optionFalse Delete_fileFalse Audio_record_time5 Audio_path%APPDATA% Audio_dirMicRecords Connect_delay0 Copy_dirRemcos Keylog_dirremcos Max_keylog_file100000 |
(PID) Process: | (2520) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2520) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2520) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (2520) WScript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (3324) invoice_a_202.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | microsoftjx |
Value: "C:\ProgramData\Remcos\windowsjx.exe" | |||
(PID) Process: | (3324) invoice_a_202.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | microsoftjx |
Value: "C:\ProgramData\Remcos\windowsjx.exe" | |||
(PID) Process: | (3324) invoice_a_202.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3324) invoice_a_202.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3324) invoice_a_202.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (3324) invoice_a_202.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2520 | WScript.exe | C:\Users\admin\AppData\Roaming\bQiNiwTuYc.js | text | |
MD5:794372001398B622FF579ACFAEF83033 | SHA256:A2EB8EC643B32F38C67006EA8B9AB00B449546B4869DD4E43FB45FC5FBA45968 | |||
3908 | windowsjx.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\json[1].json | binary | |
MD5:F99A87CE1B8CE6269E7C27D2A970F099 | SHA256:07E7A5A7E7F5E14AEEFB90CCF0044E94242CDF4C6471329A9018AC7C1551BAB4 | |||
3908 | windowsjx.exe | C:\Users\admin\AppData\Roaming\Screenshots\time_20220801_113241.jpg | image | |
MD5:684A9D15D7674075DDFF55365A559690 | SHA256:D7CB84F0E2899A5D3015B06A346232F61C381799BADE3C2C7BBDF1EEBDA198F8 | |||
3908 | windowsjx.exe | C:\ProgramData\remcos\logs.dat | binary | |
MD5:2CD77281752C57B73F4F68F48233F1D1 | SHA256:60E7FE4F4D0AB3D93FF73A745411E846D46B9896B0E9F594CA6EFE5AD95247CF | |||
3324 | invoice_a_202.exe | C:\Users\admin\AppData\Local\Temp\install.vbs | binary | |
MD5:A709FE06DB2D825EE491B8BAC6569204 | SHA256:822CBB0BEF4CA3DFF8F2AE70537A990A2C4330DB5B484F5E51282CB43ECE8E46 | |||
2520 | WScript.exe | C:\Users\admin\AppData\Local\Temp\invoice_a_202.exe | executable | |
MD5:F9E94909637A6B6471565022188AB2BE | SHA256:8F47DBD8189DBE96BDA7511F2A37277EE9FAB8A763619D120C0FE49D953124B7 | |||
3324 | invoice_a_202.exe | C:\ProgramData\Remcos\windowsjx.exe | executable | |
MD5:F9E94909637A6B6471565022188AB2BE | SHA256:8F47DBD8189DBE96BDA7511F2A37277EE9FAB8A763619D120C0FE49D953124B7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3908 | windowsjx.exe | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | NL | binary | 918 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3908 | windowsjx.exe | 185.157.162.75:62186 | — | Obenetwork AB | SE | malicious |
3908 | windowsjx.exe | 178.237.33.50:80 | geoplugin.net | Schuberg Philis B.V. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
geoplugin.net |
| suspicious |