analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Windykacja długów.js

Full analysis: https://app.any.run/tasks/f1e11de2-39f4-4a40-ad43-8b7d54ff82c4
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Analysis date: May 20, 2019, 13:00:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
gandcrab
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5:

07F90E190328BC6D20CB0F94D8646C39

SHA1:

C8AE54EE3A3F3193EC8C28F72C3D7B4A8EBA0BA0

SHA256:

5DD1301B84DF7A9820D5B2ACADDD9399334A0DBB12CE0993167700008673A2A3

SSDEEP:

3072:HxNzPmG1aldeKJg6DojFDjEfKZsq81aENp0Nhw31lI1:nzPV1mpgfjhcKZl811N2Hw3E1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 11635.exe (PID: 3292)
    • Writes file to Word startup folder

      • 11635.exe (PID: 3292)
    • Actions looks like stealing of personal data

      • 11635.exe (PID: 3292)
    • Dropped file may contain instructions of ransomware

      • 11635.exe (PID: 3292)
    • Renames files like Ransomware

      • 11635.exe (PID: 3292)
    • Deletes shadow copies

      • cmd.exe (PID: 3660)
    • Connects to CnC server

      • 11635.exe (PID: 3292)
    • Changes settings of System certificates

      • 11635.exe (PID: 3292)
    • GANDCRAB detected

      • 11635.exe (PID: 3292)
  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 3332)
      • 11635.exe (PID: 3292)
    • Creates files in the program directory

      • 11635.exe (PID: 3292)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3332)
    • Starts CMD.EXE for commands execution

      • 11635.exe (PID: 3292)
    • Reads Internet Cache Settings

      • 11635.exe (PID: 3292)
    • Reads the cookies of Mozilla Firefox

      • 11635.exe (PID: 3292)
    • Executed as Windows Service

      • vssvc.exe (PID: 3428)
    • Adds / modifies Windows certificates

      • 11635.exe (PID: 3292)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • 11635.exe (PID: 3292)
    • Dropped object may contain TOR URL's

      • 11635.exe (PID: 3292)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start wscript.exe #GANDCRAB 11635.exe cmd.exe vssadmin.exe no specs vssvc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3332"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Windykacja długów.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3292"C:\Users\admin\AppData\Roaming\Microsoft\11635.exe" C:\Users\admin\AppData\Roaming\Microsoft\11635.exe
WScript.exe
User:
admin
Integrity Level:
MEDIUM
3660"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quietC:\Windows\system32\cmd.exe
11635.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
584vssadmin delete shadows /all /quietC:\Windows\system32\vssadmin.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3428C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
491
Read events
450
Write events
41
Delete events
0

Modification events

(PID) Process:(3332) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3332) WScript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3292) 11635.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3292) 11635.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3292) 11635.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\11635_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3292) 11635.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\11635_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3292) 11635.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\11635_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3292) 11635.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\11635_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3292) 11635.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\11635_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3292) 11635.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\11635_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
Executable files
1
Suspicious files
419
Text files
318
Unknown types
13

Dropped files

PID
Process
Filename
Type
329211635.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
MD5:
SHA256:
329211635.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.lnganf
MD5:
SHA256:
329211635.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim
MD5:
SHA256:
329211635.exeC:\System Volume Information\SPP\OnlineMetadataCache\{05ed3515-06b3-48f6-8cf2-bf24b1bf0727}_OnDiskSnapshotProp
MD5:
SHA256:
329211635.exeC:\System Volume Information\SPP\OnlineMetadataCache\{16d74681-6bc3-4c44-97f0-8b8dfefe2355}_OnDiskSnapshotProp
MD5:
SHA256:
329211635.exeC:\System Volume Information\SPP\OnlineMetadataCache\{38e8535f-27d0-4352-aa3a-ce4178930102}_OnDiskSnapshotProp
MD5:
SHA256:
329211635.exeC:\System Volume Information\SPP\OnlineMetadataCache\{3cc0f82b-873a-4e59-b89f-689fbdf88af9}_OnDiskSnapshotProp
MD5:
SHA256:
329211635.exeC:\MSOCache\LNGANF-MANUAL.txttext
MD5:D2773CC78EA99D4E6D07097C8C7E3D9A
SHA256:71BBE9E2DEAD4E11043AFC9FEA249CF3D3922CC33E7A6ADBFD3B728C491118CA
329211635.exeC:\System Volume Information\LNGANF-MANUAL.txttext
MD5:D2773CC78EA99D4E6D07097C8C7E3D9A
SHA256:71BBE9E2DEAD4E11043AFC9FEA249CF3D3922CC33E7A6ADBFD3B728C491118CA
329211635.exeC:\System Volume Information\SPP\LNGANF-MANUAL.txttext
MD5:D2773CC78EA99D4E6D07097C8C7E3D9A
SHA256:71BBE9E2DEAD4E11043AFC9FEA249CF3D3922CC33E7A6ADBFD3B728C491118CA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3292
11635.exe
POST
301
107.173.49.208:80
http://www.kakaocorp.link/includes/graphic/dafumo.gif
US
html
162 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3292
11635.exe
107.173.49.208:443
www.kakaocorp.link
ColoCrossing
US
malicious
3292
11635.exe
107.173.49.208:80
www.kakaocorp.link
ColoCrossing
US
malicious

DNS requests

Domain
IP
Reputation
www.kakaocorp.link
  • 107.173.49.208
malicious
kakaocorp.link
  • 107.173.49.208
malicious

Threats

PID
Process
Class
Message
3292
11635.exe
A Network Trojan was detected
ET POLICY Data POST to an image file (gif)
3292
11635.exe
A Network Trojan was detected
MALWARE [PTsecurity] GandCrab Ransomware HTTP
3292
11635.exe
A Network Trojan was detected
MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server
3292
11635.exe
A Network Trojan was detected
MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server
2 ETPRO signatures available at the full report
No debug info