analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Информация.js

Full analysis: https://app.any.run/tasks/d1eb55ef-8b92-4510-af76-30a12ad538ad
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 18, 2019, 04:59:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
ransomware
troldesh
shade
evasion
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF, LF line terminators
MD5:

E057B8AD445EE840FE1F8C0B1E6D7FB8

SHA1:

6BC2F3F925DFE953FB8A74F9F74B0F79462508A7

SHA256:

68FAAB831A14E47A992CB9AF02992BF3E63BC2DEB0B8A360F44BDADA8F424A13

SSDEEP:

96:mcPLeDD84tDrgraeMlb4p+Nvx4pbgtxHnTHfgxJCXApSFicqZ:m+QD84t/xeMa+2bOHnTHIKXA4iZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • radF8521.tmp (PID: 3556)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 2824)
    • Changes the autorun value in the registry

      • radF8521.tmp (PID: 3556)
    • TROLDESH was detected

      • radF8521.tmp (PID: 3556)
    • Actions looks like stealing of personal data

      • radF8521.tmp (PID: 3556)
    • Modifies files in Chrome extension folder

      • radF8521.tmp (PID: 3556)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2824)
      • radF8521.tmp (PID: 3556)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2844)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2824)
    • Connects to unusual port

      • radF8521.tmp (PID: 3556)
    • Creates files in the program directory

      • radF8521.tmp (PID: 3556)
    • Checks for external IP

      • radF8521.tmp (PID: 3556)
  • INFO

    • Dropped object may contain URL to Tor Browser

      • radF8521.tmp (PID: 3556)
    • Dropped object may contain TOR URL's

      • radF8521.tmp (PID: 3556)
    • Dropped object may contain Bitcoin addresses

      • radF8521.tmp (PID: 3556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs #TROLDESH radf8521.tmp vssadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2824"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Информация.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2844"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radF8521.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3556C:\Users\admin\AppData\Local\Temp\radF8521.tmpC:\Users\admin\AppData\Local\Temp\radF8521.tmp
cmd.exe
User:
admin
Integrity Level:
MEDIUM
3396C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exeradF8521.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
187
Read events
159
Write events
28
Delete events
0

Modification events

(PID) Process:(2824) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2824) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2824) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2824) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2824) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2824) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2824) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2824) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2824) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2824) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
3
Suspicious files
54
Text files
27
Unknown types
1

Dropped files

PID
Process
Filename
Type
3556radF8521.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
3556radF8521.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
3556radF8521.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensus
MD5:
SHA256:
3556radF8521.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
3556radF8521.tmpC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
3556radF8521.tmpC:\Users\Public\Videos\Sample Videos\Hzd39orIIYa83Nw8KvgJnYgzFD-g8vaA4hrzlaUu0do=.906D0F2E2F604F839E04.crypted000007
MD5:
SHA256:
3556radF8521.tmpC:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
MD5:
SHA256:
3556radF8521.tmpC:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
MD5:
SHA256:
3556radF8521.tmpC:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
MD5:
SHA256:
3556radF8521.tmpC:\Users\Public\Pictures\Sample Pictures\Koala.jpg
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
18
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3556
radF8521.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3556
radF8521.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3556
radF8521.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3556
radF8521.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
2824
WScript.exe
GET
200
68.66.224.30:80
http://markpreneur.com/wp-content/themes/the-seo/css/ssj.jpg
US
executable
1.04 Mb
malicious
3556
radF8521.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3556
radF8521.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3556
radF8521.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3556
radF8521.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3556
radF8521.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3556
radF8521.tmp
194.109.206.212:443
Xs4all Internet BV
NL
malicious
3556
radF8521.tmp
76.73.17.194:9090
Cogent Communications
US
malicious
3556
radF8521.tmp
93.115.28.196:31553
UAB Cherry Servers
LT
suspicious
2824
WScript.exe
68.66.224.30:80
markpreneur.com
A2 Hosting, Inc.
US
malicious
3556
radF8521.tmp
131.188.40.189:443
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
malicious
3556
radF8521.tmp
77.87.49.6:9002
Foerderverein Freie Netzwerke e.V.
DE
suspicious
3556
radF8521.tmp
37.187.99.161:9001
OVH SAS
FR
suspicious
3556
radF8521.tmp
104.18.35.131:80
whatsmyip.net
Cloudflare Inc
US
shared
3556
radF8521.tmp
104.16.20.96:80
whatismyipaddress.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
markpreneur.com
  • 68.66.224.30
malicious
whatismyipaddress.com
  • 104.16.20.96
  • 104.16.16.96
  • 104.16.17.96
  • 104.16.18.96
  • 104.16.19.96
shared
whatsmyip.net
  • 104.18.35.131
  • 104.18.34.131
shared

Threats

PID
Process
Class
Message
2824
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2824
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2824
WScript.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
2824
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
3556
radF8521.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 267
3556
radF8521.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 112
3556
radF8521.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 438
3556
radF8521.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 564
3556
radF8521.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 683
3556
radF8521.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
23 ETPRO signatures available at the full report
No debug info