analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

thing.jse

Full analysis: https://app.any.run/tasks/5d165ef0-727d-4f5d-b389-c5021ea9b313
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 14, 2019, 05:34:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
ransomware
troldesh
shade
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

7F129853A0CCE64211DBE4F9F3A5757D

SHA1:

09CD61E06428F99E57136F164683F5141BA074B1

SHA256:

842F27ECEF5A7F9FC4439ABAB558F732FBB04B93B0938F4F8740F41B41BD95DA

SSDEEP:

96:+JO25gVTNUxCruhEKNB5WV42XIAHbvV+ri6EEkq+OzhrCf:ygVJUxC2EKo+AHj1r+hrCf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • radC4A23.tmp (PID: 3804)
    • Changes the autorun value in the registry

      • radC4A23.tmp (PID: 3804)
    • TROLDESH was detected

      • radC4A23.tmp (PID: 3804)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 2736)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2736)
      • radC4A23.tmp (PID: 3804)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2736)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3092)
    • Creates files in the program directory

      • radC4A23.tmp (PID: 3804)
    • Connects to unusual port

      • radC4A23.tmp (PID: 3804)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • radC4A23.tmp (PID: 3804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs #TROLDESH radc4a23.tmp

Process information

PID
CMD
Path
Indicators
Parent process
2736"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\thing.jse"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3092"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radC4A23.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3804C:\Users\admin\AppData\Local\Temp\radC4A23.tmpC:\Users\admin\AppData\Local\Temp\radC4A23.tmp
cmd.exe
User:
admin
Company:
Burnaware
Integrity Level:
MEDIUM
Description:
Verify Disc
Version:
8.3.0.0
Total events
158
Read events
137
Write events
21
Delete events
0

Modification events

(PID) Process:(2736) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2736) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2736) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2736) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2736) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2736) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2736) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2736) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2736) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2736) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
3
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3804radC4A23.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
3804radC4A23.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
3804radC4A23.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensustext
MD5:A8A9A0C230A78FA879CF1B690C741C03
SHA256:4C9AA04528C864859E74E0F74C58693CEDA7829ABD85CA711B52E310FADAF9F1
2736WScript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\msg[1].jpgexecutable
MD5:5B6401C25C4DB9C6552A24BCF72295B8
SHA256:6DDD0CE0A815DA44D73286130CF49016830B2F18329E65C4F54F487E910B0FE3
3804radC4A23.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\statetext
MD5:53B2D018AD4BFFD5E9D5F0C3DF870FF1
SHA256:D3A981F5A22B5FB9A16CE4A5A97C7B2A528E0AE9BDDDB19536986DEF46477D27
2736WScript.exeC:\Users\admin\AppData\Local\Temp\radC4A23.tmpexecutable
MD5:5B6401C25C4DB9C6552A24BCF72295B8
SHA256:6DDD0CE0A815DA44D73286130CF49016830B2F18329E65C4F54F487E910B0FE3
3804radC4A23.tmpC:\ProgramData\Windows\csrss.exeexecutable
MD5:5B6401C25C4DB9C6552A24BCF72295B8
SHA256:6DDD0CE0A815DA44D73286130CF49016830B2F18329E65C4F54F487E910B0FE3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2736
WScript.exe
GET
404
208.97.150.86:80
http://www.rayhom.com/wp-content/themes/fotografie/inc/customizer/upgrade-button/msg.jpg
US
html
283 b
unknown
2736
WScript.exe
GET
200
97.64.208.226:80
http://csd190.com/wp-content/themes/academica/images/msg.jpg
US
executable
1.22 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3804
radC4A23.tmp
128.31.0.39:9101
Massachusetts Institute of Technology
US
malicious
3804
radC4A23.tmp
208.83.223.34:80
Applied Operations, LLC
US
malicious
2736
WScript.exe
97.64.208.226:80
csd190.com
Mediacom Communications Corp
US
suspicious
2736
WScript.exe
208.97.150.86:80
www.rayhom.com
New Dream Network, LLC
US
unknown

DNS requests

Domain
IP
Reputation
www.rayhom.com
  • 208.97.150.86
unknown
csd190.com
  • 97.64.208.226
malicious

Threats

PID
Process
Class
Message
2736
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2736
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2736
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2736
WScript.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
3804
radC4A23.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
3804
radC4A23.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2 ETPRO signatures available at the full report
No debug info