File name: | emotet_dropper.js |
Full analysis: | https://app.any.run/tasks/259eebd5-b93b-4a6a-ac3f-393722bed8f9 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 23, 2019, 16:37:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines, with no line terminators |
MD5: | 581A46B5226220C82CA44F48C348664B |
SHA1: | A5C6BC8426CB880A66D97AFFDD7F6DD09FC946B1 |
SHA256: | 8B1B62324101CB93445FF7F6901E29FA08736CCB407948111E8BABC53F3BAEA6 |
SSDEEP: | 768:y0JdyreCo4vM39/y9OfUBbRu9564EpnQ6uZptB2Bpue5njopodt2MCNGTWKAwMdl:y0ue3t9qEfUBbRHpnUN8qD1WxfBk |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1848 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\emotet_dropper.js" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3852 | "C:\Users\admin\AppData\Local\Temp\cpwc4gs2x.exe" | C:\Users\admin\AppData\Local\Temp\cpwc4gs2x.exe | — | WScript.exe |
User: admin Company: PepsiCo Integrity Level: MEDIUM Description: Bedstand Exit code: 0 Version: 4.7.71.11 | ||||
3144 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2156 | --841a51f1 | C:\Users\admin\AppData\Local\Temp\cpwc4gs2x.exe | cpwc4gs2x.exe | |
User: admin Company: PepsiCo Integrity Level: MEDIUM Description: Bedstand Exit code: 0 Version: 4.7.71.11 | ||||
3600 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | cpwc4gs2x.exe | |
User: admin Company: PepsiCo Integrity Level: MEDIUM Description: Bedstand Exit code: 0 Version: 4.7.71.11 | ||||
3692 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | soundser.exe | |
User: admin Company: PepsiCo Integrity Level: MEDIUM Description: Bedstand Version: 4.7.71.11 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1848 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | |
MD5:472594722D5FB4EF7BDC443A494E0D82 | SHA256:5B161E2BC963CECF0A845705FBE053DF269D5D1E9C57CB1E27D5FBC488BEAF19 | |||
2156 | cpwc4gs2x.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:4042F9B434B667CC9BA1C96715A1A79E | SHA256:1B6AA692BA88E13DDEC659E9C601D305146FBA99E16181467CDFE49C7B109918 | |||
1848 | WScript.exe | C:\Users\admin\AppData\Local\Temp\cpwc4gs2x.exe | executable | |
MD5:4042F9B434B667CC9BA1C96715A1A79E | SHA256:1B6AA692BA88E13DDEC659E9C601D305146FBA99E16181467CDFE49C7B109918 | |||
1848 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3692 | soundser.exe | POST | — | 152.168.82.167:80 | http://152.168.82.167/prep/img/ringin/merge/ | AR | — | — | malicious |
3692 | soundser.exe | POST | — | 197.91.152.93:80 | http://197.91.152.93/vermont/enable/ringin/merge/ | ZA | — | — | malicious |
3692 | soundser.exe | POST | — | 77.82.85.35:8080 | http://77.82.85.35:8080/ringin/ban/ | RU | — | — | malicious |
1848 | WScript.exe | GET | 200 | 122.152.219.54:80 | http://122.152.219.54/wp-includes/QxG/ | CN | executable | 379 Kb | suspicious |
1848 | WScript.exe | GET | 301 | 45.56.100.50:80 | http://www.seductivestrands.com/wp-content/upgrade/jF/ | US | html | 178 b | unknown |
1848 | WScript.exe | GET | 301 | 216.239.32.21:80 | http://davidedigiorgio360.com/wp-admin/lEif/ | US | html | 255 b | malicious |
3692 | soundser.exe | POST | 200 | 66.228.45.129:8080 | http://66.228.45.129:8080/window/ | US | binary | 132 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1848 | WScript.exe | 216.239.32.21:80 | davidedigiorgio360.com | Google Inc. | US | whitelisted |
1848 | WScript.exe | 45.56.100.50:80 | www.seductivestrands.com | Linode, LLC | US | unknown |
1848 | WScript.exe | 122.152.219.54:80 | — | Shenzhen Tencent Computer Systems Company Limited | CN | suspicious |
3692 | soundser.exe | 197.91.152.93:80 | — | OPTINET | ZA | malicious |
3692 | soundser.exe | 66.228.45.129:8080 | — | Linode, LLC | US | malicious |
3692 | soundser.exe | 152.168.82.167:80 | — | CABLEVISION S.A. | AR | malicious |
3692 | soundser.exe | 77.82.85.35:8080 | — | PJSC Rostelecom | RU | malicious |
Domain | IP | Reputation |
---|---|---|
davidedigiorgio360.com |
| malicious |
www.seductivestrands.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
1848 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
1848 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
1848 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
1848 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
1848 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1848 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
1848 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
1848 | WScript.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
1848 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
3692 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 3 |