analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Заказ.js

Full analysis: https://app.any.run/tasks/33406c9a-20a4-42f1-8037-c3b85fa56535
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 23, 2019, 08:54:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
opendir
loader
ransomware
troldesh
shade
evasion
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

FAC0252002A7A1F995CD64B84BD3D0E8

SHA1:

4C17FA6859BC03795565130686695E27239F519F

SHA256:

B2630DF5BFD4003087985A7F4378F4898A87310C93293A6A7E3A318AA31A6992

SSDEEP:

96:xCix15ao8eTS/IiQ59oFT05mOT5GVLISh9KzOmrCEulcNvHg5+R04Ja:xJTl5muTxShj+AcNa+RXa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rad84C9D.tmp (PID: 3716)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 2940)
    • Deletes shadow copies

      • rad84C9D.tmp (PID: 3716)
    • Changes the autorun value in the registry

      • rad84C9D.tmp (PID: 3716)
    • TROLDESH was detected

      • rad84C9D.tmp (PID: 3716)
    • Dropped file may contain instructions of ransomware

      • rad84C9D.tmp (PID: 3716)
    • Runs app for hidden code execution

      • rad84C9D.tmp (PID: 3716)
    • Actions looks like stealing of personal data

      • rad84C9D.tmp (PID: 3716)
    • Modifies files in Chrome extension folder

      • rad84C9D.tmp (PID: 3716)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2940)
      • rad84C9D.tmp (PID: 3716)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 2532)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2940)
      • rad84C9D.tmp (PID: 3716)
    • Connects to unusual port

      • rad84C9D.tmp (PID: 3716)
    • Creates files in the user directory

      • WScript.exe (PID: 2940)
      • rad84C9D.tmp (PID: 3716)
    • Creates files like Ransomware instruction

      • rad84C9D.tmp (PID: 3716)
    • Checks for external IP

      • rad84C9D.tmp (PID: 3716)
    • Creates files in the program directory

      • rad84C9D.tmp (PID: 3716)
  • INFO

    • Dropped object may contain URL to Tor Browser

      • rad84C9D.tmp (PID: 3716)
    • Dropped object may contain TOR URL's

      • rad84C9D.tmp (PID: 3716)
    • Dropped object may contain Bitcoin addresses

      • rad84C9D.tmp (PID: 3716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
47
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs #TROLDESH rad84c9d.tmp vssadmin.exe no specs vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
2940"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Заказ.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3008"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad84C9D.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3716C:\Users\admin\AppData\Local\Temp\rad84C9D.tmpC:\Users\admin\AppData\Local\Temp\rad84C9D.tmp
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
setip/Unikstall
Version:
51.1052.0.0
2432C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exerad84C9D.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2956"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exe
rad84C9D.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2704C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2532C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exerad84C9D.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3576chcpC:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
228
Read events
188
Write events
40
Delete events
0

Modification events

(PID) Process:(2940) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2940) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2940) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2940) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2940) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2940) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2940) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2940) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2940) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2940) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
3
Suspicious files
1 100
Text files
54
Unknown types
27

Dropped files

PID
Process
Filename
Type
3716rad84C9D.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
3716rad84C9D.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
3716rad84C9D.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
3716rad84C9D.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdescs.newtext
MD5:2E924C76511EB38AD7EE60EAFBB0C2BB
SHA256:1A14F191EBC68A2B4AB8CA7C8C8617A3FAD203CC03AFC4306074804C1DE7583B
3716rad84C9D.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmptext
MD5:768AD7FE7E32287FA0259053CEA21329
SHA256:A25E6F701B9ABCC17DA1A130E963CFDF231EA756C58870E3381751AB0BC1067C
2940WScript.exeC:\Users\admin\AppData\Local\Temp\rad84C9D.tmpexecutable
MD5:F67045329A5E10B9329D4DE8C7C15D92
SHA256:A877748C5A561FEB45F946D30223E1A309902B5A05C8574A0C3E906F6CF2CCB1
3716rad84C9D.tmpC:\ProgramData\Windows\csrss.exeexecutable
MD5:F67045329A5E10B9329D4DE8C7C15D92
SHA256:A877748C5A561FEB45F946D30223E1A309902B5A05C8574A0C3E906F6CF2CCB1
3716rad84C9D.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\cached-certstext
MD5:060FFAEB343B0062B88C95DDF0ADCBB5
SHA256:B7F51276ACF3E13A50EBCC891577398C02FAB0A225B28DEB49C8B1E5334278C7
3716rad84C9D.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\unverified-microdesc-consensustext
MD5:5A1FBD33207BA4DBDD80729E4DF3565B
SHA256:581DBDAD510508D25C01B363C9EF47570F5BCD50F4DA7948C1CBF0DA75338085
3716rad84C9D.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\statetext
MD5:768AD7FE7E32287FA0259053CEA21329
SHA256:A25E6F701B9ABCC17DA1A130E963CFDF231EA756C58870E3381751AB0BC1067C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
20
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2940
WScript.exe
GET
200
74.220.215.203:80
http://edupath.edu.sa/wp-content/themes/wpeducon/css/presets/ssj.jpg
US
executable
902 Kb
malicious
3716
rad84C9D.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3716
rad84C9D.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3716
rad84C9D.tmp
GET
403
104.16.19.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3716
rad84C9D.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3716
rad84C9D.tmp
GET
403
104.16.19.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3716
rad84C9D.tmp
GET
403
104.16.19.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3716
rad84C9D.tmp
GET
403
104.16.20.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3716
rad84C9D.tmp
GET
403
104.16.19.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3716
rad84C9D.tmp
GET
403
104.16.19.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3716
rad84C9D.tmp
142.44.243.241:443
OVH SAS
CA
suspicious
3716
rad84C9D.tmp
171.25.193.9:80
Foreningen for digitala fri- och rattigheter
SE
malicious
3716
rad84C9D.tmp
128.31.0.39:9101
Massachusetts Institute of Technology
US
malicious
3716
rad84C9D.tmp
109.236.90.209:443
WorldStream B.V.
NL
malicious
3716
rad84C9D.tmp
104.16.20.96:80
whatismyipaddress.com
Cloudflare Inc
US
shared
2940
WScript.exe
74.220.215.203:80
edupath.edu.sa
Unified Layer
US
suspicious
3716
rad84C9D.tmp
104.16.19.96:80
whatismyipaddress.com
Cloudflare Inc
US
shared
3716
rad84C9D.tmp
104.16.18.96:80
whatismyipaddress.com
Cloudflare Inc
US
shared
3716
rad84C9D.tmp
176.9.92.102:9001
Hetzner Online GmbH
DE
suspicious
3716
rad84C9D.tmp
104.18.35.131:80
whatsmyip.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
edupath.edu.sa
  • 74.220.215.203
malicious
whatismyipaddress.com
  • 104.16.20.96
  • 104.16.18.96
  • 104.16.19.96
  • 104.16.17.96
  • 104.16.16.96
shared
whatsmyip.net
  • 104.18.35.131
  • 104.18.34.131
shared

Threats

PID
Process
Class
Message
2940
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2940
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2940
WScript.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
2940
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
3716
rad84C9D.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 175
3716
rad84C9D.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
3716
rad84C9D.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
3716
rad84C9D.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 132
3716
rad84C9D.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 98
3716
rad84C9D.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 195
23 ETPRO signatures available at the full report
No debug info