File name:

Группа компаний Рольф подробности заказа.js

Full analysis: https://app.any.run/tasks/eb3322ce-b05c-4311-a1cf-a22254493b9e
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: March 14, 2019, 07:51:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
troldesh
shade
evasion
trojan
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

837DDC66E72D46E25FF60FB346FA5668

SHA1:

27DD8D146956CBACA76B8A8FB4638382D5DEE6B5

SHA256:

BC606F2F87A87D5735E9AFA9A2D855F9B10CF0B96E43CD82A09EF556BD41562A

SSDEEP:

96:DNEHbI6OSvCGi6W8HNVfFerx0rgw+CD6UYVXJkvBh09yR1mqcs8N9:hEHbI69CGDlHjsG8wd6NZJcyAR1mqcso

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rad081A9.tmp (PID: 3912)

    • Changes settings of System certificates

      • WScript.exe (PID: 2728)

    • Changes the autorun value in the registry

      • rad081A9.tmp (PID: 3912)

    • TROLDESH was detected

      • rad081A9.tmp (PID: 3912)

    • Actions looks like stealing of personal data

      • rad081A9.tmp (PID: 3912)

    • Modifies files in Chrome extension folder

      • rad081A9.tmp (PID: 3912)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2728)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3152)

    • Creates files in the user directory

      • WScript.exe (PID: 2728)

    • Adds / modifies Windows certificates

      • WScript.exe (PID: 2728)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2728)
      • rad081A9.tmp (PID: 3912)

    • Creates files in the program directory

      • rad081A9.tmp (PID: 3912)

    • Connects to unusual port

      • rad081A9.tmp (PID: 3912)

    • Checks for external IP

      • rad081A9.tmp (PID: 3912)

  • INFO

    • Dropped object may contain URL to Tor Browser

      • rad081A9.tmp (PID: 3912)

    • Dropped object may contain TOR URL's

      • rad081A9.tmp (PID: 3912)

    • Dropped object may contain Bitcoin addresses

      • rad081A9.tmp (PID: 3912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs #TROLDESH rad081a9.tmp vssadmin.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2600C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exerad081A9.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2728"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Группа компаний Рольф подробности заказа.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3152"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad081A9.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3912C:\Users\admin\AppData\Local\Temp\rad081A9.tmpC:\Users\admin\AppData\Local\Temp\rad081A9.tmp
cmd.exe
User:
admin
Company:
Burnaware
Integrity Level:
MEDIUM
Description:
Verify Disc
Exit code:
0
Version:
8.3.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rad081a9.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
218
Read events
176
Write events
41
Delete events
1

Modification events

(PID) Process:(2728) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2728) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2728) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2728) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(2728) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2728) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2728) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2728) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2728) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(2728) WScript.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\WScript_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
3
Suspicious files
270
Text files
38
Unknown types
9

Dropped files

PID
Process
Filename
Type
3912rad081A9.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
3912rad081A9.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
3912rad081A9.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
3912rad081A9.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
3912rad081A9.tmpC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
3912rad081A9.tmpC:\Users\Public\Videos\Sample Videos\rUCRhGyF3KBJYGFCtN12szzR4BKJIXWGCgTrLCUP6VM=.906D0F2E2F604F839E04.crypted000007
MD5:
SHA256:
3912rad081A9.tmpC:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
MD5:
SHA256:
3912rad081A9.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\statetext
MD5:
SHA256:
3912rad081A9.tmpC:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
MD5:
SHA256:
3912rad081A9.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\cached-microdesc-consensustext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
18
DNS requests
3
Threats
45

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3912
rad081A9.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3912
rad081A9.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3912
rad081A9.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3912
rad081A9.tmp
GET
403
104.16.155.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3912
rad081A9.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3912
rad081A9.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3912
rad081A9.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3912
rad081A9.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3912
rad081A9.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
3912
rad081A9.tmp
GET
403
104.16.154.36:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3912
rad081A9.tmp
104.18.35.131:80
whatsmyip.net
Cloudflare Inc
US
shared
2728
WScript.exe
136.144.173.55:443
cloud.albertgrafica.com.br
Transip B.V.
NL
unknown
3912
rad081A9.tmp
128.31.0.39:9101
Massachusetts Institute of Technology
US
malicious
3912
rad081A9.tmp
131.188.40.189:443
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
malicious
3912
rad081A9.tmp
108.53.208.157:443
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3912
rad081A9.tmp
80.240.216.253:9421
OJSC Comcor
RU
suspicious
3912
rad081A9.tmp
217.79.178.60:443
myLoc managed IT AG
DE
suspicious
3912
rad081A9.tmp
104.16.154.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared
3912
rad081A9.tmp
104.16.155.36:80
whatismyipaddress.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
cloud.albertgrafica.com.br
  • 136.144.173.55
unknown
whatismyipaddress.com
  • 104.16.154.36
  • 104.16.155.36
shared
whatsmyip.net
  • 104.18.35.131
  • 104.18.34.131
shared

Threats

PID
Process
Class
Message
3912
rad081A9.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
3912
rad081A9.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3912
rad081A9.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 116
3912
rad081A9.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3912
rad081A9.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 96
3912
rad081A9.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 365
3912
rad081A9.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 600
3912
rad081A9.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
3912
rad081A9.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
3912
rad081A9.tmp
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
23 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Группа компаний Рольф подробности заказа.js