analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

отдел спецпроектов заказ.js

Full analysis: https://app.any.run/tasks/28e8a078-e64a-4a00-a24d-01f2504cd9ea
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 18, 2018, 09:50:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
trojan
loader
ransomware
troldesh
shade
evasion
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5:

A3F93F056E4FD6028CDA1BA5CA9C886C

SHA1:

74C5A7598565735562C1036E87496FB756F90F12

SHA256:

D9E106A6835A4944A6CD617255AC95E4A5EB44A355CE949B62868A43BDA426A3

SSDEEP:

96:Aw5LSNxGzbAB/WeqLZKLTMy8ooxPekum1DFsU1Yrt7QTzLXc2OxFT6:xWnGzO/QLsXMy8oo8pmxyUQtMTP7uk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rad8E84D.tmp (PID: 2884)
    • Downloads executable files from the Internet

      • WScript.exe (PID: 2928)
    • Changes the autorun value in the registry

      • rad8E84D.tmp (PID: 2884)
    • TROLDESH was detected

      • rad8E84D.tmp (PID: 2884)
    • Deletes shadow copies

      • rad8E84D.tmp (PID: 2884)
    • Runs app for hidden code execution

      • rad8E84D.tmp (PID: 2884)
    • Actions looks like stealing of personal data

      • rad8E84D.tmp (PID: 2884)
    • Dropped file may contain instructions of ransomware

      • rad8E84D.tmp (PID: 2884)
    • Modifies files in Chrome extension folder

      • rad8E84D.tmp (PID: 2884)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2928)
      • rad8E84D.tmp (PID: 2884)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1784)
      • cmd.exe (PID: 2356)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2928)
      • rad8E84D.tmp (PID: 2884)
    • Connects to unusual port

      • rad8E84D.tmp (PID: 2884)
    • Creates files in the program directory

      • rad8E84D.tmp (PID: 2884)
    • Checks for external IP

      • rad8E84D.tmp (PID: 2884)
    • Creates files like Ransomware instruction

      • rad8E84D.tmp (PID: 2884)
    • Creates files in the user directory

      • rad8E84D.tmp (PID: 2884)
  • INFO

    • Dropped object may contain URL to Tor Browser

      • rad8E84D.tmp (PID: 2884)
    • Dropped object may contain Bitcoin addresses

      • rad8E84D.tmp (PID: 2884)
    • Dropped object may contain TOR URL's

      • rad8E84D.tmp (PID: 2884)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe cmd.exe no specs #TROLDESH rad8e84d.tmp vssadmin.exe no specs vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs

Process information

PID
CMD
Path
Indicators
Parent process
2928"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\отдел спецпроектов заказ.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1784"C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad8E84D.tmpC:\Windows\System32\cmd.exeWScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2884C:\Users\admin\AppData\Local\Temp\rad8E84D.tmpC:\Users\admin\AppData\Local\Temp\rad8E84D.tmp
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Version:
8,8,0,1000
2220C:\Windows\system32\vssadmin.exe List ShadowsC:\Windows\system32\vssadmin.exerad8E84D.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3728"C:\Windows\system32\vssadmin.exe" Delete Shadows /All /QuietC:\Windows\system32\vssadmin.exe
rad8E84D.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2104C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2356C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exerad8E84D.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3332chcpC:\Windows\system32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
229
Read events
189
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
1 092
Text files
48
Unknown types
31

Dropped files

PID
Process
Filename
Type
2884rad8E84D.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp
MD5:
SHA256:
2884rad8E84D.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp
MD5:
SHA256:
2884rad8E84D.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-certs.tmp
MD5:
SHA256:
2884rad8E84D.tmpC:\Users\admin\AppData\Local\Temp\6893A5D897\cached-microdesc-consensus.tmp
MD5:
SHA256:
2884rad8E84D.tmpC:\Users\Public\Videos\Sample Videos\Wildlife.wmv
MD5:
SHA256:
2884rad8E84D.tmpC:\Users\Public\Videos\Sample Videos\3JsF6yW9v1utmb1HFypSTbyy+GMJvmYRdvejVN6O4LE=.906D0F2E2F604F839E04.crypted000007
MD5:
SHA256:
2884rad8E84D.tmpC:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
MD5:
SHA256:
2884rad8E84D.tmpC:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
MD5:
SHA256:
2884rad8E84D.tmpC:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
MD5:
SHA256:
2884rad8E84D.tmpC:\Users\admin\AppData\Local\Temp\6893A5~1\cached-certstext
MD5:F975ECBCA6E6F928BAA2B7DB0EF5D9AB
SHA256:4E4E0B4C9BA8696B8AE40AD4DB56E47AF6ED4024EF807ED1C250C0B02C5D449C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
17
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2884
rad8E84D.tmp
GET
403
104.16.18.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
2884
rad8E84D.tmp
GET
403
104.16.18.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
2928
WScript.exe
GET
200
107.155.140.75:80
http://tudosobrepalavras.com/wp-content/themes/islemag/img/sserv.jpg
US
executable
1.45 Mb
malicious
2884
rad8E84D.tmp
GET
403
104.16.18.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
2884
rad8E84D.tmp
GET
403
104.16.18.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
2884
rad8E84D.tmp
GET
403
104.16.18.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
2884
rad8E84D.tmp
GET
200
104.18.35.131:80
http://whatsmyip.net/
US
html
7.35 Kb
shared
2884
rad8E84D.tmp
GET
403
104.16.18.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
2884
rad8E84D.tmp
GET
403
104.16.18.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
2884
rad8E84D.tmp
GET
403
104.16.18.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2884
rad8E84D.tmp
131.188.40.189:443
Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
DE
malicious
2884
rad8E84D.tmp
50.21.183.46:59999
1&1 Internet SE
US
suspicious
2928
WScript.exe
107.155.140.75:80
tudosobrepalavras.com
Nodes Direct
US
suspicious
2884
rad8E84D.tmp
128.31.0.39:9101
Massachusetts Institute of Technology
US
malicious
2884
rad8E84D.tmp
158.69.217.87:9001
OVH SAS
CA
suspicious
2884
rad8E84D.tmp
109.70.100.11:443
Next Layer Telekommunikationsdienstleistungs- und Beratungs GmbH
AT
suspicious
2884
rad8E84D.tmp
104.16.18.96:80
whatismyipaddress.com
Cloudflare Inc
US
shared
2884
rad8E84D.tmp
104.18.35.131:80
whatsmyip.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
tudosobrepalavras.com
  • 107.155.140.75
malicious
whatismyipaddress.com
  • 104.16.18.96
  • 104.16.16.96
  • 104.16.20.96
  • 104.16.19.96
  • 104.16.17.96
shared
whatsmyip.net
  • 104.18.35.131
  • 104.18.34.131
shared

Threats

PID
Process
Class
Message
2928
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2928
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2928
WScript.exe
A Network Trojan was detected
ET TROJAN JS/WSF Downloader Dec 08 2016 M4
2928
WScript.exe
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2928
WScript.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
2928
WScript.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
2884
rad8E84D.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 110
2884
rad8E84D.tmp
Misc activity
ET POLICY TLS possible TOR SSL traffic
2884
rad8E84D.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 97
2884
rad8E84D.tmp
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 151
22 ETPRO signatures available at the full report
No debug info