File name: Remmitance Copy.js
Full analysis: https://app.any.run/tasks/62e8a841-c851-422f-8974-4544b5bb6def
Verdict: Malicious activity
Analysis date: December 18, 2018, 16:32:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: text/plain
File info: Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5: 821A6D89CA3378D14B05EB10144814D0
SHA1: CAF5D87117254C4EC92C78A9A08ED577F1A57C10
SHA256: E0299EC97F4E882600B5583FCED3A5191443C2B43B531ABCC06E535ED96C8B0D
SSDEEP: 192:VNgnrKVQXKYwGSJHMbzL3iufHZOxu83yk:VerKVQXKYTyHMbzLNf0u83yk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Writes to a start menu file

      • WScript.exe (PID: 2832)
  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 2832)
      • notepad++.exe (PID: 3544)
      • notepad++.exe (PID: 3956)
      • notepad++.exe (PID: 3604)
    • Executes scripts

      • cmd.exe (PID: 3088)
    • Connects to unusual port

      • WScript.exe (PID: 2832)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 12
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in order (entries marked "no specs" carry no indicators): wscript.exe, explorer.exe (no specs), notepad++.exe, gup.exe, cmd.exe (no specs), wscript.exe (no specs), notepad++.exe, wscript.exe (no specs), notepad++.exe, wscript.exe (no specs), notepad++.exe, wscript.exe (no specs)

Process information

PID: 2832
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385

PID: 2584
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3544
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.51

PID: 924
CMD: "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
Path: C:\Program Files\Notepad++\updater\gup.exe
Parent process: notepad++.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: GUP : a free (LGPL) Generic Updater
Exit code: 0
Version: 4.1

PID: 3088
CMD: "C:\Windows\system32\cmd.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2268
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js"
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3956
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.51

PID: 3036
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js"
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.8.7600.16385

PID: 2888
CMD: "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js"
Path: C:\Program Files\Notepad++\notepad++.exe
Parent process: explorer.exe
User: admin
Company:
Integrity Level: MEDIUM
Description: Notepad++ : a free (GNU) source code editor
Exit code: 0
Version: 7.51

PID: 3708
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js"
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.8.7600.16385

Total events: 345
Read events: 282
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 22
Unknown types: 0

Dropped files

PID: 2832 | Process: WScript.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Remmitance Copy.js
MD5: 821A6D89CA3378D14B05EB10144814D0
SHA256: E0299EC97F4E882600B5583FCED3A5191443C2B43B531ABCC06E535ED96C8B0D

PID: 3604 | Process: notepad++.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js
MD5: 7F5808FCFBDC13890EA8647FBC178CA1
SHA256: 1D43E8264BD357B314E1003202356AE45B96D3DADAD2AE494342D9A8920C815F

PID: 3544 | Process: notepad++.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Notepad++\session.xml
MD5: D2190EA6B5CFD7AD5154CF0FAA4F6703
SHA256: 4F20AF8512D007D6FC153DF50990C118228F2DAFF0632AFB08F65B89E608E82C

PID: 3956 | Process: notepad++.exe | Type: xml
Filename: C:\Users\admin\AppData\Roaming\Notepad++\config.xml
MD5: 200B2AAFD04E2B323A4DBA550CA8435C
SHA256: 62B21B4133322A3B96331F179C681343927E4FDD2801279792A1CAB4BBA65A4E

PID: 3956 | Process: notepad++.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Notepad++\backup\Remmitance Copy.js@2018-12-18_163550
MD5: 91BC1683F820D7C630B23D7A6D925A82
SHA256: 473798B9FAF916BB307FAA0FC3786AD5A4D6F040B2471346C52047D71A9C0A14

PID: 3544 | Process: notepad++.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Notepad++\backup\Remmitance Copy.js@2018-12-18_163406
MD5: 0D7A4C29B1342965D3E69EB61D7E3620
SHA256: 5A9E774FD926025FA054EC6AB2A4E7EA2A4922E50C687D573E5F169B53242D9C

PID: 3544 | Process: notepad++.exe | Type: text
Filename: C:\Users\admin\AppData\Roaming\Notepad++\plugins\Config\converter.ini
MD5: F70F579156C93B097E656CABA577A5C9
SHA256: B926498A19CA95DC28964B7336E5847107DD3C0F52C85195C135D9DD6CA402D4

PID: 3544 | Process: notepad++.exe | Type: xml
Filename: C:\Users\admin\AppData\Roaming\Notepad++\config.xml
MD5: 31401E84150FDD475E79C0F607AF1D50
SHA256: AB20E3EAE7C4EF474F9C4C279BB5A94578E39EB2E363826065D3B037F367EC9D

PID: 3544 | Process: notepad++.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Remmitance Copy.js
MD5: D40003800559CC25DB961F2418F0236B
SHA256: C787FBA0A36EDB8117E3DB936221D1BE89BB51CA2FAAFC5418263EC053595C1A

PID: 2888 | Process: notepad++.exe | Type: xml
Filename: C:\Users\admin\AppData\Roaming\Notepad++\config.xml
MD5: 200B2AAFD04E2B323A4DBA550CA8435C
SHA256: 62B21B4133322A3B96331F179C681343927E4FDD2801279792A1CAB4BBA65A4E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 13
DNS requests: 4
Threats: 0

HTTP requests

Method: GET | HTTP Code: 200 | IP: 2.16.186.32:80
URL: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
CN: unknown | Type: der | Size: 471 b | Reputation: whitelisted

Method: GET | HTTP Code: 200 | IP: 2.16.186.32:80
URL: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D
CN: unknown | Type: der | Size: 727 b | Reputation: whitelisted


Connections

IP: 2.16.186.32:80 | Domain: ocsp.usertrust.com | ASN: Akamai International B.V. | Reputation: whitelisted
PID: 924 | Process: gup.exe | IP: 37.59.28.236:443 | Domain: notepad-plus-plus.org | ASN: OVH SAS | CN: FR | Reputation: whitelisted
PID: 2832 | Process: WScript.exe | IP: 185.158.139.173:1114 | ASN: Keyweb AG | CN: DE | Reputation: malicious

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
shared
notepad-plus-plus.org
  • 37.59.28.236
whitelisted
ocsp.usertrust.com
  • 2.16.186.32
  • 2.16.186.41
whitelisted

Threats

No threats detected
Process | Message
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll