download: | Jgpl-AVVwPZO7UEfAVD_BsPxEfQNl-8K |
Full analysis: | https://app.any.run/tasks/98cfdf58-06a5-4d65-a13f-60de098bf75f |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | April 25, 2019, 14:24:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | D8E7629C1A0014BD2E119B35CAD65D88 |
SHA1: | D10EB4CF69562A4514EB13AEA6F8912FE3E158B5 |
SHA256: | E0EC4D2088282CFB1AD07AF447D41E2049402AC08996F6CEA4C93A758ABD3FEB |
SSDEEP: | 96:oLqXk3yjygzu5uAzKmJF7/F8d6qTbeRkM5XcOaQC5BWezUWY2TyJfM8DjVVZRe/z:u3+LKXK6SduRk0MrQkS1E38fVI/hl |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | JY-807212827-04252019.js |
---|---|
ZipUncompressedSize: | 29851 |
ZipCompressedSize: | 6952 |
ZipCRC: | 0xaa96b170 |
ZipModifyDate: | 2019:04:25 17:14:09 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0002 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2604 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Jgpl-AVVwPZO7UEfAVD_BsPxEfQNl-8K.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1076 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2604.34336\JY-807212827-04252019.js" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
3092 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2604.34841\JY-807212827-04252019.js" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3860 | "C:\Users\admin\AppData\Local\Temp\rlzj4uha4.exe" | C:\Users\admin\AppData\Local\Temp\rlzj4uha4.exe | — | WScript.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3108 | --174b8974 | C:\Users\admin\AppData\Local\Temp\rlzj4uha4.exe | rlzj4uha4.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2848 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2604.36530\JY-807212827-04252019.js" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
296 | "C:\Users\admin\AppData\Local\soundser\soundser.exe" | C:\Users\admin\AppData\Local\soundser\soundser.exe | rlzj4uha4.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2240 | --3ab57678 | C:\Users\admin\AppData\Local\soundser\soundser.exe | — | soundser.exe |
User: admin Integrity Level: MEDIUM |
PID | Process | Filename | Type | |
---|---|---|---|---|
1076 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\noRN96koOG[1].exe | — | |
MD5:— | SHA256:— | |||
3092 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\noRN96koOG[1].exe | — | |
MD5:— | SHA256:— | |||
2848 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\noRN96koOG[1].exe | — | |
MD5:— | SHA256:— | |||
2604 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2604.34841\JY-807212827-04252019.js | text | |
MD5:946BA70FCB91888981E6FC5A81D9E7AE | SHA256:EDAB37A0304B9B8CB7C0140043B1C41DE464928D5835545575E593B95F5F9295 | |||
1076 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@lotuspolymers[1].txt | text | |
MD5:AF32E1A89C452E88B0C8E8989A2040B3 | SHA256:6056BBA26E4E707D69A2C461448F80F02D4D173E7FBFFDCE414D47A6E7A3AB58 | |||
2604 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2604.34336\JY-807212827-04252019.js | text | |
MD5:946BA70FCB91888981E6FC5A81D9E7AE | SHA256:EDAB37A0304B9B8CB7C0140043B1C41DE464928D5835545575E593B95F5F9295 | |||
3092 | WScript.exe | C:\Users\admin\AppData\Local\Temp\rlzj4uha4.exe | executable | |
MD5:3F5A7865E0EE668A2BFFCA64CBF127CD | SHA256:9C38B0B64EB091EB10521EE5A602940020AFA164615CC93898E771DFF24C97CE | |||
3108 | rlzj4uha4.exe | C:\Users\admin\AppData\Local\soundser\soundser.exe | executable | |
MD5:3F5A7865E0EE668A2BFFCA64CBF127CD | SHA256:9C38B0B64EB091EB10521EE5A602940020AFA164615CC93898E771DFF24C97CE | |||
3092 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@lotuspolymers[2].txt | text | |
MD5:E8445612462BDBB9A071E77BB98708CB | SHA256:2B0064E0E6BD1A819C9B65F8A3BAC753EB334F2B37E552785C87D153A64F5B7B | |||
2848 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@lotuspolymers[1].txt | text | |
MD5:3B8FE2FB3E9A96519AE12CEF69B5B6A7 | SHA256:DE4ECAF5BFA302C86898713F9CE5DDBF4631AC5AC4090B1BD0E6E289EBDB572D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2848 | WScript.exe | GET | 200 | 107.180.14.32:80 | http://lotuspolymers.com/wp-includes/GacU/ | US | executable | 78.5 Kb | malicious |
3092 | WScript.exe | GET | 200 | 107.180.14.32:80 | http://lotuspolymers.com/wp-includes/GacU/ | US | executable | 78.5 Kb | malicious |
1076 | WScript.exe | GET | 200 | 107.180.14.32:80 | http://lotuspolymers.com/wp-includes/GacU/ | US | executable | 78.5 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3092 | WScript.exe | 103.84.194.226:443 | dolanmbakboyo.com | PT. Drupadi Prima | ID | suspicious |
3092 | WScript.exe | 107.180.14.32:80 | lotuspolymers.com | GoDaddy.com, LLC | US | malicious |
— | — | 103.84.194.226:443 | dolanmbakboyo.com | PT. Drupadi Prima | ID | suspicious |
1076 | WScript.exe | 107.180.14.32:80 | lotuspolymers.com | GoDaddy.com, LLC | US | malicious |
1076 | WScript.exe | 103.84.194.226:443 | dolanmbakboyo.com | PT. Drupadi Prima | ID | suspicious |
2848 | WScript.exe | 103.84.194.226:443 | dolanmbakboyo.com | PT. Drupadi Prima | ID | suspicious |
2848 | WScript.exe | 107.180.14.32:80 | lotuspolymers.com | GoDaddy.com, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
dolanmbakboyo.com |
| malicious |
lotuspolymers.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1076 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1076 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1076 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1076 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1076 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1076 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
3092 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
3092 | WScript.exe | Generic Protocol Command Decode | SURICATA TLS invalid record type |
1076 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
1076 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |