File name: hxatdS4g.js
Full analysis: https://app.any.run/tasks/4d6d1327-65e2-40f6-996a-e1ef9427ce1c
Verdict: Malicious activity
Threats:

Cobalt Strike is a legitimate penetration-testing toolkit developed by Fortra. Cracked versions of it are widely adopted by bad actors, who use it as their C2 system of choice for targeted attacks.

Analysis date: September 18, 2019, 15:39:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
cobaltstrike
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with CRLF line terminators
MD5: CB11BB90F94A39AED353207844C37BAF
SHA1: B3204F28FC0D3CA7BF0DFC7DEB2E8775E7FBFA4E
SHA256: E8C63261EA549E8B932E278D85BAEC0B6D1C41186D7DFC5D82C0C5D5692F3001
SSDEEP: 3072:Mf/BHVxrsd1bWaq/L8b6EAwno2YpmESwMtmm+VMAxyJwB/RoO:Mf/BHVxrsdIaE8GVP9pmESxt7JqBZoO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Registers / Runs the DLL via REGSVR32.EXE
      • WScript.exe (PID: 3672)
      • regsvr32.exe (PID: 3136)
    • Changes the autorun value in the registry
      • regsvr32.exe (PID: 3136)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WScript.exe (PID: 3672)
    • Application launched itself
      • regsvr32.exe (PID: 3136)
    • Creates files in the user directory
      • regSVR32.exe (PID: 3140)
      • regsvr32.exe (PID: 3136)
    • Starts CMD.EXE for command execution
      • regsvr32.exe (PID: 3136)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • WScript.exe (PID: 3672)
No Malware configuration.
No data.
Total processes: 36
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph (process chain)

start -> wscript.exe -> regsvr32.exe -> regsvr32.exe -> cmd.exe

Process information

PID: 3672
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\hxatdS4g.js"
Path: C:\Windows\System32\WScript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 3136
CMD: "C:\Windows\System32\regsvr32.exe" /s "C:\Users\admin\45787.txt"
Path: C:\Windows\System32\regsvr32.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3140
CMD: regSVR32 /S /N /U /I:"C:/Users/admin/AppData/Roaming/88771837A56C.txt" ScRoBJ
Path: C:\Windows\System32\regSVR32.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft(C) Register Server
Exit code: (process still running at end of analysis)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3200
CMD: C:\Windows\system32\cmd.exe /c del "C:\Users\admin\45787.txt" >> NUL
Path: C:\Windows\system32\cmd.exe
Parent process: regsvr32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 164
Read events: 140
Write events: 24
Delete events: 0

Modification events

Process: (3672) WScript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: UNCAsIntranet, Value: 0

Process: (3672) WScript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write, Name: AutoDetect, Value: 1

Process: (3136) regsvr32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation: write, Name: admin, Value: 2C54A6,88771837A56C

Process: (3136) regsvr32.exe
Key: HKEY_CURRENT_USER\Environment
Operation: write, Name: UserInitMprLogonScript
Value: regsvr32 /S /N /U /I:"C:/Users/admin/AppData/Roaming/88771837A56C.txt" ScRoBJ

Process: (3140) regSVR32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\regSVR32_RASAPI32
Operation: write, Name: EnableFileTracing, Value: 0

Process: (3140) regSVR32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\regSVR32_RASAPI32
Operation: write, Name: EnableConsoleTracing, Value: 0

Process: (3140) regSVR32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\regSVR32_RASAPI32
Operation: write, Name: FileTracingMask, Value: 4294901760

Process: (3140) regSVR32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\regSVR32_RASAPI32
Operation: write, Name: ConsoleTracingMask, Value: 4294901760

Process: (3140) regSVR32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\regSVR32_RASAPI32
Operation: write, Name: MaxFileSize, Value: 1048576

Process: (3140) regSVR32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\regSVR32_RASAPI32
Operation: write, Name: FileDirectory, Value: %windir%\tracing
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 3136, Process: regsvr32.exe
Filename: C:\Users\admin\AppData\Roaming\88771837A56C.txt, Type: html
MD5: B4B116E7361D5100040DFF57FC7DE312
SHA256: 3916FE4C7CFC4BB1E1FE7BC41F6DE87E07D87E225323AAC2B6D5E1927C3A59DE

PID: 3672, Process: WScript.exe
Filename: C:\Users\admin\45787.txt, Type: executable
MD5: 3F7A68DAEEEFBB88880FF30540DC4C4B
SHA256: 69CFA9D198AC78CC5C923F788833409A04FF42303983E0458F59CF431ABEA0EB
HTTP(S) requests: 31
TCP/UDP connections: 31
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3140 | regSVR32.exe | HEAD | 200 | 128.30.52.100:80 | http://www.w3.org/1999/XSL/Format | US | whitelisted
3140 | regSVR32.exe | GET | (no response) | 8.8.8.8:80 | http://8.8.8.8/42422 | US | whitelisted
3140 | regSVR32.exe | GET | (no response) | 8.8.8.8:80 | http://8.8.8.8/34770 | US | whitelisted
3140 | regSVR32.exe | GET | (no response) | 8.8.8.8:80 | http://8.8.8.8/96853 | US | whitelisted
3140 | regSVR32.exe | GET | (no response) | 8.8.8.8:80 | http://8.8.8.8/30838 | US | whitelisted
3140 | regSVR32.exe | GET | (no response) | 8.8.8.8:80 | http://8.8.8.8/92202 | US | whitelisted
3140 | regSVR32.exe | GET | (no response) | 8.8.8.8:80 | http://8.8.8.8/56957 | US | whitelisted
3140 | regSVR32.exe | GET | (no response) | 8.8.8.8:80 | http://8.8.8.8/4293 | US | whitelisted
3140 | regSVR32.exe | GET | (no response) | 8.8.8.8:80 | http://8.8.8.8/94225 | US | whitelisted
3140 | regSVR32.exe | GET | (no response) | 8.8.8.8:80 | http://8.8.8.8/87796 | US | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3140 | regSVR32.exe | 8.8.8.8:80 | (none) | Google Inc. | US | whitelisted
3140 | regSVR32.exe | 128.30.52.100:80 | www.w3.org | Massachusetts Institute of Technology | US | whitelisted
(none) | (none) | 8.8.8.8:80 | (none) | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
www.w3.org | 128.30.52.100 | whitelisted
api.fujitsu.org.kz | (no answer) | unknown

Threats

PID | Process | Class | Message
(none) | (none) | A Network Trojan was detected | ET TROJAN Cobalt Group/More_Eggs CnC Domain in DNS Lookup
2 ETPRO signatures available at the full report
No debug info