analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

SWIFT_AMENDMENT_POLICY_PAYMENT_SOLUTION_PDF.js

Full analysis: https://app.any.run/tasks/9cfe8411-bbf6-4f9d-88ff-7885eb3b9180
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 12, 2019, 09:22:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines
MD5:

B9C748A0CFF4AE3E47A3F734529E1A17

SHA1:

DCC1079ACD595F3F3B8A8088C39DE331CAEB353C

SHA256:

F4D115A7239BCEACFD13F2E1E5970EF8EE02214E346BE25CCED59BF5D564B43E

SSDEEP:

1536:76iLr7FvFJjn3GRcQOGcpIh4jqhFMtGEY2GTqpP0AHOfH32ufWV1wBwCOTc:7/7Jj3GFOGUGmchX97w7c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Writes to a start menu file

      • WScript.exe (PID: 3324)
      • wscript.exe (PID: 1728)
      • wscript.exe (PID: 3896)

    • Changes the autorun value in the registry

      • WScript.exe (PID: 3324)
      • wscript.exe (PID: 1728)
      • wscript.exe (PID: 3896)

    • Connects to CnC server

      • wscript.exe (PID: 3896)

    • Application was dropped or rewritten from another process

      • cmdc.exe (PID: 3672)
      • cmdc.exe (PID: 1888)
      • kl-plugin.exe (PID: 2860)
      • cmdc.exe (PID: 2572)
      • cmdc.exe (PID: 3460)
      • cmdc.exe (PID: 988)
      • cmdc.exe (PID: 2244)
      • cmdc.exe (PID: 3544)
      • cmdc.exe (PID: 3256)

    • Downloads executable files from the Internet

      • wscript.exe (PID: 3896)

    • Stealing of credential data

      • wscript.exe (PID: 3896)
      • cmdc.exe (PID: 3460)
      • cmdc.exe (PID: 2244)
      • cmdc.exe (PID: 3256)

    • Actions looks like stealing of personal data

      • cmdc.exe (PID: 2244)
      • cmdc.exe (PID: 3460)
      • cmdc.exe (PID: 3256)

  • SUSPICIOUS

    • Application launched itself

      • WScript.exe (PID: 3324)
      • wscript.exe (PID: 3896)
      • cmdc.exe (PID: 1888)
      • cmdc.exe (PID: 3672)
      • cmdc.exe (PID: 988)
      • cmdc.exe (PID: 3544)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3896)

    • Creates files in the user directory

      • wscript.exe (PID: 1728)
      • WScript.exe (PID: 3324)
      • wscript.exe (PID: 3896)
      • cmdc.exe (PID: 3460)
      • cmdc.exe (PID: 3256)

    • Executes scripts

      • wscript.exe (PID: 3896)
      • WScript.exe (PID: 3324)

    • Executable content was dropped or overwritten

      • wscript.exe (PID: 3896)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2768)
      • cmd.exe (PID: 2036)
      • cmd.exe (PID: 1816)
      • cmd.exe (PID: 3428)
      • cmd.exe (PID: 2196)
      • cmd.exe (PID: 692)
      • cmd.exe (PID: 772)

    • Loads DLL from Mozilla Firefox

      • cmdc.exe (PID: 2244)
      • cmdc.exe (PID: 3460)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
66
Monitored processes
27
Malicious processes
10
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start wscript.exe wscript.exe wscript.exe wscript.exe no specs cmd.exe no specs taskkill.exe no specs kl-plugin.exe cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmdc.exe no specs cmdc.exe no specs cmd.exe no specs taskkill.exe no specs cmdc.exe no specs cmdc.exe cmd.exe no specs taskkill.exe no specs cmdc.exe no specs cmdc.exe cmd.exe no specs taskkill.exe no specs cmd.exe no specs taskkill.exe no specs cmdc.exe no specs cmdc.exe

Process information

PID
CMD
Path
Indicators
Parent process
3324"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\SWIFT_AMENDMENT_POLICY_PAYMENT_SOLUTION_PDF.js"C:\Windows\System32\WScript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
1728"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\ieLnblHVdD.js"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3896"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\SWIFT_AMENDMENT_POLICY_PAYMENT_SOLUTION_PDF.js"C:\Windows\System32\wscript.exe
WScript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.8.7600.16385
3176"C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\ieLnblHVdD.js"C:\Windows\System32\wscript.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
1
Version:
5.8.7600.16385
2768"C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exeC:\Windows\system32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2188taskkill /F /IM kl-plugin.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2860"C:\Users\admin\AppData\Roaming\kl-plugin.exe" www.tcoolsoul.com 1986 "WSHRAT|C4BA3647|USER-PC|admin|Microsoft Windows 7 Professional |plus|nan-av|false - 12/6/2019|JavaScript-v1.2" 1C:\Users\admin\AppData\Roaming\kl-plugin.exe
wscript.exe
User:
admin
Company:
WSHRat Plugin
Integrity Level:
MEDIUM
Description:
klplu
Version:
1.1.0.0
2036"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exeC:\Windows\system32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3296taskkill /F /IM cmdc.exeC:\Windows\system32\taskkill.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3428"C:\Windows\system32\cmd.exe" /c taskkill /F /IM cmdc.exeC:\Windows\system32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
128
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
857
Read events
795
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
0
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
2860kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\js3u_xa7.newcfg
MD5:
SHA256:
2860kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\jpx-fdrx.newcfg
MD5:
SHA256:
2860kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\yzowbpsa.newcfg
MD5:
SHA256:
2860kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\jwrkhg8x.newcfg
MD5:
SHA256:
2860kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\mqhonbx_.newcfg
MD5:
SHA256:
2860kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\9o0xdlqg.newcfg
MD5:
SHA256:
2860kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\mqczniwy.newcfg
MD5:
SHA256:
2860kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\u127i3jl.newcfg
MD5:
SHA256:
2860kl-plugin.exeC:\Users\admin\AppData\Local\WSHRat_Plugin\kl-plugin.exe_Url_jaxmfvxjr5veege4korvji5hcwi3t2rj\1.1.0.0\7dtvhpen.newcfg
MD5:
SHA256:
1728wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ieLnblHVdD.jstext
MD5:7F0878101EFC57BE90BE80455BA87F38
SHA256:51B0DB6C7DE7635AC3B397ADF12570FB6C05E99E57B4D0C8359F919BFDA1D06D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
8
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3896
wscript.exe
POST
185.247.228.49:1986
http://www.tcoolsoul.com:1986/is-ready
unknown
malicious
3896
wscript.exe
POST
185.247.228.49:1986
http://www.tcoolsoul.com:1986/is-ready
unknown
malicious
3896
wscript.exe
POST
185.247.228.49:1986
http://www.tcoolsoul.com:1986/is-ready
unknown
malicious
3896
wscript.exe
POST
200
185.247.228.49:1986
http://www.tcoolsoul.com:1986/is-ready
unknown
text
95 b
malicious
3896
wscript.exe
GET
200
172.245.14.10:80
http://doughnut-snack.live/bpvpl.tar.gz
US
executable
3.11 Mb
malicious
3896
wscript.exe
GET
200
172.245.14.10:80
http://doughnut-snack.live/klplu.tar.gz
US
executable
25.5 Kb
malicious
3896
wscript.exe
GET
200
172.245.14.10:80
http://doughnut-snack.live/mapv.tar.gz
US
executable
2.42 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3896
wscript.exe
185.247.228.49:1986
www.tcoolsoul.com
malicious
3896
wscript.exe
172.245.14.10:80
doughnut-snack.live
ColoCrossing
US
malicious

DNS requests

Domain
IP
Reputation
brothersjoy.nl
unknown
www.tcoolsoul.com
  • 185.247.228.49
malicious
doughnut-snack.live
  • 172.245.14.10
malicious

Threats

PID
Process
Class
Message
3896
wscript.exe
A Network Trojan was detected
ET TROJAN WSHRAT CnC Checkin
3896
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3896
wscript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3896
wscript.exe
A Network Trojan was detected
ET TROJAN WSHRAT CnC Checkin
3896
wscript.exe
A Network Trojan was detected
ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
3896
wscript.exe
A Network Trojan was detected
ET TROJAN WSHRAT Credential Dump Module Download Command Inbound
3896
wscript.exe
A Network Trojan was detected
MALWARE [PTsecurity] WSHRat Plugin
3896
wscript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3896
wscript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3896
wscript.exe
A Network Trojan was detected
ET TROJAN WSHRAT CnC Checkin
Process
Message
kl-plugin.exe
SetWindowsHookEx WH_KEYBOARD_LL
kl-plugin.exe
SetWindowsHookEx WH_MOUSE_LL
kl-plugin.exe
06/12/2019 10:23:23>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=1186, y=673, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
06/12/2019 10:23:25>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=1091, y=595, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
06/12/2019 10:23:26>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=1256, y=430, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
06/12/2019 10:23:26>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=1174, y=442, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
06/12/2019 10:23:26>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=1138, y=433, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
06/12/2019 10:23:26>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=1068, y=388, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
06/12/2019 10:23:27>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=1062, y=436, mouseData=0, flags=0, dwExtraInfo=0
kl-plugin.exe
06/12/2019 10:23:34>MouseChange: nCode=0, wParam=WM_MOUSEMOVE, x=1256, y=670, mouseData=0, flags=0, dwExtraInfo=0
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
SWIFT_AMENDMENT_POLICY_PAYMENT_SOLUTION_PDF.js