Play interactive tour

Edit tour

Analysis Report http://cdn.pushmaster.xyz/scripts/SDKs/mapio-net.js

Overview

General Information

Sample URL:	http://cdn.pushmaster.xyz/scripts/SDKs/mapio-net.js
Analysis ID:	428475
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Performs DNS queries to domains with low reputation

Sigma detected: WScript or CScript Dropper

Found WSH timer for Javascript or VBS script (likely evasive script)

Potential browser exploit detected (process start blacklist hit)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution

Classification

Process Tree

System is w10x64

iexplore.exe (PID: 5936 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 5948 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

wscript.exe (PID: 1576 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: WScript or CScript Dropper

Show sources

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js' , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, ParentImage: C:\Program Files\internet explorer\iexplore.exe, ParentProcessId: 5936, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js' , ProcessId: 1576

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js' , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, ParentImage: C:\Program Files\internet explorer\iexplore.exe, ParentProcessId: 5936, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js' , ProcessId: 1576

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 13.225.87.26:443 -> 192.168.2.4:49725 version: TLS 1.2

Source: C:\Program Files\internet explorer\iexplore.exe

Process created: C:\Windows\System32\wscript.exe

Networking:

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

DNS query: cdn.pushmaster.xyz

Source: global traffic

HTTP traffic detected: GET /scripts/SDKs/mapio-net.js HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: cdn.pushmaster.xyzConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: cdn.pushmaster.xyz

Source: wscript.exe, 00000003.00000003.747222682.0000021EACA38000.00000004.00000001.sdmp, wscript.exe, 00000003.00000002.748312680.0000021EACCC4000.00000004.00000040.sdmp, mapio-net.js.c0xib1r.partial.2.dr

String found in binary or memory: https://api.pushmaster.xyz/

Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown

HTTPS traffic detected: 13.225.87.26:443 -> 192.168.2.4:49725 version: TLS 1.2

System Summary:

Source: classification engine

Classification label: mal48.troj.win@5/10@1/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F190F693-C3BE-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF9A8AE64A1E01720D.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js'
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js'	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Run
Source: C:\Windows\System32\wscript.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	System Information Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Scripting1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer1	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://cdn.pushmaster.xyz/scripts/SDKs/mapio-net.js	0%	Avira URL Cloud	safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
cdn.pushmaster.xyz	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
0	1%	Virustotal		Browse
https://api.pushmaster.xyz/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
d22epj5m7ijdgk.cloudfront.net	13.225.87.26	true	false		high
cdn.pushmaster.xyz	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://cdn.pushmaster.xyz/scripts/SDKs/mapio-net.js	false		unknown
0	true	1%, Virustotal, Browse	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.pushmaster.xyz/	wscript.exe, 00000003.00000003.747222682.0000021EACA38000.00000004.00000001.sdmp, wscript.exe, 00000003.00000002.748312680.0000021EACCC4000.00000004.00000040.sdmp, mapio-net.js.c0xib1r.partial.2.dr	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.225.87.26	d22epj5m7ijdgk.cloudfront.net	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	428475
Start date:	02.06.2021
Start time:	18:23:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://cdn.pushmaster.xyz/scripts/SDKs/mapio-net.js
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.troj.win@5/10@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): ielowutil.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.139.144, 13.64.90.137, 168.61.161.212, 88.221.62.148, 52.255.188.83, 152.199.19.161, 2.20.142.210, 2.20.142.209 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, ie9comview.vo.msecnd.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, skypedataprdcoleus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, go.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, au-bg-shim.trafficmanager.net, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F190F693-C3BE-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	32344
Entropy (8bit):	1.7959455105394673
Encrypted:	false
SSDEEP:	192:rsZPZy26WEt5ifrtzzMN7BWhLkZ0Aq3p2:rsxxZQWmPrl
MD5:	808A30B1C12D470D5D5E21933F9DF2E8
SHA1:	A3D9C7E9556CC1CF1D8D025ACF716E3F2690D18C
SHA-256:	3FC47B315641F3D6586C090AA38A8251E4ACB47B363F466127F650880BF0C11D
SHA-512:	44B7DFDCD18C2CBD321136294DF13DB441C6EEB4ED0CDDBBFEF5413C62444569B10343F17EAC308720E17AD31A9DFE2C8A7C87A4FDF0D816BC84AA5EA3196FA3
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F190F695-C3BE-11EB-90EB-ECF4BBEA1588}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5975868124412702
Encrypted:	false
SSDEEP:	48:IwIGcpr5Gwpa9G4pQxGrapbSRGQpBaGHHpcPTGUpQaTGcpm:r8ZzQ/6BBSrjh2Z6ug
MD5:	0DAFB1EA24DF7A3229010B1F3F12A071
SHA1:	31CC3CDF52B9DFC16DB1FA25AB9E6B2367B2EA49
SHA-256:	1F70F0BE5D06300B456577E5AEC7907C5A60E7160D1B0CEAED37FEE1549FCBAC
SHA-512:	5315D17CEEE8273065B83C60284E75C43E8918C26C786FBFBA0441FBD513EBE60A803B627A5318195B835628A099B3BF845A17A28B9C1816D010D4D34319635D
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\mapio-net[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	183
Entropy (8bit):	4.588847634298986
Encrypted:	false
SSDEEP:	3:qVoB3tUROGclXqyvXboAc9FKEIHiHby4AqWSZUXqXlIVLmEUjA/CqwcWWGu:q43tISl6kXiWHiHuwWSU6XlI5KktpfGu
MD5:	E4E384D6672787C1BB2A9B500114F1F5
SHA1:	CF909E7937CD3F312C434367B732A53D7A6CBF14
SHA-256:	80785F5520097DDE3B28C617171415CD690CBF1E0353A5F3E348C83A4656EA0F
SHA-512:	BD99B87EEF90595068F7DBB5944DAD8137D8B601F3C5A2DB2CBFB5DFDD526F80E03DED110003E77893570A72C3629CC244F965105AA53EB2CEA2395755A18007
Malicious:	false
Reputation:	low
Preview:	<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>CloudFront</center>..</body>..</html>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js.c0xib1r.partial Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4873
Entropy (8bit):	4.807347158404483
Encrypted:	false
SSDEEP:	96:1WD5XKfDF7VTAz/nuUSUa8IYlreb/lkhJ2OdWjsNTDnwOQUDDa9yes2M/R+L5lLx:2FEhTAz/nuUQ8IYlrY/lkhJ2OdWjsN3A
MD5:	F96F2A654B79524B3EA5283FFC46ACBE
SHA1:	A00F21E53C270A8F63F0438A6A50AFC0BD4CBE3F
SHA-256:	A1DAB071697D928D018DF886FD5D7F4664337AB39D9F9348FD0DBF35671AE4DF
SHA-512:	141FDFA252E9E78EBC1DDC370FF5992977F0487F83E3998FB94099906DBF47FBD3DED854AE6A612E00B63750C273689717775BE18CE616540A7D00DBB4E88616
Malicious:	false
Reputation:	low
Preview:	const vapidPK = "BB0Xd0Pwg9lsyzwb3UgbkE6GHsLu1y0tUYFFBLznTd-fR6Be2xPh6_b9Q0_UfIDGaw_DzcygT8cPXNytjoyJajs";.const swPath = '/sw.js';.const swScope = '/';..const serverPath = 'https://api.pushmaster.xyz/'..const serverSyncInterval = 60 // in minutes.const userPromptInterval = 30 // in minutes...// Check for service worker.if ("serviceWorker" in navigator) {. window.addEventListener('load', () => {. pushFlow().catch(err => console.error(err));. }).};...async function pushFlow() {. //register sw. let register = await navigator.serviceWorker.register(swPath, {. scope: swScope. }).. // wait until sw is ready. register = await navigator.serviceWorker.ready.. const notificationObject = await promptUser(register).. if (notificationObject) {. notificationServerSync(notificationObject).then(res => {. console.log(res). }). } else {. console.log("notificationObject falsy"). }..}..async function promptUser(register, overw

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js.c0xib1r.partial:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Reputation:	low
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js:Zone.Identifier Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	very short file (no magic)
Category:	modified
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:W:W
MD5:	ECCBC87E4B5CE2FE28308FD9F2A7BAF3
SHA1:	77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
SHA-256:	4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
SHA-512:	3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
Malicious:	false
Reputation:	low
Preview:	3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\mapio-net[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4873
Entropy (8bit):	4.807347158404483
Encrypted:	false
SSDEEP:	96:1WD5XKfDF7VTAz/nuUSUa8IYlreb/lkhJ2OdWjsNTDnwOQUDDa9yes2M/R+L5lLx:2FEhTAz/nuUQ8IYlrY/lkhJ2OdWjsN3A
MD5:	F96F2A654B79524B3EA5283FFC46ACBE
SHA1:	A00F21E53C270A8F63F0438A6A50AFC0BD4CBE3F
SHA-256:	A1DAB071697D928D018DF886FD5D7F4664337AB39D9F9348FD0DBF35671AE4DF
SHA-512:	141FDFA252E9E78EBC1DDC370FF5992977F0487F83E3998FB94099906DBF47FBD3DED854AE6A612E00B63750C273689717775BE18CE616540A7D00DBB4E88616
Malicious:	false
Reputation:	low
Preview:	const vapidPK = "BB0Xd0Pwg9lsyzwb3UgbkE6GHsLu1y0tUYFFBLznTd-fR6Be2xPh6_b9Q0_UfIDGaw_DzcygT8cPXNytjoyJajs";.const swPath = '/sw.js';.const swScope = '/';..const serverPath = 'https://api.pushmaster.xyz/'..const serverSyncInterval = 60 // in minutes.const userPromptInterval = 30 // in minutes...// Check for service worker.if ("serviceWorker" in navigator) {. window.addEventListener('load', () => {. pushFlow().catch(err => console.error(err));. }).};...async function pushFlow() {. //register sw. let register = await navigator.serviceWorker.register(swPath, {. scope: swScope. }).. // wait until sw is ready. register = await navigator.serviceWorker.ready.. const notificationObject = await promptUser(register).. if (notificationObject) {. notificationServerSync(notificationObject).then(res => {. console.log(res). }). } else {. console.log("notificationObject falsy"). }..}..async function promptUser(register, overw

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.412554678800313
Encrypted:	false
SSDEEP:	3:oVXUbViZdgUNW8JOGXnEbViZdgpULun:o9ULBqELpSu
MD5:	37EC7EB6F68BC90D03EA0CDCAD2317DD
SHA1:	1BD9236DDFB33F9CD187093AC412A24A960C14C8
SHA-256:	E89C156464A89E5955A300054FBA0B3FF3F12CA06B5AA4BB1AA76A92DFB2DC9C
SHA-512:	92341AE3FD60CF84D7882B99F1E91D56C1918D776FC4EB4FEF3E1D67277306B3A830D261292BED989086365776D441D047C4FF14A7C44DE0E07E75CF2D261DBA
Malicious:	false
Reputation:	low
Preview:	[2021/06/02 18:24:04.894] Latest deploy version: ..[2021/06/02 18:24:04.894] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\~DF9A8AE64A1E01720D.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12981
Entropy (8bit):	0.4406043448808726
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9loj9loj9lWZbvcNk:kBqoIE611
MD5:	09E0EDD8617F3E4C06B9F152B4C80A7B
SHA1:	A712CFF8644EFA0D59A35677161E32317EDE1A36
SHA-256:	07AC1E00D0BE094808802F3BB8E434FA2D1758F943D79E430147233096A7E723
SHA-512:	DDECDC8EB815D02FC0F96EB55E66778C776336A3A561486BCFCCD75CC8D33F53C1AC0830037FC7C3CC9BC0EFB31B6D49051EA82EEACD16B3737BADC375BB0581
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFDC8929727F558112.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29989
Entropy (8bit):	0.33020638854646217
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwZW99lwZK9l2Z+l/9lq:kBqoxKAuvScS+bVe+ray
MD5:	C649C1E3DE1E37D44146FD0C61588723
SHA1:	E21C6846D69C6FC2DC7C945F98CEF546DD133C39
SHA-256:	590DDD8A207273E8B8FFC2FAF717CE5BE4811A83A062EA38EDFF6AF43ABDB852
SHA-512:	DE08F2F9B337A318DA9D5B24D45337778AB9F98A6FA1413548571B7F87AFBBF2EA25E05DB529134845A9DDB32925E1C5F4C297AA58E9F80F91836730EE982BDE
Malicious:	false
Reputation:	low
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 2, 2021 18:24:05.162862062 CEST	49723	80	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.162924051 CEST	49724	80	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.205235958 CEST	80	49724	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.205389023 CEST	49724	80	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.208265066 CEST	49724	80	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.217609882 CEST	80	49724	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.217710018 CEST	49724	80	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.218029976 CEST	80	49723	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.218123913 CEST	49723	80	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.231153011 CEST	80	49723	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.231232882 CEST	49723	80	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.250821114 CEST	80	49724	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.254760981 CEST	80	49724	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.254846096 CEST	49724	80	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.262171984 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.304558039 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.304692984 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.309669971 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.316570997 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.316636086 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.351799011 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.353806973 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.353859901 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.353867054 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.353909969 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.353910923 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.353967905 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.358505964 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.358580112 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.395142078 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.401500940 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.401745081 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.440123081 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.440171003 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.440278053 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.440329075 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.440402031 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.441004992 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.443875074 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.444411993 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.444514036 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.446777105 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.446806908 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.446829081 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.446844101 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.446846008 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.446865082 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.446929932 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.449919939 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.449947119 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:05.450033903 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:05.493189096 CEST	443	49725	13.225.87.26	192.168.2.4
Jun 2, 2021 18:24:26.946595907 CEST	49723	80	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:26.946692944 CEST	49725	443	192.168.2.4	13.225.87.26
Jun 2, 2021 18:24:26.946794033 CEST	49724	80	192.168.2.4	13.225.87.26

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 2, 2021 18:23:55.902101994 CEST	61516	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:23:55.944523096 CEST	53	61516	8.8.8.8	192.168.2.4
Jun 2, 2021 18:23:56.705336094 CEST	49182	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:23:56.749351025 CEST	53	49182	8.8.8.8	192.168.2.4
Jun 2, 2021 18:23:57.572734118 CEST	59920	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:23:57.614653111 CEST	53	59920	8.8.8.8	192.168.2.4
Jun 2, 2021 18:23:58.638706923 CEST	57458	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:23:58.684714079 CEST	53	57458	8.8.8.8	192.168.2.4
Jun 2, 2021 18:23:59.406157017 CEST	50579	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:23:59.448761940 CEST	53	50579	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:00.530810118 CEST	51703	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:00.573657036 CEST	53	51703	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:01.441968918 CEST	65248	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:01.486421108 CEST	53	65248	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:02.672341108 CEST	53723	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:02.716834068 CEST	53	53723	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:03.638751984 CEST	64646	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:03.682532072 CEST	53	64646	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:03.945209026 CEST	65298	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:03.987854958 CEST	53	65298	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:05.093996048 CEST	59123	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:05.117111921 CEST	54531	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:05.145566940 CEST	53	59123	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:05.159338951 CEST	53	54531	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:06.198383093 CEST	49714	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:06.241210938 CEST	53	49714	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:08.048310041 CEST	58028	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:08.090378046 CEST	53	58028	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:08.960501909 CEST	53097	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:09.002698898 CEST	53	53097	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:10.008054018 CEST	49257	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:10.050208092 CEST	53	49257	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:10.900171995 CEST	62389	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:10.942866087 CEST	53	62389	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:11.821374893 CEST	49910	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:11.863708973 CEST	53	49910	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:12.788875103 CEST	55854	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:12.831289053 CEST	53	55854	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:13.587821007 CEST	64549	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:13.630072117 CEST	53	64549	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:33.992826939 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:34.035315037 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:35.021004915 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:35.070517063 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:36.019792080 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:36.061944008 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:38.066642046 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:38.108939886 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:42.114063025 CEST	63153	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:42.156800985 CEST	53	63153	8.8.8.8	192.168.2.4
Jun 2, 2021 18:24:51.780881882 CEST	52991	53	192.168.2.4	8.8.8.8
Jun 2, 2021 18:24:51.841317892 CEST	53	52991	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 2, 2021 18:24:05.093996048 CEST	192.168.2.4	8.8.8.8	0x98da	Standard query (0)	cdn.pushmaster.xyz	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 2, 2021 18:24:05.145566940 CEST	8.8.8.8	192.168.2.4	0x98da	No error (0)	cdn.pushmaster.xyz	d22epj5m7ijdgk.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Jun 2, 2021 18:24:05.145566940 CEST	8.8.8.8	192.168.2.4	0x98da	No error (0)	d22epj5m7ijdgk.cloudfront.net		13.225.87.26	A (IP address)	IN (0x0001)
Jun 2, 2021 18:24:05.145566940 CEST	8.8.8.8	192.168.2.4	0x98da	No error (0)	d22epj5m7ijdgk.cloudfront.net		13.225.87.63	A (IP address)	IN (0x0001)
Jun 2, 2021 18:24:05.145566940 CEST	8.8.8.8	192.168.2.4	0x98da	No error (0)	d22epj5m7ijdgk.cloudfront.net		13.225.87.2	A (IP address)	IN (0x0001)
Jun 2, 2021 18:24:05.145566940 CEST	8.8.8.8	192.168.2.4	0x98da	No error (0)	d22epj5m7ijdgk.cloudfront.net		13.225.87.72	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

cdn.pushmaster.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49724	13.225.87.26	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Jun 2, 2021 18:24:05.208265066 CEST	199	OUT	GET /scripts/SDKs/mapio-net.js HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: cdn.pushmaster.xyz Connection: Keep-Alive
Jun 2, 2021 18:24:05.254760981 CEST	200	IN	HTTP/1.1 301 Moved Permanently Server: CloudFront Date: Wed, 02 Jun 2021 16:24:05 GMT Content-Type: text/html Content-Length: 183 Connection: keep-alive Location: https://cdn.pushmaster.xyz/scripts/SDKs/mapio-net.js X-Cache: Redirect from cloudfront Via: 1.1 f8fe53d5464b299529d281799da8de30.cloudfront.net (CloudFront) X-Amz-Cf-Pop: FRA2-C2 X-Amz-Cf-Id: ZqcFVLE_zbSy-RUEIpf_HSIgbD59KWuCicrYlRVIaQPuw5ZY6Pavmg== Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 43 6c 6f 75 64 46 72 6f 6e 74 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>CloudFront</center></body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jun 2, 2021 18:24:05.358505964 CEST	13.225.87.26	443	192.168.2.4	49725	CN=*.pushmaster.xyz CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Tue Dec 08 01:00:00 CET 2020 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Fri Jan 07 00:59:59 CET 2022 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-16-23-24-65281,29-23-24,0	9e10692f1b7f78228b2d4e424db3a98c
					CN=Amazon, OU=Server CA 1B, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Thu Oct 22 02:00:00 CEST 2015	Sun Oct 19 02:00:00 CEST 2025
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: iexplore.exe PID: 5936 Parent PID: 800

General

Start time:	18:24:03
Start date:	02/06/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff7b9c70000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: iexplore.exe PID: 5948 Parent PID: 5936

General

Start time:	18:24:04
Start date:	02/06/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2
Imagebase:	0xa0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 1576 Parent PID: 5936

General

Start time:	18:24:51
Start date:	02/06/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\mapio-net.js'
Imagebase:	0x7ff742c30000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report http://cdn.pushmaster.xyz/scripts/SDKs/mapio-net.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

No static file info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: iexplore.exe PID: 5936 Parent PID: 800

General

Chronological Activities

Analysis Process: iexplore.exe PID: 5948 Parent PID: 5936

General

Chronological Activities

Analysis Process: wscript.exe PID: 1576 Parent PID: 5936

General

Chronological Activities