MAS_0.1_BETA.cmd
This report is generated from a file or URL submitted to this webservice on November 5th 2018 09:15:27 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.20 © Hybrid Analysis
Incident Response
MITRE ATT&CK™ Techniques Detection
Additional Context
Related Sandbox Artifacts
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 1
-
Installation/Persistance
-
Found an indicator for a scheduled task trigger
- details
- "ption>Online_KMS_Activation_Script-Run_Once - Run and Delete itself on first Internet Contact</Description> <URI>\Online_KMS_Activation_Script-Run_Once</URI> <SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;LS)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)</SecurityDescriptor> </RegistrationInfo> <Triggers> <LogonTrigger> <Enabled>true</Enabled> </LogonTrigger> </Triggers> <Principals> <Principal id="LocalSystem"> <UserId>S-1-5-18</UserId> <RunLevel>HighestAvailable</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable> <IdleSettings>" (Indicator: "LogonTrigger"; File: "MAS_0.1_BETA.cmd.bin")
- source
- File/Memory
- relevance
- 5/10
- ATT&CK ID
- T1168 (Show technique in the MITRE ATT&CK™ matrix)
-
Found an indicator for a scheduled task trigger
-
Suspicious Indicators 3
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/67 reputation engines marked "http://abbodi1406.square7.ch" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
-
Remote Access Related
-
Contains indicators of bot communication commands
- details
-
"wal_Task set /a max_loop=3if defined Run_Once set /a max_loop=5:repeatEcho Checking Internet Connection...ping www.google.com -n 1 -w 20000 > nul || ( if %loop%== %max_loop% ( echo Internet Is Not Connected. if defined Renewal_Task Exit 1651565635 & Rem Dummy Numbers To Show Error In Task if defined Run_Once Exit 1651565635 & Rem Dummy Numbers To Show Error In Task echo. pause goto:EOF ) echo Waiting 30 s&timeout /t 30>nul set /a loop=%loop%+1 goto repeat)echo Internet is connected.set "servers="set "servers=%servers% kms.digiboy.i"set "servers=%servers%r"set "servers=%servers% kms.mrxn.n"set "servers=%servers%et"set "servers=%servers% kms8.MSGuides.c"set "servers=%servers%om"set "servers=%servers% kms9.MSGuides.c"set "servers=%servers%om"set "servers=%servers% kms.chinancce.c"set "servers=%servers%om"set "servers=%servers% kms.library.h"set "servers=%servers%k"set "servers=%servers% kms.03k.o"" (Indicator: "servers=")
"set "servers=%servers%rg"set "servers=%servers% kms.digiboy.i"set "servers=%servers%r"set n=1&for %%a in (%servers%) do (set server[!n!]=%%a&set /A n+=1)&set /a max_servers=!n!-1set server_num=1:serverset /a activation_ok=1if %server_num% gtr !max_servers! ( if defined Renewal_Task (echo No KMS server available. Exiting...&exit 1651565635 rem Dummy Numbers To Show Error In Task) if defined Run_Once (echo No KMS server available. Exiting...&exit 1651565635 rem Dummy Numbers To Show Error In Task) echo No KMS server available, & pause & goto:EOF) set KMS_IP=!server[%server_num%]!echo Trying with KMS server %KMS_IP% &echo.remrem In case of Run_Once, ping the KMS serverif defined PlusOnlineKMS (echo. &echo Trying to ping server %KMS_IP% &echo.ping %KMS_IP% -n 1 -w 20000 > nul || (echo Ping unsuccessfull for %KMS_IP% Trying next server.set /a server_num+=1goto :server))rem ping of KMS server ok. Continue the normal processremcd /d "%~dp0"I" (Indicator: "servers=") - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1094 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains indicators of bot communication commands
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
- "wscript.exe" wrote bytes "711165027a3b6402ab8b02007f950200fc8c0200729602006cc805001ecd61027d266102" to virtual address "0x74BC07E4" (part of module "USER32.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Installs hooks/patches the running process
-
Informative 5
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
-
0/55 Antivirus vendors marked sample as malicious (0% detection rate)
0/15 Antivirus vendors marked sample as malicious (0% detection rate) - source
- External System
- relevance
- 10/10
-
Sample was identified as clean by Antivirus engines
-
General
-
Parsed Javascript
- details
- details too long to display
- source
- Static Parser
- relevance
- 5/10
-
Parsed Javascript
-
Installation/Persistance
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "wscript.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"wscript.exe" touched file "%WINDIR%\SysWOW64\wscript.exe"
"wscript.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"wscript.exe" touched file "%WINDIR%\SysWOW64\rsaenh.dll"
"wscript.exe" touched file "%WINDIR%\SysWOW64\en-US\jscript.dll.mui"
"wscript.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
"wscript.exe" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui" - source
- API Call
- relevance
- 7/10
-
Opens the MountPointManager (often used to detect additional infection locations)
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://forums.mydigitallife.net/posts/838808"
Pattern match: "https://pastebin.com/raw/WK5YHaEM"
Pattern match: "https://anonfile.com/Qdk2hck2b8/"
Pattern match: "https://github.com/AveYo/Compressed2TXT"
Pattern match: "www.google.com"
Pattern match: "https://forums.mydigitallife.net/posts/1221231"
Pattern match: "http://schemas.microsoft.com/windows/2004/02/mit/task"
Pattern match: "https://www.nsaneforums.com/topic/316668--/" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
File Details
MAS_0.1_BETA.cmd
- Filename
- MAS_0.1_BETA.cmd
- Size
- 1.1MiB (1137175 bytes)
- Type
- script javascript
- Description
- DOS batch file, ISO-8859 text, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- bce3b34956711cbe4b48f4e59887d07908b3abd47aff9f2ec4acc04419005795
- MD5
- f2510a548372aea8f3c9d68f8bb427c5
- SHA1
- 0643cf0b3177ba1c450f85e004290c056962d201
- ssdeep
- 24576:dAWNBUnMufKyKQbNcpr40wbmsgf2EBFSdsaJ:OPcQpp0mhgupdsg
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 1 process in total.
- wscript.exe "C:\MAS_0.1_BETA.cmd.js" (PID: 4092)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.