1.js
This report is generated from a file or URL submitted to this webservice on June 7th 2018 16:05:46 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 1 domain and 1 host.
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (2)

External Systems

- Sample was identified as malicious by at least one Antivirus engine
  - details: 2/58 Antivirus vendors marked sample as malicious (3% detection rate)
  - source: External System
  - relevance: 8/10
Network Related

- Malicious artifacts seen in the context of a contacted host
  - details: Found malicious artifacts related to "64.40.144.28": ...
    URL: http://coyerparadise.com/blog/profile/ (AV positives: 1/67 scanned on 06/07/2018 13:11:25)
    URL: http://mounthollyar.com/Update/logs/alibaba/ (AV positives: 8/67 scanned on 06/07/2018 13:01:28)
    URL: http://the-old-place.com/how_to_pick_a_prospect.htm (AV positives: 3/67 scanned on 06/07/2018 04:29:48)
    URL: http://www.rayflatt.com/cubecart/index.php?act=login&redir=L2N1YmVjYXJ0L2luZGV4LnBocD9hY3Q9dmlld0RvYyZhbXA7ZG9jSWQ9NA== (AV positives: 3/67 scanned on 06/06/2018 23:00:13)
    URL: http://www.rayflatt.com/cubecart/ (AV positives: 2/67 scanned on 06/06/2018 23:00:14)
    File SHA256: 1f3063978f097919010e1dfc070af968e6275f2682962744b91329f8f83268fc (AV positives: 1/60 scanned on 06/07/2018 13:01:33)
    File SHA256: cf9af836cfd6daa504d0370c958c26e4b292e337af8200416e3344385e410a9c (AV positives: 29/71 scanned on 06/06/2018 02:44:08)
    File SHA256: 0b5b2ca67a62ea7029352748e000f1f71af72a97547bb233697aeb5326cbcef3 (AV positives: 34/59 scanned on 05/18/2018 14:40:00)
    File SHA256: d11db6cb515aff8dbd5225c6143b977e0b36cb6997f3cd0bdf11c69eb8bb2d0e (AV positives: 33/71 scanned on 05/16/2018 23:24:52)
    File SHA256: a15609ed0d096c7c044c431dc728e15b840caad6dba0b3aec9ec9c02d26f0c1f (AV positives: 26/57 scanned on 03/28/2018 11:30:35)
  - source: Network Traffic
  - relevance: 10/10
Suspicious Indicators (2)

Network Related

- Uses a User Agent typical for browsers, although no browser was ever launched
  - details: Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  - source: Network Traffic
  - relevance: 10/10
Unusual Characteristics

- Found decoded Javascript strings
  - details:
    "#1#1#1#1#1#1#1#1"
    ""
    "##"
    "#0#0"
  - source: File/Memory
  - relevance: 10/10
Informative (9)

General

- Contacts domains
  - details: "www.house2.gg12.net"
  - source: Network Traffic
  - relevance: 1/10
- Contacts server
  - details: "64.40.144.28:80"
  - source: Network Traffic
  - relevance: 1/10
- Creates mutants
  - details:
    "\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
    "\Sessions\1\BaseNamedObjects\Local\c:!users!xg8wljf!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
    "\Sessions\1\BaseNamedObjects\Local\c:!users!xg8wljf!appdata!roaming!microsoft!windows!cookies!"
    "\Sessions\1\BaseNamedObjects\Local\c:!users!xg8wljf!appdata!local!microsoft!windows!history!history.ie5!"
    "\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
    "\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
    "\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
    "\Sessions\1\BaseNamedObjects\Local\!IETld!Mutex"
    "\Sessions\1\BaseNamedObjects\Local\c:!users!xg8wljf!appdata!roaming!microsoft!windows!ietldcache!"
    "\Sessions\1\BaseNamedObjects\RasPbFile"
    "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
    "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
    "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
    "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
    "Local\ZoneAttributeCacheCounterMutex"
    "Local\WininetProxyRegistryMutex"
    "Local\WininetConnectionMutex"
    "IESQMMUTEX_0_208"
    "Local\c:!users!xg8wljf!appdata!roaming!microsoft!windows!ietldcache!"
    "Local\ZonesCounterMutex"
  - source: Created Mutant
  - relevance: 3/10
- Logged script engine calls
  - details:
    "wscript.exe" called "WScript.Shell.1.CreateObject" ...
    "wscript.exe" called "Msxml2.XMLHTTP.CreateObject" ...
  - source: API Call
  - relevance: 10/10
- Parsed Javascript
  - details: details too long to display
  - source: Static Parser
  - relevance: 5/10
Installation/Persistence

- Opens the MountPointManager (often used to detect additional infection locations)
  - details: "wscript.exe" opened "\Device\MountPointManager"
  - source: API Call
  - relevance: 5/10
- Touches files in the Windows directory
  - details:
    "wscript.exe" touched file "C:\Windows\System32\en-US\wscript.exe.mui"
    "wscript.exe" touched file "C:\Windows\System32\wscript.exe"
    "wscript.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
    "wscript.exe" touched file "C:\Windows\System32\rsaenh.dll"
    "wscript.exe" touched file "C:\Windows\System32\wshom.ocx"
    "wscript.exe" touched file "C:\Windows\System32\tzres.dll"
    "wscript.exe" touched file "C:\Windows\System32\en-US\tzres.dll.mui"
    "wscript.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
    "wscript.exe" touched file "C:\Windows\System32\msxml3r.dll"
    "wscript.exe" touched file "C:\Windows\System32\msxml3.dll\1"
    "wscript.exe" touched file "C:\Windows\System32\msxml3.dll"
    "wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files"
    "wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
    "wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
    "wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat"
    "wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\index.dat"
    "wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
    "wscript.exe" touched file "C:\Windows\System32\en-US\urlmon.dll.mui"
  - source: API Call
  - relevance: 7/10
Network Related

- Found potential URL in binary/memory
  - details: Pattern match: "www.house2.gg12.net"
  - source: File/Memory
  - relevance: 10/10
System Security

- Modifies proxy settings
  - details:
    "wscript.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
    "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
    "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
    "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    "wscript.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - source: Registry Access
  - relevance: 10/10
File Details

- Filename: 1.js
- Size: 521KiB (533757 bytes)
- Type: script javascript
- Description: ASCII text, with very long lines, with no line terminators
- Architecture: WINDOWS
- SHA256: 10695ce00c83418dd2e85676be4b51d36078b92091a66db3101c680b0375c863
- MD5: d2db0caddb1a50b69f88b32bfc08f85e
- SHA1: c5fc4ed5837ef379700ad4a1b78710a7750b1fd0
Hybrid Analysis

Analysed 1 process in total.
- wscript.exe "C:\1.js" (PID: 272)
Network Analysis

DNS Requests

Domain | Address | Registrar | Country
---|---|---|---
www.house2.gg12.net | 64.40.144.28 (TTL: 599) | - | United States

Contacted Hosts

IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
64.40.144.28 | 80/TCP | wscript.exe (PID: 272) | United States
HTTP Traffic

Endpoint | Request | URL | Response
---|---|---|---
64.40.144.28:80 (www.house2.gg12.net) | GET | www.house2.gg12.net/host.php | 200 OK

Request sent:

GET /host.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.house2.gg12.net
Connection: Keep-Alive
Extracted Files
No significant files were extracted.