JT840348593.jse
This report is generated from a file or URL submitted to this webservice on June 12th 2018 08:17:59 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 1 domain and 1 host.
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 4
External Systems
Detected Suricata Alert
- details
- Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
- Detected alert "ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2" (SID: 2022053, Rev: 2, Severity: 1) categorized as "A Network Trojan was detected" (Phishing, Exploit Kits)
- source
- Suricata Alerts
- relevance
- 10/10
Found an IP/URL artifact that was identified as malicious by a significant amount of reputation engines
- details
- 8/67 reputation engines marked "http://www.house2.gg12.net" as malicious (11% detection rate)
- source
- External System
- relevance
- 10/10
Network Related
Malicious artifacts seen in the context of a contacted host
- details
- Found malicious artifacts related to "64.40.144.28": ...
- source
- Network Traffic
- relevance
- 10/10
Unusual Characteristics
Script file shows a combination of malicious behavior
- details
- The script produces internet activity, is obfuscated and drops files
- source
- Indicator Combinations
- relevance
- 7/10
Suspicious Indicators 5
Environment Awareness
Contains ability to query CPU information
- details
- cpuid from 77767521.scr (PID: 268)
- cpuid
- source
- Hybrid Analysis Technology
- relevance
- 10/10
External Systems
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 8/67 reputation engines marked "http://www.house2.gg12.net" as malicious (11% detection rate)
- source
- External System
- relevance
- 10/10
Installation/Persistence
Writes data to a remote process
- details
- "wscript.exe" wrote 32 bytes to a remote process "%TEMP%\77767521.scr" (Handle: 1048)
- "wscript.exe" wrote 52 bytes to a remote process "%TEMP%\77767521.scr" (Handle: 1048)
- "wscript.exe" wrote 4 bytes to a remote process "%TEMP%\77767521.scr" (Handle: 1048)
- source
- API Call
- relevance
- 6/10
Network Related
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
- source
- Network Traffic
- relevance
- 10/10
Spyware/Information Retrieval
Found an instant messenger related domain
- details
- "F="http://www.icq.com/legal/eula/en">End User License Agreement</a>" (Indicator: "icq.com"; File: "00011472-00000268.00000000.11792.004B3000.00000002.mdmp")
- source
- File/Memory
- relevance
- 10/10
Informative 17
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.DLL from 77767521.scr (PID: 268)
- SetUnhandledExceptionFilter@KERNEL32.DLL from 77767521.scr (PID: 268)
- SetUnhandledExceptionFilter@KERNEL32.DLL from 77767521.scr (PID: 268)
- SetUnhandledExceptionFilter@KERNEL32.DLL from 77767521.scr (PID: 268)
- SetUnhandledExceptionFilter@KERNEL32.dll
- SetUnhandledExceptionFilter@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
Environment Awareness
Contains ability to query machine time
- details
- GetSystemTimeAsFileTime@KERNEL32.DLL from 77767521.scr (PID: 268)
- GetSystemTimeAsFileTime@KERNEL32.DLL from 77767521.scr (PID: 268)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
External Systems
Detected Suricata Alert
- details
- Detected alert "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)" (SID: 2015744, Rev: 4, Severity: 3) categorized as "Misc activity"
- source
- Suricata Alerts
- relevance
- 10/10
General
Contacts domains
- details
- "www.house2.gg12.net"
- source
- Network Traffic
- relevance
- 1/10
Contacts server
- details
- "64.40.144.28:80"
- source
- Network Traffic
- relevance
- 1/10
Creates a writable file in a temporary directory
- details
- "wscript.exe" created file "%TEMP%\77767521.scr"
- source
- API Call
- relevance
- 1/10
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
- "Local\ZonesLockedCacheCounterMutex"
- "Local\ZonesCacheCounterMutex"
- source
- Created Mutant
- relevance
- 3/10
Logged script engine calls
- details
- "wscript.exe" called "WScript.Shell.1.CreateObject" ...
- "wscript.exe" called "Msxml2.XMLHTTP.CreateObject" ...
- "wscript.exe" called "ADODB.Stream.6.0.CreateObject" ...
- source
- API Call
- relevance
- 10/10
Spawns new processes
- details
- Spawned process "77767521.scr" with commandline "/S"
- source
- Monitored Target
- relevance
- 3/10
Installation/Persistence
Creates new processes
- details
- "wscript.exe" is creating a new process (Name: "%TEMP%\77767521.scr", Handle: 1048)
- source
- API Call
- relevance
- 8/10
Dropped files
- details
- "host[1].htm" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- "77767521.scr" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 3/10
Drops executable files
- details
- "host[1].htm" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- "77767521.scr" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
Touches files in the Windows directory
- details
- "wscript.exe" touched file "C:\Windows\System32\en-US\wscript.exe.mui"
- "wscript.exe" touched file "C:\Windows\System32\wscript.exe"
- "wscript.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
- "wscript.exe" touched file "C:\Windows\System32\rsaenh.dll"
- "wscript.exe" touched file "C:\Windows\System32\wshom.ocx"
- "wscript.exe" touched file "C:\Windows\System32\tzres.dll"
- "wscript.exe" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
- "wscript.exe" touched file "C:\Windows\System32\msxml3r.dll"
- "wscript.exe" touched file "C:\Windows\System32\msxml3.dll\1"
- "wscript.exe" touched file "C:\Windows\System32\msxml3.dll"
- "wscript.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\counters.dat"
- "wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
- "wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
- "wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
- "wscript.exe" touched file "C:\Windows\System32\wshqos.dll"
- "wscript.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CKDNCXYS\host[1].htm"
- source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
- Pattern match: "www.house2.gg12.net"
- Heuristic match: "Mail.Ru"
- Pattern match: "http://www.icq.com/legal/eula/en"
- Heuristic match: "sz.ad"
- source
- File/Memory
- relevance
- 10/10
System Security
Modifies proxy settings
- details
- "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "wscript.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "wscript.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
- "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
- "wscript.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
- source
- Registry Access
- relevance
- 10/10
Unusual Characteristics
Drops executable files with unusual extensions
- details
- "77767521.scr" has type "PE32 executable (GUI) Intel 80386 for MS Windows" and unusual extension "scr"
- source
- Binary File
- relevance
- 10/10
Installs hooks/patches the running process
- details
- "wscript.exe" wrote bytes "c04e307720543177e0653177b53832770000000000d0827500000000c5ea82750000000088ea827500000000e968347582283277ee29327700000000d2693475000000007dbb82750000000009be347500000000ba18827500000000" to virtual address "0x75621000" (part of module "NSI.DLL")
- "wscript.exe" wrote bytes "fae62d77e1a632772e713277ee29327785e22d776da0327726e42d77d16d3277003d3077804b307700000000ad3751758b2d5175b641517500000000" to virtual address "0x74691000" (part of module "WSHTCPIP.DLL")
- "wscript.exe" wrote bytes "e7392e77e1a632772e713277ee29327785e22d776da03277906431773ad5387726e42d77d16d3277003d3077804b307700000000ad3751758b2d5175b641517500000000" to virtual address "0x74B91000" (part of module "WSHIP6.DLL")
- source
- Hook Detection
- relevance
- 10/10
File Details
JT840348593.jse
- Filename
- JT840348593.jse
- Size
- 375KiB (384223 bytes)
- Type
- script javascript
- Description
- ASCII text, with very long lines, with no line terminators
- Architecture
- WINDOWS
- SHA256
- 4984cf7b0788040f177a380156e448bd25c50e4716167f284d0a8bc8871aa802
- MD5
- 23d53da4b7108b1384e815fc1f2ffc92
- SHA1
- 0d1208ae52d2afac0398b52d81699cfbdf8e5b9d
Hybrid Analysis
Analysed 2 processes in total.
- wscript.exe "C:\JT840348593.jse" (PID: 1324)
  - 77767521.scr /S (PID: 268)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country
---|---|---|---
www.house2.gg12.net | 64.40.144.28 (TTL: 599) | - | United States
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
64.40.144.28 | 80 TCP | wscript.exe PID: 1324 | United States
HTTP Traffic
Endpoint | Request | URL | Response
---|---|---|---
64.40.144.28:80 (www.house2.gg12.net) | GET | www.house2.gg12.net/host.php | 200 OK
Request headers as sent:
GET /host.php HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Host: www.house2.gg12.net
Connection: Keep-Alive
Suricata Alerts
Event | Category | Description | SID
---|---|---|---
64.40.144.28 -> local:63892 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959
64.40.144.28 -> local:63892 (TCP) | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 | 2022053
64.40.144.28 -> local:63892 (TCP) | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | 2015744
Extracted Files
Informative Selection 1
77767521.scr
- Size
- 564KiB (577537 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- wscript.exe (PID: 1324)
- MD5
- d0c299d45f7256abf882b310930e62f9
- SHA1
- 46bfa319307054b7343706c7becd0d45d1a38e87
- SHA256
- 88ecc398e9b8c945fc0eb390a47c6d3dca8df866277963fdc1007f41ce4bfb56
Informative 1
host[1].htm
- Size
- 564KiB (577537 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- wscript.exe (PID: 1324)
- MD5
- d0c299d45f7256abf882b310930e62f9
- SHA1
- 46bfa319307054b7343706c7becd0d45d1a38e87
- SHA256
- 88ecc398e9b8c945fc0eb390a47c6d3dca8df866277963fdc1007f41ce4bfb56