ID: 71345
Cookbook: browseurl.jbs
Time: 11:22:46
Date: 07/08/2018
Version: 23.0.0

Table of Contents

Table of Contents (p. 2)
Analysis Report (p. 4)
  Overview (p. 4)
    General Information (p. 4)
    Detection (p. 4)
    Confidence (p. 4)
    Classification (p. 5)
    Signature Overview (p. 5)
      AV Detection (p. 6)
      Bitcoin Miner (p. 6)
      Software Vulnerabilities (p. 6)
      Networking (p. 6)
      System Summary (p. 6)
      Hooking and other Techniques for Hiding and Protection (p. 6)
      Malware Analysis System Evasion (p. 6)
      Anti Debugging (p. 7)
      Language, Device and Operating System Detection (p. 7)
    Behavior Graph (p. 7)
  Simulations (p. 7)
    Behavior and APIs (p. 7)
  Antivirus Detection (p. 7)
    Initial Sample (p. 7)
    Dropped Files (p. 8)
    Unpacked PE Files (p. 8)
    Domains (p. 8)
    URLs (p. 8)
  Yara Overview (p. 8)
    Initial Sample (p. 8)
    PCAP (Network Traffic) (p. 8)
    Dropped Files (p. 8)
    Memory Dumps (p. 8)
    Unpacked PEs (p. 8)
  Joe Sandbox View / Context (p. 8)
    IPs (p. 8)
    Domains (p. 8)
    ASN (p. 8)
    Dropped Files (p. 9)
  Screenshots (p. 9)
  Startup (p. 9)
  Created / dropped Files (p. 9)
  Contacted Domains/Contacted IPs (p. 11)
    Contacted Domains (p. 11)
    Contacted URLs (p. 12)
    Contacted IPs (p. 12)
      Public (p. 12)
  Static File Info (p. 12)
    No static file info (p. 12)
  Network Behavior (p. 12)
    Network Port Distribution (p. 12)
    TCP Packets (p. 13)
    UDP Packets (p. 13)
    DNS Queries (p. 13)
    DNS Answers (p. 13)
    HTTP Request Dependency Graph (p. 13)
    HTTP Packets (p. 13)
  Code Manipulations (p. 14)
  Statistics (p. 14)
  Behavior (p. 14)
  System Behavior (p. 14)
    Analysis Process: iexplore.exe PID: 2056 Parent PID: 548 (p. 14)
      General (p. 15)
      File Activities (p. 15)
      Registry Activities (p. 15)
    Analysis Process: iexplore.exe PID: 1900 Parent PID: 2056 (p. 15)
      General (p. 15)
      File Activities (p. 15)
      Registry Activities (p. 16)
    Analysis Process: wscript.exe PID: 3104 Parent PID: 2056 (p. 16)
      General (p. 16)
      File Activities (p. 16)
      Registry Activities (p. 16)
        Key Created (p. 16)
  Disassembly (p. 16)

Copyright Joe Security LLC 2018 Page 2 of 16
Analysis Report
Overview
General Information
Joe Sandbox Version: 23.0.0
Analysis ID: 71345
Start date: 07.08.2018
Start time: 11:22:46
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 56s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: http://aqc223.adfrend.com/friendly.js
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.expl.mine.win@5/9@1/1
Cookbook Comments:
• Adjust boot time
• Correcting counters for adjusted boot time
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
Detection
Strategy  | Score | Range   | Reporting      | Detection
Threshold | 56    | 0 - 100 | Report FP / FN | MAL
Confidence
Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |
Classification
[Classification chart (figure). Categories on the chart: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean, suspicious, malicious.]
Signature Overview
• AV Detection
• Bitcoin Miner
• Software Vulnerabilities
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
AV Detection:
Antivirus detection for dropped file
Bitcoin Miner:
Found strings related to Crypto-Mining
Software Vulnerabilities:
Potential browser exploit detected (process start blacklist hit)
Networking:
Downloads compressed data via HTTP
Downloads files
Downloads files from webservers via HTTP
Performs DNS lookups
Urls found in memory or binary data
System Summary:
Classification label
Creates files inside the user directory
Creates temporary files
Reads ini files
Reads software policies
Spawns processes
Uses an in-process (OLE) Automation server
Found graphical window changes (likely an installer)
Uses new MSVCR Dlls
Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)
Malware Analysis System Evasion:
Found WSH timer for Javascript or VBS script (likely evasive script)
Anti Debugging:
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Language, Device and Operating System Detection:
Queries the cryptographic machine GUID
Behavior Graph
[Behavior graph (figure). Header: ID: 71345; URL: http://aqc223.adfrend.com/friendly.js; Start date: 07/08/2018; Architecture: WINDOWS; Score: 56.
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious.
Process nodes: iexplore.exe started iexplore.exe and wscript.exe.
Signatures shown on the graph: Antivirus detection for dropped file; Found strings related to Crypto-Mining; Potential browser exploit detected (process start blacklist hit).
DNS/IP node: aqc223.adfrend.com, 173.208.193.181, ports 49171, 49172, 80, WII-KC-WholeSaleInternetIncUS, United States.
Dropped files: C:\Users\user\AppData\...\friendly[1].js (HTML); C:\Users\user\...\friendly.js.b9ht2vr.partial (HTML); friendly.js.b9ht2v...ial:Zone.Identifier (ASCII).]
Simulations
Behavior and APIs
Time     | Type            | Description
11:23:26 | API Interceptor | 421x Sleep call for process: iexplore.exe modified
11:23:50 | API Interceptor | 2x Sleep call for process: wscript.exe modified
Antivirus Detection
Initial Sample
Source                                | Detection | Scanner    | Label
http://aqc223.adfrend.com/friendly.js | 0%        | virustotal |
Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\friendly[1].js | 100% | Avira | PUA/CryptoMiner.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js.b9ht2vr.partial | 100% | Avira | PUA/CryptoMiner.Gen
Unpacked PE Files
No Antivirus matches
Domains
Source             | Detection | Scanner    | Label
aqc223.adfrend.com | 0%        | virustotal |
URLs
Source                                | Detection | Scanner         | Label
http://aqc223.adfrend.com/friendly.js | 0%        | virustotal      |
http://aqc223.adfrend.com/friendly.js | 0%        | Avira URL Cloud | safe
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
Dropped Files
No context
Screenshots
Startup
System is w7
• iexplore.exe (PID: 2056, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, MD5: CA1F703CD665867E8132D2946FB55750)
  • iexplore.exe (PID: 1900, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2056 CREDAT:275457 /prefetch:2, MD5: CA1F703CD665867E8132D2946FB55750)
  • wscript.exe (PID: 3104, cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js', MD5: 979D74799EA6C8B8167869A68DF5204A)
• cleanup
Created / dropped Files
C:\Users\SAMTAR~1\AppData\Local\Temp\~DF01346E7BD5F72CD3.TMP
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: FoxPro FPT, blocks size 258, next free block index 16711424
  Size (bytes): 29989
  Entropy (8bit): 1.5449829905758383
  Encrypted: false
  MD5: 8130C3A6952FC493FA5F6EC39295E090
  SHA1: 35926EF1820B8C44FF6C450FE8C2E1F2AED56862
  SHA-256: 37E99ECED0122D5F230F07BA7C7FE5E5A5B381853A4A435C8D00D7E4700BCBDE
  SHA-512: F192A2EF2A5BE9DBBE4E252EDAF57748F48C4CD9F73860B7E3DC495A6FBDFC55E95DE4068FE09EBC0D6E9AB59E645034184C2AAE7C1953A787AC6094B95C6679
  Malicious: false
  Reputation: low

C:\Users\SAMTAR~1\AppData\Local\Temp\~DF442007127DB870C9.TMP
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: data
  Size (bytes): 12981
  Entropy (8bit): 2.8326739835194443
  Encrypted: false
  MD5: BCC796EAEFCEEC052188CAACC8D4CAFC
  SHA1: 625B8D8CEA3F6FE31BE37B849D89904522961296
  SHA-256: E9336A2665B887E5507782A9831C3B9162A5D4AEDAA0E3645AB3C92092C62CA0
  SHA-512: E094E014D68E236160A77E96ACEAD30264D013FE7200EBD57D9928BAAAB3DB7B41B718EC4320DEEEAB60E6E68F25A04731AC716F641F08629C013E9BD3FDD8C8
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{899453F1-9A23-11E8-B3E3-CCDA62336E41}.dat
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: Microsoft Word Document
  Size (bytes): 32344
  Entropy (8bit): 1.7952268015278676
  Encrypted: false
  MD5: EB3FA6865F05937651AD47B606D65620
  SHA1: 867E3DDF6BFFDE2E44C4AFD721E2B0B2E6C94D37
  SHA-256: 73958600453C6A50E140A4959F00CFC01C4C2243D289DFF1FF30546C579E86CD
  SHA-512: F806CEF5CCCEC46458B86C7BA7B0FA415F262A79C7392258C828FED4D72FCC3B886136755202060800A5B7DFE59F0F85D77E547AD1D23BDEB7DA0BF82DA8CF1D
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{899453F3-9A23-11E8-B3E3-CCDA62336E41}.dat
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: Microsoft Word Document
  Size (bytes): 19032
  Entropy (8bit): 1.6010720089232622
  Encrypted: false
  MD5: 88EFACC234B7DDCCF0A46C6D13043FC0
  SHA1: CD304A1505A7E14EB59731CC3FD5BB73435267B7
  SHA-256: 3C683558E6898E534A8B005BC1CD87B3A623858FA02EACFFE6435F7E8F82082B
  SHA-512: 338F8AAABC174B871899F9226EC000991982E38BDC14026AFAE300A3FA300E1FAF8609D02B72689DFBCB11F487D6985E98FACE9B750C0D2FD5C335C7957ED92C
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js.b9ht2vr.partial
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: HTML document, ASCII text, with no line terminators
  Size (bytes): 292
  Entropy (8bit): 5.2794367444469295
  Encrypted: false
  MD5: 4E54C3B70993814E4B0E23C537F5DE1E
  SHA1: E474955F620256BA3FFBBDD114E3603C26BBCB74
  SHA-256: 8E3F46FADC59F4A482C1BA9FD119DBB31C29A1247731A3D886058AFEF127233E
  SHA-512: 40D28C90DA7A125BDDC2C8CDA6297C3FC948E50A33F7C9634904D978FEAD79D00D13E3FC49C9FC52EBA60A861FCC1760CE5911DE6BC1E8855FA1B95B0815424E
  Malicious: true
  Antivirus: Avira, Detection: 100%
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js.b9ht2vr.partial:Zone.Identifier
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: ASCII text, with CRLF line terminators
  Size (bytes): 26
  Entropy (8bit): 3.9500637564362093
  Encrypted: false
  MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
  SHA1: D59FC84CDD5217C6CF74785703655F78DA6B582B
  SHA-256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
  SHA-512: AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
  Malicious: true
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js:Zone.Identifier
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: very short file (no magic)
  Size (bytes): 1
  Entropy (8bit): 0.0
  Encrypted: false
  MD5: ECCBC87E4B5CE2FE28308FD9F2A7BAF3
  SHA1: 77DE68DAECD823BABBB58EDB1C8E14D7106E83BB
  SHA-256: 4E07408562BEDB8B60CE05C1DECFE3AD16B72230967DE01F640B7E4729B49FCE
  SHA-512: 3BAFBF08882A2D10133093A1B8433F50563B93C14ACD05B79028EB1D12799027241450980651994501423A66C276AE26C43B739BC65C4E16B10C3AF6C202AEBB
  Malicious: false
  Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\friendly[1].js
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: HTML document, ASCII text, with no line terminators
  Size (bytes): 292
  Entropy (8bit): 5.2794367444469295
  Encrypted: false
  MD5: 4E54C3B70993814E4B0E23C537F5DE1E
  SHA1: E474955F620256BA3FFBBDD114E3603C26BBCB74
  SHA-256: 8E3F46FADC59F4A482C1BA9FD119DBB31C29A1247731A3D886058AFEF127233E
  SHA-512: 40D28C90DA7A125BDDC2C8CDA6297C3FC948E50A33F7C9634904D978FEAD79D00D13E3FC49C9FC52EBA60A861FCC1760CE5911DE6BC1E8855FA1B95B0815424E
  Malicious: true
  Antivirus: Avira, Detection: 100%
  Reputation: low

\samr
  Process: C:\Program Files\Internet Explorer\iexplore.exe
  File Type: Hitachi SH big-endian COFF object, not stripped
  Size (bytes): 116
  Entropy (8bit): 4.053374040827533
  Encrypted: false
  MD5: 080E701E8B8E2E9C68203C150AC7C6B7
  SHA1: 4EF041621388B805758AE1D3B122F9D364705223
  SHA-256: FE129AE2A7C96708754F6F51091E6E512C9FEACA1042A1E9DB914C651FEB344D
  SHA-512: C11D88B8E355B7B922B985802464B693F75BA4C2A62F9137A15842CA82F9B6B3ED13059EDC0DF1C04E7DE43719D892B4C0D22BB67BE0D57EAB368BA1BC057E79
  Malicious: false
  Reputation: low
Contacted Domains/Contacted IPs
Contacted Domains
Name               | IP              | Active | Malicious | Antivirus Detection | Reputation
aqc223.adfrend.com | 173.208.193.181 | true   | false     | 0%, virustotal      | unknown
Contacted URLs
Name                                  | Process
http://aqc223.adfrend.com/friendly.js | C:\Program Files\Internet Explorer\iexplore.exe
Contacted IPs
Public
IP              | Country       | ASN   | ASN Name                      | Malicious
173.208.193.181 | United States | 32097 | WII-KC-WholeSaleInternetIncUS | false
Static File Info
No static file info
Network Behavior
Network Port Distribution
Total Packets: 8
• 80 (HTTP)
• 53 (DNS)
TCP Packets
Timestamp                           | Source Port | Dest Port | Source IP       | Dest IP
Aug 7, 2018 11:23:28.236330986 CEST | 63758       | 53        | 192.168.2.3     | 8.8.8.8
Aug 7, 2018 11:23:28.286312103 CEST | 53          | 63758     | 8.8.8.8         | 192.168.2.3
Aug 7, 2018 11:23:28.295602083 CEST | 49171       | 80        | 192.168.2.3     | 173.208.193.181
Aug 7, 2018 11:23:28.296526909 CEST | 49172       | 80        | 192.168.2.3     | 173.208.193.181
Aug 7, 2018 11:23:28.423145056 CEST | 80          | 49171     | 173.208.193.181 | 192.168.2.3
Aug 7, 2018 11:23:28.423229933 CEST | 49171       | 80        | 192.168.2.3     | 173.208.193.181
Aug 7, 2018 11:23:28.424396992 CEST | 80          | 49172     | 173.208.193.181 | 192.168.2.3
Aug 7, 2018 11:23:28.424521923 CEST | 49172       | 80        | 192.168.2.3     | 173.208.193.181
Aug 7, 2018 11:23:28.424868107 CEST | 49171       | 80        | 192.168.2.3     | 173.208.193.181
Aug 7, 2018 11:23:28.810250998 CEST | 80          | 49171     | 173.208.193.181 | 192.168.2.3
Aug 7, 2018 11:23:29.042680979 CEST | 80          | 49171     | 173.208.193.181 | 192.168.2.3
Aug 7, 2018 11:23:29.042834044 CEST | 49171       | 80        | 192.168.2.3     | 173.208.193.181
UDP Packets
Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Aug 7, 2018 11:23:28.236330986 CEST | 63758       | 53        | 192.168.2.3 | 8.8.8.8
Aug 7, 2018 11:23:28.286312103 CEST | 53          | 63758     | 8.8.8.8     | 192.168.2.3
DNS Queries
Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name               | Type           | Class
Aug 7, 2018 11:23:28.236330986 CEST | 192.168.2.3 | 8.8.8.8 | 0xe477   | Standard query (0) | aqc223.adfrend.com | A (IP address) | IN (0x0001)
DNS Answers
Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name               | CName | Address         | Type           | Class
Aug 7, 2018 11:23:28.286312103 CEST | 8.8.8.8   | 192.168.2.3 | 0xe477   | No error (0) | aqc223.adfrend.com |       | 173.208.193.181 | A (IP address) | IN (0x0001)
HTTP Request Dependency Graph
aqc223.adfrend.com
HTTP Packets
Session ID | Source IP   | Source Port | Destination IP  | Destination Port | Process
0          | 192.168.2.3 | 49171       | 173.208.193.181 | 80               | C:\Program Files\Internet Explorer\iexplore.exe

Timestamp: Aug 7, 2018 11:23:28.424868107 CEST | kBytes transferred: 0 | Direction: OUT
Data:
  GET /friendly.js HTTP/1.1
  Accept: text/html, application/xhtml+xml, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: aqc223.adfrend.com
  DNT: 1
  Connection: Keep-Alive

Timestamp: Aug 7, 2018 11:23:29.042680979 CEST | kBytes transferred: 1 | Direction: IN
Data:
  HTTP/1.1 200 OK
  Cache-Control: no-cache
  Pragma: no-cache
  Content-Type: text/javascript; charset=utf-8
  Content-Encoding: gzip
  Expires: -1
  Vary: Accept-Encoding
  Server: Microsoft-IIS/7.5
  P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA div COM NAV OTC NOI DSP COR"
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET
  Date: Tue, 07 Aug 2018 09:23:26 GMT
  Content-Length: 333
  Data Raw / Data Ascii: 333-byte gzip-compressed response body (hex and ASCII dump omitted)
Code Manipulations
Statistics
Behavior
• iexplore.exe
• iexplore.exe
• wscript.exe
System Behavior
Analysis Process: iexplore.exe PID: 2056 Parent PID: 548
General
Start time: 11:23:26
Start date: 07/08/2018
Path: C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase: 0xd80000
File size: 815312 bytes
MD5 hash: CA1F703CD665867E8132D2946FB55750
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
Source File Path Access Attributes Options Completion Count Address Symbol
Source File Path Completion Count Address Symbol
Source Old File Path New File Path Completion Count Address Symbol
Source File Path Offset Length Value Ascii Completion Count Address Symbol
Source File Path Offset Length Completion Count Address Symbol
Registry Activities
Source Key Path Completion Count Address Symbol
Source Key Path Name Type Data Completion Count Address Symbol
Source Key Path Name Type Old Data New Data Completion Count Address Symbol
Analysis Process: iexplore.exe PID: 1900 Parent PID: 2056
General
Start time: 11:23:27
Start date: 07/08/2018
Path: C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2056 CREDAT:275457 /prefetch:2
Imagebase: 0xd80000
File size: 815312 bytes
MD5 hash: CA1F703CD665867E8132D2946FB55750
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
Source File Path Access Attributes Options Completion Count Address Symbol
Source File Path Offset Length Value Ascii Completion Count Address Symbol
Source File Path Offset Length Completion Count Address Symbol
Registry Activities
Source Key Path Name Type Old Data New Data Completion Count Address Symbol
Analysis Process: wscript.exe PID: 3104 Parent PID: 2056
General
Start time: 11:23:50
Start date: 07/08/2018
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CMFZC4R\friendly.js'
Imagebase: 0x4c0000
File size: 141824 bytes
MD5 hash: 979D74799EA6C8B8167869A68DF5204A
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
Source File Path Offset Length Completion Count Address Symbol
Registry Activities
Key Created
Source | Key Path                                                   | Completion      | Count | Address | Symbol
       | HKEY_USERS\Software\Microsoft\Windows script Host          | success or wait | 1     | 4C4109  | RegCreateKeyExW
       | HKEY_USERS\Software\Microsoft\Windows script Host\Settings | success or wait | 1     | 4C4109  | RegCreateKeyExW
Disassembly