
Threat Analysis Report

Summary

Threat Level:            Malicious
File Name:               sample2.js
MD5 Hash Identifier:     580E637B97B16698CC750B445223D5C0
SHA-1 Hash Identifier:   07E507426F72522DABFECF91181D7F64DC3B8D23
SHA-256 Hash Identifier: 790999F47B2FA4396FF6B0A6916E295D832A12B3495A87590C859A1FE9D73245
File Size:               3586 bytes
File Type:               ASCII text
File Submitted:          2015-11-06 09:26:23
Duration:                38 seconds (Sandbox), 27 seconds (Replication)

Engine Analysis

Engine                 Threat Name            Severity
GTI File Reputation    ---                    Unverified
Gateway Anti-Malware   JS/Downloader.gen.f    Very High
Anti-Malware           JS/Downloader.gen.f    Very High
YARA Custom Rules
Sandbox                Malware.Dynamic        Very High
Final                                         Very High

Sample is malicious: final severity level 5

Behavior Classification

Classification                                                                                   Severity
Networking                                                                                       Very High
Exploiting, Shellcode                                                                            High
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection      Unverified
Spreading                                                                                        Unverified
Persistence, Installation Boot Survival                                                          Unverified
Hiding, Camouflage, Stealthiness, Detection and Removal Protection                               Unverified
Data spying, Sniffing, Keylogging, Ebanking Fraud                                                Unverified

Dynamic Analysis

Action                                                                                                          Severity
Malware behavior: networking activities from non-executable file                                                Very High
ATTENTION: connection made to a malicious website (see Web/URL reputation for details)                          Very High
Detected suspicious Java Script content                                                                         High
Downloaded data from a webserver                                                                                Low
Modified INTERNET_OPTION_CONNECT_RETRIES: number of times that WinInet attempts to resolve and connect to a host   Low
Connected to a specific service provider                                                                        Low
Cracks a URL into its component parts                                                                           Informational

GTI Web/URL Reputation

Connected Sites: 2

URL                   Port   Reputation     Category Name      Risk Group   Functional Group
REVAULT.ME            80     Medium Risk    ---
REVAULT.ME/DOC.CSS    80     High Risk      Malicious Sites    Security     Risk/Fraud/Crime

Processes Analyzed

Name          Reason                     Severity
sample2.js    loaded by MATD Analyzer    Very High

sample2.js

Run-Time Dlls: 2
advapi32.dll
kernel32.dll

File Operations: 7

Files Opened

File Name                                                            Access Mode   File Attributes
C:\Program Files\...\Temp\fd5cc082-4041-4915-96fc-a43c32cfbc0d.js    Read          8000000
C:\Users\ADMINI~1\AppData\Local\Temp\install.js                      Read          8000000

Files Read

C:\Program Files\...\Temp\fd5cc082-4041-4915-96fc-a43c32cfbc0d.js
C:\Users\ADMINI~1\AppData\Local\Temp\install.js

Memory Mapped Files

Created a file that can be used for memory mapping

Other

Obtained the path of the Windows system directory
Retrieved the full path for the module

Registry Operations: 21

Registry Created

HKCU\Software\\\Settings
HKLM\Software\Microsoft\Windows Script Host\Settings

Registry Opened

HKCR\.js
HKCR\JSFile\ScriptEngine
HKCU\Software\Microsoft\Windows Script Host\Settings
HKLM\Software\Microsoft\Windows Script Host\Settings

Registry Read

Key                                                     Value
HKCR\.js
HKCR\JSFile\ScriptEngine
HKCU\Software\Microsoft\Windows Script Host\Settings    DisplayLogo
HKCU\Software\Microsoft\Windows Script Host\Settings    Enabled
HKCU\Software\Microsoft\Windows Script Host\Settings    LogSecuritySuccesses
HKCU\Software\Microsoft\Windows Script Host\Settings    Timeout
HKCU\Software\Microsoft\Windows Script Host\Settings    TrustPolicy
HKCU\Software\Microsoft\Windows Script Host\Settings    UseWINSAFER
HKLM\Software\Microsoft\Windows Script Host\Settings    DisplayLogo
HKLM\Software\Microsoft\Windows Script Host\Settings    Enabled
HKLM\Software\Microsoft\Windows Script Host\Settings    IgnoreUserSettings
HKLM\Software\Microsoft\Windows Script Host\Settings    LogSecuritySuccesses
HKLM\Software\Microsoft\Windows Script Host\Settings    Timeout
HKLM\Software\Microsoft\Windows Script Host\Settings    TrustPolicy
HKLM\Software\Microsoft\Windows Script Host\Settings    UseWINSAFER

Process Operations: 14

Process Created

Process Name:  "c:\windows\system32\wscript.exe" "c:\users\admini~1\appdata\local\temp\install.js"
Module:        c:\windows\system32\wscript.exe
               {00000323-0000-0000-C000-000000000046}
               {0000032A-0000-0000-C000-000000000046}
               {06290BD1-48AA-11D2-8432-006008C3FBFC}
               {0D43FE01-F093-11CF-8940-00A0C9054228}
               {1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
               {6C736DB1-BD94-11D0-8A23-00AA00B58E10}
               {7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
               {A47979D2-C419-11D9-A5B4-001185AD2B89}
               {C39EE728-D419-4BD4-A3EF-EDA059DBD935}
               {DCB00C01-570F-4A9B-8D69-199FDBA5723B}
               {F414C260-6AC0-11CF-B6D1-00AA00BBBB58}

Process killed

Ended itself and all of its threads

Thread Created

e2f25

Network Operations: 23

Other

Cracked the URL into its component parts: HTTP://REVAULT.ME/DOC.CSS
Headers: , HeaderLength: 0, Optional: , OptionalLength: 0
Initialized the WinINet functions, Agent name: mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; wow64; /7.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e), Access type: PRECONFIG
Flags: PORT_NUMBER
Opened a HTTP or FTP session for a given site: REVAULT.ME
Set an Internet option: 2
Set an Internet option: 2d
Set an Internet option: 3a
Set an Internet option: 3e
Set an Internet option: 41
Set an Internet option: 44
Set an Internet option: 5
Set an Internet option: 56
Set an Internet option: 58
Set an Internet option: 6
Set an Internet option: 64
Set an Internet option: 65
Set an Internet option: 66
Set an Internet option: 6c
Set an Internet option: 7a
Set an Internet option: 7b
Set an Internet option: 8c
Set an Internet option: 9b
Verb: get, ObjectName: /doc., Version: , Referer: , Flags: 400000, Context: 793ed8

Analysis Environment

Microsoft Enterprise Edition Service Pack 1 (build 7601, version 6.1.7601), 64-bit
version: 9
Microsoft Office version: 2013
PDF Reader version: 9.0
No Flash player installed
Flash player plugin version: 13.0.0.231
Platform Version 3.4.8.96.50610

Copyright © 2015 McAfee, Inc., 2821 Mission College Blvd, Santa Clara, CA 95054, www.intelsecurity.com