Threat Analysis Report
Summary
Threat Level: Malicious
File Name: sample2.js
MD5 Hash Identifier: 580E637B97B16698CC750B445223D5C0
SHA-1 Hash Identifier: 07E507426F72522DABFECF91181D7F64DC3B8D23
SHA-256 Hash Identifier: 790999F47B2FA4396FF6B0A6916E295D832A12B3495A87590C859A1FE9D73245
File Size: 3586 bytes
File Type: ASCII text
File Submitted: 2015-11-06 09:26:23
Duration: 38 seconds
Sandbox Replication: 27 seconds
Engine Analysis
Engine | Threat Name | Severity
GTI File Reputation | --- | Unverified
Gateway Anti-Malware | JS/Downloader.gen.f | Very High
Anti-Malware | JS/Downloader.gen.f | Very High
YARA Custom Rules | |
Sandbox | Malware.Dynamic | Very High
Final | | Very High
Sample is malicious: final severity level 5
Behavior Classification
Networking | Very High
Exploiting, Shellcode | High
Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection | Unverified
Spreading | Unverified
Persistence, Installation Boot Survival | Unverified
Hiding, Camouflage, Stealthiness, Detection and Removal Protection | Unverified
Data spying, Sniffing, Keylogging, Ebanking Fraud | Unverified
Dynamic Analysis
Action | Severity
Malware behavior: networking activities from non-executable file | Very High
ATTENTION: connection made to a malicious website (see Web/URL reputation for details) | Very High
Detected suspicious Java Script content | High
Downloaded data from a webserver | Low
Modified INTERNET_OPTION_CONNECT_RETRIES: number of times that WinInet attempts to resolve and connect to a host | Low
Connected to a specific service provider | Low
Cracks a URL into its component parts | Informational
GTI Web/URL Reputation
Connected Sites: 2
URL | Port | Reputation | Category Name | Risk Group | Functional Group
REVAULT.ME | 80 | Medium Risk | ------
REVAULT.ME/DOC.CSS | 80 | High Risk | Malicious Sites | Security Risk/Fraud/Crime
Processes Analyzed
Name | Reason | Severity
sample2.js | loaded by MATD Analyzer | Very High
sample2.js
Run-Time Dlls: 2
advapi32.dll
kernel32.dll
File Operations: 7
Files Opened
File Name | Access Mode | File Attributes
C:\Program Files\...\Temp\fd5cc082-4041-4915-96fc-a43c32cfbc0d.js | Read | 8000000
C:\Users\ADMINI~1\AppData\Local\Temp\install.js | Read | 8000000
Files Read
C:\Program Files\...\Temp\fd5cc082-4041-4915-96fc-a43c32cfbc0d.js
C:\Users\ADMINI~1\AppData\Local\Temp\install.js
Memory Mapped Files
Created a file that can be used for memory mapping
Other
Obtained the path of the Windows system directory
Retrieved the full path for the module
Registry Operations: 21
Registry Created
HKCU\Software\Microsoft\Windows Script Host\Settings
HKLM\Software\Microsoft\Windows Script Host\Settings
Registry Opened
HKCR\.js
HKCR\JSFile\ScriptEngine
HKCU\Software\Microsoft\Windows Script Host\Settings
HKLM\Software\Microsoft\Windows Script Host\Settings
Registry Read
HKCR\.js
HKCR\JSFile\ScriptEngine
HKCU\Software\Microsoft\Windows Script Host\Settings DisplayLogo
HKCU\Software\Microsoft\Windows Script Host\Settings Enabled
HKCU\Software\Microsoft\Windows Script Host\Settings LogSecuritySuccesses
HKCU\Software\Microsoft\Windows Script Host\Settings Timeout
HKCU\Software\Microsoft\Windows Script Host\Settings TrustPolicy
HKCU\Software\Microsoft\Windows Script Host\Settings UseWINSAFER
HKLM\Software\Microsoft\Windows Script Host\Settings DisplayLogo
HKLM\Software\Microsoft\Windows Script Host\Settings Enabled
HKLM\Software\Microsoft\Windows Script Host\Settings IgnoreUserSettings
HKLM\Software\Microsoft\Windows Script Host\Settings LogSecuritySuccesses
HKLM\Software\Microsoft\Windows Script Host\Settings Timeout
HKLM\Software\Microsoft\Windows Script Host\Settings TrustPolicy
HKLM\Software\Microsoft\Windows Script Host\Settings UseWINSAFER
Process Operations: 14
Process Created
Process Name | Module
"c:\windows\system32\wscript.exe" | c:\windows\system32\wscript.exe "c:\users\admini~1\appdata\local\temp\install.js"
{00000323-0000-0000-C000-000000000046}
{0000032A-0000-0000-C000-000000000046}
{06290BD1-48AA-11D2-8432-006008C3FBFC}
{0D43FE01-F093-11CF-8940-00A0C9054228}
{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
{6C736DB1-BD94-11D0-8A23-00AA00B58E10}
{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
{A47979D2-C419-11D9-A5B4-001185AD2B89}
{C39EE728-D419-4BD4-A3EF-EDA059DBD935}
{DCB00C01-570F-4A9B-8D69-199FDBA5723B}
{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}
Process killed
Ended itself and all of its threads
Thread Created e2f25
Network Operations: 23
Other
Cracked the URL into its component parts: HTTP://REVAULT.ME/DOC.CSS
Headers: , HeaderLength: 0, Optional: , OptionalLength: 0
Initialized the WinINet functions, Agent name: mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; wow64; trident/7.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e), Access type: PRECONFIG, Flags: PORT_NUMBER
Opened a HTTP or FTP session for a given site: REVAULT.ME
Set an Internet option: 2
Set an Internet option: 2d
Set an Internet option: 3a
Set an Internet option: 3e
Set an Internet option: 41
Set an Internet option: 44
Set an Internet option: 5
Set an Internet option: 56
Set an Internet option: 58
Set an Internet option: 6
Set an Internet option: 64
Set an Internet option: 65
Set an Internet option: 66
Set an Internet option: 6c
Set an Internet option: 7a
Set an Internet option: 7b
Set an Internet option: 8c
Set an Internet option: 9b
Verb: get, ObjectName: /doc.css, Version: , Referer: , Flags: 400000, Context: 793ed8
Analysis Environment
Microsoft Windows 7 Enterprise Edition Service Pack 1 (build 7601, version 6.1.7601), 64-bit
Internet Explorer version: 9
Microsoft Office version: 2013
PDF Reader version: 9.0
No Flash player installed
Flash player plugin version: 13.0.0.231
Platform Version 3.4.8.96.50610
Copyright © 2015 McAfee, Inc., 2821 Mission College Blvd, Santa Clara, CA 95054, www.intelsecurity.com