Sample2.Js Malware Summary


Threat Analysis Report Summary

  Threat Level:            Malicious
  File Name:               sample2.js
  MD5 Hash Identifier:     580E637B97B16698CC750B445223D5C0
  SHA-1 Hash Identifier:   07E507426F72522DABFECF91181D7F64DC3B8D23
  SHA-256 Hash Identifier: 790999F47B2FA4396FF6B0A6916E295D832A12B3495A87590C859A1FE9D73245
  File Size:               3586 bytes
  File Type:               ASCII text
  File Submitted:          2015-11-06 09:26:23
  Duration:                38 seconds
  Sandbox Replication Engine: 27 seconds

  Analysis Engine          Threat Name            Severity
  GTI File Reputation      ---                    Unverified
  Gateway Anti-Malware     JS/Downloader.gen.f    Very High
  Anti-Malware             JS/Downloader.gen.f    Very High
  YARA Custom Rules
  Sandbox                  Malware.Dynamic        Very High
  Final                                           Very High

  Sample is malicious: final severity level 5

Behavior Classification

  - Networking: Very High
  - Exploiting, Shellcode: High
  - Security Solution / Mechanism bypass, termination and removal, Anti Debugging, VM Detection: Unverified
  - Spreading: Unverified
  - Persistence, Installation Boot Survival: Unverified
  - Hiding, Camouflage, Stealthiness, Detection and Removal Protection: Unverified
  - Data spying, Sniffing, Keylogging, Ebanking Fraud: Unverified

Dynamic Analysis (Action / Severity)

  - Malware behavior: networking activities from non-executable file: Very High
  - ATTENTION: connection made to a malicious website (see Web/URL reputation for details): Very High
  - Detected suspicious Java Script content: High
  - Downloaded data from a webserver: Low
  - Modified INTERNET_OPTION_CONNECT_RETRIES: number of times that WinInet attempts to resolve and connect to a host: Low
  - Connected to a specific service provider: Low
  - Cracks a URL into its component parts: Informational

GTI Web/URL Reputation

  Connected Sites: 2

  URL                  Port  Reputation   Category Name    Risk Group                  Functional Group
  REVAULT.ME           80    Medium Risk  ---              ---                         ---
  REVAULT.ME/DOC.CSS   80    High Risk    Malicious Sites  Security Risk/Fraud/Crime   Risk Sites

Processes Analyzed (Name / Reason / Severity)

  - sample2.js: loaded by MATD Analyzer: Very High

sample2.js

  Run-Time Dlls: 2
    advapi32.dll
    kernel32.dll

  File Operations: 7
    Files Opened (File Name / Access Mode / File Attributes)
      C:\Program Files\...\Temp\fd5cc082-4041-4915-96fc-a43c32cfbc0d.js  Read  8000000
      C:\Users\ADMINI~1\AppData\Local\Temp\install.js  Read  8000000
    Files Read
      C:\Program Files\...\Temp\fd5cc082-4041-4915-96fc-a43c32cfbc0d.js
      C:\Users\ADMINI~1\AppData\Local\Temp\install.js
    Memory Mapped Files
      Created a file that can be used for memory mapping
    Other
      Obtained the path of the Windows system directory
      Retrieved the full path for the module

  Registry Operations: 21
    Registry Created
      HKCU\Software\Microsoft\Windows Script Host\Settings
      HKLM\Software\Microsoft\Windows Script Host\Settings
    Registry Opened
      HKCR\.js
      HKCR\JSFile\ScriptEngine
      HKCU\Software\Microsoft\Windows Script Host\Settings
      HKLM\Software\Microsoft\Windows Script Host\Settings
    Registry Read
      HKCR\.js
      HKCR\JSFile\ScriptEngine
      HKCU\Software\Microsoft\Windows Script Host\Settings DisplayLogo
      HKCU\Software\Microsoft\Windows Script Host\Settings Enabled
      HKCU\Software\Microsoft\Windows Script Host\Settings LogSecuritySuccesses
      HKCU\Software\Microsoft\Windows Script Host\Settings Timeout
      HKCU\Software\Microsoft\Windows Script Host\Settings TrustPolicy
      HKCU\Software\Microsoft\Windows Script Host\Settings UseWINSAFER
      HKLM\Software\Microsoft\Windows Script Host\Settings DisplayLogo
      HKLM\Software\Microsoft\Windows Script Host\Settings Enabled
      HKLM\Software\Microsoft\Windows Script Host\Settings IgnoreUserSettings
      HKLM\Software\Microsoft\Windows Script Host\Settings LogSecuritySuccesses
      HKLM\Software\Microsoft\Windows Script Host\Settings Timeout
      HKLM\Software\Microsoft\Windows Script Host\Settings TrustPolicy
      HKLM\Software\Microsoft\Windows Script Host\Settings UseWINSAFER

  Process Operations: 14
    Process Created (Process Name / Module)
      "c:\windows\system32\wscript.exe"
      c:\windows\system32\wscript.exe "c:\users\admini~1\appdata\local\temp\install.js"
      {00000323-0000-0000-C000-000000000046}
      {0000032A-0000-0000-C000-000000000046}
      {06290BD1-48AA-11D2-8432-006008C3FBFC}
      {0D43FE01-F093-11CF-8940-00A0C9054228}
      {1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
      {6C736DB1-BD94-11D0-8A23-00AA00B58E10}
      {7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}
      {A47979D2-C419-11D9-A5B4-001185AD2B89}
      {C39EE728-D419-4BD4-A3EF-EDA059DBD935}
      {DCB00C01-570F-4A9B-8D69-199FDBA5723B}
      {F414C260-6AC0-11CF-B6D1-00AA00BBBB58}
    Process Killed
      Ended itself and all of its threads
    Thread Created
      e2f25

  Network Operations: 23
    Other
      Cracked the URL into its component parts: HTTP://REVAULT.ME/DOC.CSS, Headers: , HeaderLength: 0, Optional: , OptionalLength: 0
      Initialized the WinINet functions, Agent name: mozilla/4.0 (compatible; msie 7.0; windows nt 6.1; wow64; trident/7.0; slcc2; .net clr 2.0.50727; .net clr 3.5.30729; .net clr 3.0.30729; media center pc 6.0; .net4.0c; .net4.0e), Access type: PRECONFIG, Flags: PORT_NUMBER
      Opened a HTTP or FTP session for a given site: REVAULT.ME
      Set an Internet option (one entry per value): 2, 2d, 3a, 3e, 41, 44, 5, 56, 58, 6, 64, 65, 66, 6c, 7a, 7b, 8c, 9b
      Verb: get, ObjectName: /doc.css, Version: , Referer: , Flags: 400000, Context: 793ed8

Analysis Environment

  Microsoft Windows 7 Enterprise Edition Service Pack 1 (build 7601, version 6.1.7601), 64-bit
  Internet Explorer version: 9
  Microsoft Office version: 2013
  PDF Reader version: 9.0
  No Flash player installed
  Flash player plugin version: 13.0.0.231
  Platform Version 3.4.8.96.50610

Copyright © 2015 McAfee, Inc., 2821 Mission College Blvd, Santa Clara, CA 95054, www.intelsecurity.com.
