Summary | ZeroBOX

JV8256491470.js

Category:  FILE
Machine:   s1_win7_x6402
Started:   June 25, 2021, 11:34 a.m.
Completed: June 25, 2021, 11:37 a.m.
Size:      3.9KB
Type:      ASCII text, with very long lines, with CRLF line terminators
MD5:       fba84df6b9bf9bd8f09b9fe20714b379
SHA256:    89ee3c5ae8900306571edddfe40ba964838e401d9b7c7eaf5f37576f8313915c
CRC32:     9BB2440F
ssdeep:    96:NjTrpT9ySUrHOaTkWD546SP2iTvNm04T2GyZ:5Tx9PUruaTkI4hO41m04a7
Yara:      None matched

DNS resolution (post-analysis lookup)
Name                 Response
myphamthanhtam.com   45.119.85.137

IP addresses contacted
IP Address       Status
13.209.83.196    Active
164.124.101.2    Active
172.217.25.14    Active
45.119.85.137    Active

Suricata Alerts

Flow: TCP 192.168.56.102:49806 -> 45.119.85.137:80 (all three alerts fire on this one HTTP flow, the download request to myphamthanhtam.com)
SID      Signature                                                    Category
2022550  ET MALWARE Possible Malicious Macro DL EXE Feb 2016          A Network Trojan was detected
2022566  ET MALWARE Possible Malicious Macro EXE DL AlphaNumL         A Network Trojan was detected
2022834  ET MALWARE Possible Malicious Macro DL BIN May 2016 (No UA)  A Network Trojan was detected

Suricata TLS

No Suricata TLS

request: GET http://myphamthanhtam.com/system/logs/87yhb54cdfy.exe
file:    C:\Users\test22\AppData\Local\Temp\GrqjmhgTY2.exe
host:    13.209.83.196
host:    172.217.25.14
API call trace (Time & API / Arguments / Status / Return / Repeated)

InternetCrackUrlW
    url: http://myphamthanhtam.com/system/logs/87yhb54cdfy.exe
    flags: 0
    status: 1   return: 1   repeated: 0

HttpOpenRequestW
    connect_handle: 0x00cc0008
    http_version: (empty)
    flags: 4194304 (0x00400000, INTERNET_FLAG_KEEP_CONNECTION; matches the Connection: Keep-Alive header sent below)
    http_method: GET
    referer: (empty)
    path: /system/logs/87yhb54cdfy.exe
    status: 1   return: 13369356 (0x00cc000c, the request handle passed to InternetReadFile)   repeated: 0

InternetReadFile
    buffer: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> <p>You don't have permission to access this resource.</p> </body></html>
    request_handle: 0x00cc000c
    status: 1   return: 1   repeated: 0
    Note: the body read back is the server's 403 Forbidden page, not a PE; the payload was no longer being served from this URL at analysis time, so whatever was written to GrqjmhgTY2.exe came from this error response.
file: C:\Users\test22\AppData\Local\Temp\GrqjmhgTY2.exe

API call trace (Time & API / Arguments / Status / Return / Repeated)

InternetCrackUrlW
    url: http://myphamthanhtam.com/system/logs/87yhb54cdfy.exe
    flags: 0
    status: 1   return: 1   repeated: 0

HttpOpenRequestW
    connect_handle: 0x00cc0008
    http_version: (empty)
    flags: 4194304
    http_method: GET
    referer: (empty)
    path: /system/logs/87yhb54cdfy.exe
    status: 1   return: 13369356   repeated: 0

send
    buffer: !
    socket: 800
    sent: 1
    status: 1   return: 1   repeated: 0

send
    buffer (raw HTTP request on socket 932; the CRLF line breaks are shown here as separate lines):
        GET /system/logs/87yhb54cdfy.exe HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)
        Host: myphamthanhtam.com
        Connection: Keep-Alive
    socket: 932
    sent: 323
    status: 1   return: 323   repeated: 0

send
    buffer: !
    socket: 800
    sent: 1
    status: 1   return: 1   repeated: 0
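The request above is what the three Suricata alerts fired on. The following is an added example, not ZeroBOX output and not the ET rule text: it parses the captured request and the 403 body from InternetReadFile, then applies heuristics of the kind the "Possible Malicious Macro DL EXE" family is named for (bare GET of an executable, wildcard Accept, no Referer, MSIE-compatible User-Agent) and checks whether the download actually produced a PE. The exact conditions of SIDs 2022550/2022566/2022834 are not on this page, so those checks are assumptions; the request is reconstructed with CRLFs since the report rendering collapsed them to spaces, and its encoded length matches the sent: 323 recorded for that send() call.

```python
# Added example for this report (not ZeroBOX output, not the ET rule text):
# parse the HTTP request captured in the send() buffer and the 403 body
# returned by InternetReadFile, then apply heuristics of the kind the
# ET "Possible Malicious Macro DL EXE" family targets.  The checks are
# assumptions about what such rules look for, not the signatures themselves.

# Request reconstructed with CRLFs (the report collapsed them to spaces).
# Its encoded length equals the "sent: 323" recorded for that send() call.
RAW_REQUEST = (
    "GET /system/logs/87yhb54cdfy.exe HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; "
    "Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; "
    ".NET CLR 3.0.30729; InfoPath.2; .NET4.0C; .NET4.0E)\r\n"
    "Host: myphamthanhtam.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# Body read back by InternetReadFile, copied from the report.
RESPONSE_BODY = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> '
    b'<title>403 Forbidden</title> </head><body> <h1>Forbidden</h1> '
    b"<p>You don't have permission to access this resource.</p> </body></html>"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def macro_dl_heuristics(req):
    """Return the indicator names that fire for one parsed request.
    A bare GET for an .exe/.bin with a wildcard Accept, no Referer and an
    MSIE-compatible User-Agent is the pattern these signatures are named for."""
    h = req["headers"]
    findings = []
    if req["method"] == "GET" and req["path"].lower().endswith((".exe", ".bin")):
        findings.append("executable-extension-path")
    if h.get("accept") == "*/*":
        findings.append("wildcard-accept")
    if "referer" not in h:
        findings.append("no-referer")
    if "compatible; MSIE" in h.get("user-agent", ""):
        findings.append("msie-compatible-user-agent")
    return findings


def classify_body(body):
    """Tell a real PE download apart from the server's error page."""
    if body[:2] == b"MZ":
        return "pe"
    low = body.lower()
    if b"<html" in low and b"403 forbidden" in low:
        return "http-403-page"
    return "other"


def analyse(raw_request=RAW_REQUEST, body=RESPONSE_BODY):
    """Summarise one request/response pair as an analyst would want it."""
    req = parse_request(raw_request)
    return {
        "host": req["headers"].get("host"),
        "url": "http://%s%s" % (req["headers"].get("host"), req["path"]),
        "request_bytes": len(raw_request.encode("ascii")),
        "findings": macro_dl_heuristics(req),
        "payload": classify_body(body),
    }


if __name__ == "__main__":
    for k, v in analyse().items():
        print("%-14s %s" % (k, v))
```

Running it reports the four indicators and classifies the payload as the 403 page, which is the practical point: the alerts are about the request shape, and the dropped file on disk should be checked for an MZ header before anyone treats it as the second stage.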
parent_process:  wscript.exe
martian_process: C:\Users\test22\AppData\Local\Temp\GrqjmhgTY2.exe
dead_host:       192.168.56.102:49818
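The parent_process/martian_process pair is the drop-and-execute pattern: the script host writes an executable into %TEMP% and then starts it. The following is an added example, not ZeroBOX output, showing how that lineage is detected by correlating file-write events with later process launches rather than by matching the file name. The event records are constructed from the report's process and file lines; timestamps, the benign rows and the set of script hosts watched are assumptions.

```python
# Added example for this report (not ZeroBOX output): correlate file writes
# with later process launches to flag the drop-and-execute pattern recorded
# above (wscript.exe writing GrqjmhgTY2.exe to %TEMP% and then starting it,
# which the sandbox labels a "martian" process).  The event records are
# constructed from the report's process and file lines; the timestamps and
# the benign rows are made up for illustration.
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # assumption: hosts to watch
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed events: "actor" is the process doing the write or the launch.
EVENTS = [
    {"ts": 1, "type": "file_write", "actor": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\test22\AppData\Local\Temp\GrqjmhgTY2.exe"},
    {"ts": 2, "type": "process_create", "actor": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\test22\AppData\Local\Temp\GrqjmhgTY2.exe"},
    {"ts": 3, "type": "process_create", "actor": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"ts": 4, "type": "process_create", "actor": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
]


def in_user_temp(path):
    """True when the path sits in a directory an unprivileged user can write to."""
    return any(m in path.lower() for m in TEMP_MARKERS)


def drop_and_execute(events):
    """Return {image: [reasons]} for every launched process with at least one
    indicator.  Events are processed in time order, so a write is only
    credited when it precedes the launch."""
    written_by = {}       # lower-cased path -> script host that wrote it
    hits = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor = ntpath.basename(ev["actor"]).lower()
        if ev["type"] == "file_write":
            if actor in SCRIPT_HOSTS:
                written_by[ev["path"].lower()] = actor
            continue
        if ev["type"] != "process_create":
            continue
        image = ev["image"]
        reasons = []
        if actor in SCRIPT_HOSTS:
            reasons.append("parent is script host " + actor)
        if image.lower() in written_by:
            reasons.append("image written earlier by " + written_by[image.lower()])
        if in_user_temp(image):
            reasons.append("image lives in a user-writable temp directory")
        if reasons:
            hits[image] = reasons
    return hits


def high_confidence(events, min_reasons=2):
    """Keep only launches with several independent indicators
    (the threshold is an assumption, tune it to the environment)."""
    return {img: r for img, r in drop_and_execute(events).items()
            if len(r) >= min_reasons}


if __name__ == "__main__":
    for image, reasons in drop_and_execute(EVENTS).items():
        print(image)
        for reason in reasons:
            print("   -", reason)
```

The temp-directory launch collects all three reasons, the wscript.exe to cmd.exe launch only one, and the explorer.exe to iexplore.exe launch none; requiring two or more reasons keeps the alert on the dropped binary without firing on every shell a script opens.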
Antivirus results (engine / detection)
MicroWorld-eScan Generic.JS.Downloader.644DBBF0
FireEye Generic.JS.Downloader.644DBBF0
CAT-QuickHeal JS.Dropper.CL
McAfee JS/Nemucod.da
Zillya Downloader.Nemucod.JS.16
Arcabit HEUR.JS.Trojan.b
Baidu JS.Trojan.Nemucod.q
F-Prot JS/Locky.D!Eldorado
Symantec Trojan.Gen.7
ESET-NOD32 JS/TrojanDownloader.Nemucod.GE
Avast JS:Decode-CGO [Trj]
Kaspersky HEUR:Exploit.Script.Generic
BitDefender Generic.JS.Downloader.644DBBF0
NANO-Antivirus Trojan.Script.Heuristic-js.iacgm
AegisLab Hacktool.Script.Generic.3!c
Ad-Aware Generic.JS.Downloader.644DBBF0
Sophos JS/DwnLdr-NEY
Comodo Malware@#3lm8pu8cj3w77
F-Secure Malware.HTML/ExpKit.Gen2
DrWeb JS.DownLoader.913
VIPRE Trojan-Downloader.JS.Locky.a (v)
TrendMicro HEUR_JSRANSOM.O2
McAfee-GW-Edition JS/Nemucod.da
Emsisoft Generic.JS.Downloader.644DBBF0 (B)
Ikarus Trojan-Ransom.Script.Locky
Cyren JS/Locky.D!Eldorado
Jiangmin TrojanDownloader.JS.auvc
Avira HTML/ExpKit.Gen2
Antiy-AVL Trojan/Win32.TGeneric
Microsoft TrojanDownloader:JS/Swabfex.P
ViRobot JS.S.Downloader.4022
ZoneAlarm HEUR:Exploit.Script.Generic
GData Script.Trojan-Downloader.Agent.NP@gen
AhnLab-V3 JS/Obfus.S13
ALYac Generic.JS.Downloader.644DBBF0
Rising Downloader.Nemucod!8.34 (TOPIS:E0:6zoMYUTbQQN)
MAX malware (ai score=85)
Fortinet JS/TrojanDownloader.gen!tr
AVG JS:Decode-CGO [Trj]
Qihoo-360 trojan.js.downloader.1
file: C:\Users\test22\AppData\Local\Temp\GrqjmhgTY2.exe