263cf261...7869 | Network
VTI SCORE: 100/100
Target: win10_64 | windows_script_file
Classification: Dropper, Downloader

263cf261a45e5d9cf420e9b5ccda364d3765a439623cbd7be64daf8cc57d7869 (SHA256)

Paquete_id345634563.PDF.js

JScript

Created at 2018-05-02 13:26:00

Connection Overview

Contacted Hosts (2)

Hostname               | IP Address      | Location        | Protocols       | Reputation Status
www.wkc.co.id          | 156.67.210.210  | Singapore       | HTTPS, TCP      | Unknown
www.fuente-ovejuna.cz  | 46.28.105.149   | Czech Republic  | HTTP, DNS, TCP  | Unknown
Contacted URLs (2)

URL                                                    | Categories | Names | HTTP Status Code      | Reputation Status
https://www.wkc.co.id/heritage58.com/js/lib/inode.jpg  | -          | -     | -                     | Unknown
www.fuente-ovejuna.cz/admin/includes/css.php           | -          | -     | HTTP_STATUS_OK (200)  | Unknown

Connections

DNS (1)

Operation     | Additional Information                                     | Success | Count
Resolve Name  | host = www.fuente-ovejuna.cz, address_out = 46.28.105.149  | True    | 1

Only one name resolution was logged. No DNS operation for www.wkc.co.id appears in the report, although the host was contacted over HTTPS in HTTP Session #1.
HTTP Sessions (2)

Information           | Value
Total Data Sent       | 0.57 KB
Total Data Received   | 0.00 KB
Contacted Host Count  | 2
Contacted Hosts       | www.wkc.co.id, www.fuente-ovejuna.cz
HTTP Session #1

Information         | Value
Used COM interface  | MSXML2.XMLHTTP
User Agent          | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)
Server Name         | www.wkc.co.id
Server Port         | 443
Data Sent           | 0.34 KB
Data Received       | 0.00 KB

Operation          | Additional Information                                                                                                                                                                                                                                              | Success | Count
Open Session       | user_agent = Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS | True    | 1
Open Connection    | protocol = https, server_name = www.wkc.co.id, server_port = 443                                                                                                                                                                                                   | True    | 1
Open HTTP Request  | http_verb = GET, http_version = HTTP 1.1, target_resource = /heritage58.com/js/lib/inode.jpg                                                                                                                                                                        | True    | 1
Send HTTP Request  | url = https://www.wkc.co.id/heritage58.com/js/lib/inode.jpg                                                                                                                                                                                                         | True    | 1
Read Response      | size_out = 0                                                                                                                                                                                                                                                        | True    | 1

The script issued the GET through the MSXML2.XMLHTTP COM object, but the response read returned 0 bytes (Data Received 0.00 KB, and no HTTP status code is recorded for this URL), so no payload was retrieved from this URL during the analysis.
HTTP Session #2

Information   | Value
User Agent    | Mozilla/3.0 (compatible; Indy Library)
Server Name   | www.fuente-ovejuna.cz
Server Port   | 80
Data Sent     | 0.23 KB
Data Received | 0.00 KB

Operation          | Additional Information                                                                                                                                                                                                          | Success | Count
Open Session       | user_agent = Mozilla/3.0 (compatible; Indy Library), access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS                                                   | True    | 1
Open Connection    | protocol = http, server_name = www.fuente-ovejuna.cz, server_port = 80                                                                                                                                                          | True    | 1
Open HTTP Request  | http_verb = POST, http_version = HTTP/1.0, target_resource = /admin/includes/css.php                                                                                                                                           | True    | 1
Send HTTP Request  | headers = content-length: 42, connection: keep-alive, accept: text/html, */*, user-agent: Mozilla/3.0 (compatible; Indy Library), host: www.fuente-ovejuna.cz, content-type: application/x-www-form-urlencoded, url = www.fuente-ovejuna.cz/admin/includes/css.php | True    | 1

Unlike Session #1, this session is not attributed to a COM interface, and its User-Agent is the default string of the Indy (Internet Direct) networking components used by Delphi and C++Builder programs rather than the Internet Explorer string used by the script. The POST carries a 42-byte application/x-www-form-urlencoded body over plain HTTP/1.0; the body itself is not shown in the report, and the server answered 200 with no response data recorded.
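As an added triage example, not VMRay output and not part of the original report, the Python below transcribes the two HTTP session records from the tables above into plain dicts and runs a few heuristics over them: a download through MSXML2.XMLHTTP whose path ends in an image extension, a non-browser client-library User-Agent, a small form-encoded POST that received nothing back, and more than one User-Agent within a single analysis run. It then collects the hosts, URLs and User-Agents as indicators. The record fields, heuristic names and thresholds are my own choices; the second URL is given an explicit http:// scheme that the report omits but that follows from protocol = http, server_port = 80.

```python
"""Heuristic triage of the two HTTP sessions in the report above.

Added example, not VMRay's code or API. The SESSIONS list is transcribed
by hand from the report tables; request bodies are not in the report and
are therefore not modelled.
"""
import re
from urllib.parse import urlsplit

# Constructed from the report's HTTP Session #1 / #2 tables.
SESSIONS = [
    {
        "id": 1,
        "com_interface": "MSXML2.XMLHTTP",
        "user_agent": ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Win64; x64; "
                       "Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; "
                       ".NET CLR 2.0.50727; .NET CLR 3.0.30729)"),
        "method": "GET",
        "http_version": "HTTP/1.1",
        "url": "https://www.wkc.co.id/heritage58.com/js/lib/inode.jpg",
        "headers": {},
        "bytes_received": 0,
        "status": None,          # no status code recorded in the report
    },
    {
        "id": 2,
        "com_interface": None,   # report lists no COM interface for this session
        "user_agent": "Mozilla/3.0 (compatible; Indy Library)",
        "method": "POST",
        "http_version": "HTTP/1.0",
        # scheme assumed from protocol = http, server_port = 80
        "url": "http://www.fuente-ovejuna.cz/admin/includes/css.php",
        "headers": {"content-length": "42",
                    "content-type": "application/x-www-form-urlencoded"},
        "bytes_received": 0,
        "status": 200,
    },
]

IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp)$", re.I)
# Default User-Agent of an HTTP client library compiled into a program,
# not a browser a user would drive. Hypothetical list; extend as needed.
LIBRARY_UA_PATTERNS = [re.compile(r"Indy Library", re.I)]
SMALL_POST_LIMIT = 256  # bytes; arbitrary threshold for a check-in sized body


def triage_session(s):
    """Return a list of (tag, reason) findings for one session record."""
    findings = []
    path = urlsplit(s["url"]).path
    if s["com_interface"] == "MSXML2.XMLHTTP" and s["method"] == "GET":
        reason = f"XMLHTTP download of {path}"
        if IMAGE_EXT.search(path):
            reason += " (image extension on a payload URL)"
        findings.append(("script_download", reason))
    for pat in LIBRARY_UA_PATTERNS:
        if pat.search(s["user_agent"]):
            findings.append(("library_user_agent", f"client library UA: {s['user_agent']}"))
    ctype = s["headers"].get("content-type", "")
    clen = int(s["headers"].get("content-length", "0"))
    if (s["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded")
            and clen < SMALL_POST_LIMIT and s["bytes_received"] == 0):
        findings.append(("small_post_beacon", f"{clen}-byte POST to {path}, empty response"))
    if s["method"] == "GET" and s["bytes_received"] == 0:
        findings.append(("empty_download", "GET received 0 bytes"))
    return findings


def triage_all(sessions):
    """Map session id -> findings, then add cross-session checks."""
    report = {s["id"]: triage_session(s) for s in sessions}
    user_agents = {s["user_agent"] for s in sessions}
    if len(user_agents) > 1:
        # Different UAs in one run point to more than one HTTP client component.
        for s in sessions:
            report[s["id"]].append(("multiple_user_agents",
                                    f"{len(user_agents)} distinct UAs in one run"))
    return report


def extract_iocs(sessions):
    """Hosts, URLs and User-Agents suitable for a blocklist or hunt query."""
    return {
        "hosts": sorted({urlsplit(s["url"]).hostname for s in sessions}),
        "urls": sorted(s["url"] for s in sessions),
        "user_agents": sorted({s["user_agent"] for s in sessions}),
    }


if __name__ == "__main__":
    for sid, found in triage_all(SESSIONS).items():
        print(f"session {sid}:")
        for tag, reason in found:
            print(f"  [{tag}] {reason}")
    print(extract_iocs(SESSIONS))
```

Session #1 is tagged as a script download of an image-named resource that returned nothing, Session #2 as a library-User-Agent client sending a small form-encoded POST with an empty response, and both inherit the multiple-User-Agent flag. The User-Agent strings and the two URLs are the indicators worth carrying into proxy or DNS logs; the IP addresses in the report belong to shared hosting and should be treated as weaker evidence than the hostnames.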