MAS_0.5-CRC32_6304474C.cmd
This report is generated from a file or URL submitted to this webservice on December 19th 2018 14:07:01 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.20 © Hybrid Analysis
Incident Response
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
-
Malicious Indicators 1
-
Installation/Persistance
-
Found an indicator for a scheduled task trigger
- details
-
"ec>
</Actions>
</Task>
REM (Re)activate xml End
::
REM Run_Once xml Start
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Source>Microsoft Corporation</Source>
<Date>1999-01-01T12:00:00.34375</Date>
<Author>rpo/WindowsAddict</Author>
<Version>1.0</Version>
<Description>Online_KMS_Activation_Script-Run_Once - Run and Delete itself on first Internet Contact</Description>
<URI>\Online_KMS_Activation_Script-Run_Once</URI>
<SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;LS)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<LogonTrigger>
<Enabled>true</Enabled>
</LogonTrigger>
</Triggers>
<Principals>
<Principal id="LocalSystem">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>" (Indicator: "LogonTrigger"; File: "5f75bc69d5c2e6bc6f58e6aa0db8ed25355a1bf342d96c2adeccd414478c7989.bin") - source
- File/Memory
- relevance
- 5/10
- ATT&CK ID
- T1168 (Show technique in the MITRE ATT&CK™ matrix)
-
Found an indicator for a scheduled task trigger
-
Suspicious Indicators 3
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/67 reputation engines marked "http://abbodi1406.square7.ch" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
-
Remote Access Related
-
Contains indicators of bot communication commands
- details
-
"_Once Exit 1651565635 & Rem Dummy Numbers To Show Error In Task
echo.
pause
goto:EOF
)
echo Waiting 30 s&timeout /t 30>nul
set /a loop=%loop%+1
goto repeat
)
echo Internet is connected.
echo.
set "servers="
set "servers=%servers% kms.digiboy.i"
set "servers=%servers%r"
set "servers=%servers% kms.mrxn.n"
set "servers=%servers%et"
set "servers=%servers% kms8.MSGuides.c"
set "servers=%servers%om"
set "servers=%servers% kms9.MSGuides.c"
set "servers=%servers%om"
set "servers=%servers% kms.chinancce.c"
set "servers=%servers%om"
set "servers=%servers% kms.library.h"
set "servers=%servers%k"
set "servers=%servers% kms.03k.o"
set "servers=%servers%rg"
set "servers=%servers% kms.digiboy.i"
set "servers=%servers%r"
set n=1&for %%a in (%servers%) do (set server[!n!]=%%a&set /A n+=1)&set /a max_servers=!n!-1
set server_num=1
:server
set /a activation_ok=1
if %server_num% gtr !max_servers! (
if defined Renewal_Task (echo No KMS server available. Ex" (Indicator: "servers=") - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1094 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains indicators of bot communication commands
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
- "wscript.exe" wrote bytes "711177027a3b7602ab8b02007f950200fc8c0200729602006cc805001ecd73027d267302" to virtual address "0x753107E4" (part of module "USER32.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Installs hooks/patches the running process
-
Informative 4
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/56 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as clean by Antivirus engines
-
Installation/Persistance
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "wscript.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"wscript.exe" touched file "%WINDIR%\SysWOW64\wscript.exe"
"wscript.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"wscript.exe" touched file "%WINDIR%\SysWOW64\rsaenh.dll"
"wscript.exe" touched file "%WINDIR%\SysWOW64\en-US\jscript.dll.mui"
"wscript.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
"wscript.exe" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui" - source
- API Call
- relevance
- 7/10
-
Opens the MountPointManager (often used to detect additional infection locations)
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://forums.mydigitallife.net/posts/838808"
Pattern match: "https://forums.mydigitallife.net/posts/1479890"
Pattern match: "https://forums.mydigitallife.net/posts/1150042"
Pattern match: "https://pastebin.com/raw/WK5YHaEM"
Pattern match: "https://anonfile.com/X0Zc76k4bd/"
Pattern match: "https://github.com/vyvojar/slshim/releases"
Pattern match: "https://tinyurl.com/y86za5zq"
Pattern match: "https://github.com/AveYo/Compressed2TXT"
Pattern match: "www.google.com"
Pattern match: "https://forums.mydigitallife.net/posts/1221231"
Pattern match: "http://schemas.microsoft.com/windows/2004/02/mit/task"
Pattern match: "https://www.nsaneforums.com/topic/316668--/" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
File Details
MAS_0.5-CRC32_6304474C.cmd
- Filename
- MAS_0.5-CRC32_6304474C.cmd
- Size
- 1.1MiB (1160046 bytes)
- Type
- script javascript
- Description
- ASCII text, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- 5f75bc69d5c2e6bc6f58e6aa0db8ed25355a1bf342d96c2adeccd414478c7989
- MD5
- ddc5e7e36887f02528605bc690f3b583
- SHA1
- e391397c036fd9ec7d4f5e207997f51a99e6e769
Screenshots
Loading content, please wait...
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 1 process in total.
- wscript.exe "C:\MAS_0.5-CRC32_6304474C.cmd.js" (PID: 3584)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.