Malicious Javascript from MYOB Email Attack | VTI by Score
Try VMRay Analyzer
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 11 |
| VTI Rule Type | Scripts |
|
Anti Analysis | Try to detect virtual machine |
|
|
Readout system information, commonly used to detect VMs via registry. (Value "VendorIdentifier" in key "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0").
|
|||
|
|
Injection | Write into memory of another process |
|
|
"c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe" modifies memory of "c:\windows\syswow64\dllhost.exe"
|
|||
|
|
Injection | Modify control flow of another process |
|
|
"c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\pst790mv.exe" alters context of "c:\windows\syswow64\dllhost.exe"
|
|||
|
|
PE | Execute dropped PE file |
|
|
Execute dropped file "c:\users\5p5nrg~1\appdata\local\temp\pst790mv.exe".
|
|||
|
|
Network | Check external IP address |
|
|
Check external IP by asking IP info service at "httpbin.org/ip".
|
|||
|
|
Network | Download data |
|
|
URL "https://moranaccountants-my.sharepoint.com/personal/lily_moranaccountants_com_au/_layouts/15/guestaccess.aspx?docid=03559bd7bd473450fab4c679cae4be913&authkey=AXWiRPNRVvwj9BsVKKyrAsc&e=259ca72ab9534857b5c3964310916b09".
|
|||
|
URL "httpbin.org/ip".
|
|||
|
|
Network | Connect to HTTP server |
|
|
URL "httpbin.org/ip".
|
|||
|
URL "https://moranaccountants-my.sharepoint.com/personal/lily_moranaccountants_com_au/_layouts/15/guestaccess.aspx?docid=03559bd7bd473450fab4c679cae4be913&authkey=AXWiRPNRVvwj9BsVKKyrAsc&e=259ca72ab9534857b5c3964310916b09".
|
|||
|
|
PE | Drop PE file |
|
|
Drop file "c:\users\5p5nrg~1\appdata\local\temp\pst790mv.exe".
|
|||
|
Drop file "c:\programdata\252e9d6f-46f0-4cf5-8686-f2a673c579a2\af77746e-8a65-4302-8042-f6017918c669.dll".
|
|||
|
|
Process | Create system object |
|
|
Create mutex with name "df7689e6-c49f-4a86-82e8-6809a406872a".
|
|||
|
|
Network | Connect to remote host |
|
|
Outgoing TCP connection to host "192.99.181.10:443".
|
|||
