Windows Analysis Report
Document-v23-08-15.js

Overview

General Information

Sample name: Document-v23-08-15.js
Analysis ID: 1558931
MD5: 2259006bb72bb1f4752bd035b4b00175
SHA1: d27dcb7a170d42cd2af5b2918dad70da1bea4b2b
SHA256: 2dbddc1b299419296c4e9fad92efdeaec4948bf165238a70c930c6fd02a4beb9
Tags: BruteRatelBruteRatelC4jsuser-k3dg3___
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found WSH timer for Javascript or VBS script (likely evasive script)
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

Source: unknown HTTPS traffic detected: 104.21.20.51:443 -> 192.168.2.4:49730 version: TLS 1.2
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /merd.php HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows InstallerHost: fwaax.life
Source: global traffic DNS traffic detected: DNS query: fwaax.life
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 19 Nov 2024 23:16:58 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-storeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nDrFQ7KtHKQLqfcOR7LyojyWJ9v%2Bna9sgHCI%2B9Zrw7FMzNGBapYCCxfP2EUMXpZpEEP8VmBsTUOASmRv2OC8vvo3sKvwdh%2Fmt7n9t%2FanFS9daa5Gyrorv%2FUmTVZl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e53e93a08ca80cd-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1702&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2823&recv_bytes=726&delivery_rate=1645070&cwnd=177&unsent_bytes=0&cid=038c61eb76d74b7d&ts=508&x=0"
Source: wscript.exe, 00000000.00000003.1673173052.0000016240C06000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1806043328.000001623EEB0000.00000004.00000020.00020000.00000000.sdmp, Document-v23-08-15.js String found in binary or memory: https://fwaax.life/merd.php
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 104.21.20.51:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary
barindex
Sample has a suspicious name (potential lure to open the executable)
Source: Document-v23-08-15.js Static file information: Suspicious name
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Microsoft Windows Installer HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C1090-0000-0000-C000-000000000046} Jump to behavior
Java / VBScript file with very long strings (likely obfuscated code)
Source: Document-v23-08-15.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal52.winJS@2/0@1/1
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document-v23-08-15.js"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\msiexec.exe TID: 7468 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1558931 Sample: Document-v23-08-15.js Startdate: 20/11/2024 Architecture: WINDOWS Score: 52 12 fwaax.life 2->12 16 Sample has a suspicious name (potential lure to open the executable) 2->16 18 Sigma detected: WScript or CScript Dropper 2->18 6 wscript.exe 1 2->6         started        9 msiexec.exe 2->9         started        signatures3 process4 dnsIp5 20 Windows Scripting host queries suspicious COM object (likely to drop second stage) 6->20 14 fwaax.life 104.21.20.51, 443, 49730 CLOUDFLARENETUS United States 9->14 signatures6
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.20.51
 fwaax.life United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
fwaax.life 104.21.20.51 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://fwaax.life/merd.php false
  • Avira URL Cloud: safe
 unknown