Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
download.js

Overview

General Information

Sample name:download.js
Analysis ID:1559082
MD5:7f16b7d60038083c561ff299c1c6bba0
SHA1:a54454390875024cdfa20f2b7ff09775ed05aa4a
SHA256:1e2f3f3be9eda8c98dbe2fbf903fa9185b9b1612553be334a87985223cd07b02
Tags:jsKongTukeps1user-monitorsg
Infos:

Detection

Score:22
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Sigma detected: WScript or CScript Dropper
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 7404 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
No yara matches

System Summary

barindex
Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", ProcessId: 7404, ProcessName: wscript.exe
Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js", ProcessId: 7404, ProcessName: wscript.exe
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results
Source: download.jsInitial sample: Strings found which are bigger than 50
Source: classification engineClassification label: sus22.winJS@1/0@0/0
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information2
Scripting
Valid AccountsWindows Management Instrumentation2
Scripting
1
DLL Side-Loading
1
DLL Side-Loading
OS Credential Dumping2
System Information Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading
Boot or Logon Initialization Scripts1
Obfuscated Files or Information
LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
download.js8%ReversingLabsWin32.Trojan.Generic
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1559082
Start date and time:2024-11-20 06:58:19 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 4s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:download.js
Detection:SUS
Classification:sus22.winJS@1/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .js
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com
  • VT rate limit hit for: download.js
No simulations
No context
No context
No context
No context
No context
No created / dropped files found
File type:ASCII text, with very long lines (12128), with CRLF line terminators
Entropy (8bit):6.0567661116192975
TrID:
    File name:download.js
    File size:20'635 bytes
    MD5:7f16b7d60038083c561ff299c1c6bba0
    SHA1:a54454390875024cdfa20f2b7ff09775ed05aa4a
    SHA256:1e2f3f3be9eda8c98dbe2fbf903fa9185b9b1612553be334a87985223cd07b02
    SHA512:efcf0889f5b8786ad4d690e9d9dc8aadff7c9b905f02b5866741c1081b66df1ad5b9dc069d0b529df51effe859e0a5a7950dba7f7ffec1e4e9b3e7bd0ea746d9
    SSDEEP:384:2GodVbU43mNQTL9Rmbq8se0nI0jXqFAlLObetSOiRiye2JwzQ5HPeq6eL:2Gu0q8QXqmlLO+NisquQ5HL
    TLSH:B7928D857BCCE8D146C4CC9D86471D087A5598BDD027FFC5BBAADA8137477429F09D80
    File Content Preview:$lkcqxwrs=$executioncontext;$isenalalarbeinonaterreer = -join (0..54 | ForEach-Object {[char]([int]('1011001050981041021041031030981040960971031001041021041040971021041031001030981040' + '9610309810409710410309710309910210410410410310409810409610210410410
    Icon Hash:68d69b8bb6aa9a86
    No network behavior found

    Click to jump to process

    Click to jump to process

    Click to dive into process behavior distribution

    Target ID:0
    Start time:00:59:22
    Start date:20/11/2024
    Path:C:\Windows\System32\wscript.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\download.js"
    Imagebase:0x7ff7da680000
    File size:170'496 bytes
    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    No disassembly