Windows Analysis Report
fiFdIrd.txt.js

Overview

General Information

Sample name: fiFdIrd.txt.js
Analysis ID: 1579698
MD5: 9bb1cbab607d6bc9edbe8e5d75d59ae0
SHA1: dcd0318b6a56752ae232a37d8bde6229a99216af
SHA256: 73dcf2097bda1ebce1dc29509a0d1c0ecef0168b8aa56fecb5a19c93ba543436
Tags: js, user-lontze7

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Cscript/Wscript Uncommon Script Extension Execution
Sigma detected: WScript or CScript Dropper
Uses an obfuscated file name to hide its real file extension (double extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 5560 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\fiFdIrd.txt.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\fiFdIrd.txt.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\fiFdIrd.txt.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\fiFdIrd.txt.js", ProcessId: 5560, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\fiFdIrd.txt.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\fiFdIrd.txt.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\fiFdIrd.txt.js", ProcessId: 5560, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\fiFdIrd.txt.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\fiFdIrd.txt.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\fiFdIrd.txt.js", ProcessId: 5560, ProcessName: wscript.exe
No Suricata rule has matched


AV Detection

Source: fiFdIrd.txt.js; ReversingLabs: Detection: 18%
Source: fiFdIrd.txt.js; Virustotal: Detection: 29%
Source: classification engine; Classification label: mal60.evad.winJS@1/0@0/0
Source: C:\Windows\System32\wscript.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe; Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: txt.js; Static PE information: fiFdIrd.txt.js
Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

A number in front of a technique is the count of signatures that matched it in this analysis; entries without a number are the matrix's placeholder techniques and did not match.

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | 1 Scripting | Valid Accounts | Windows Management Instrumentation | 1 Scripting | 1 DLL Side-Loading | 1 Masquerading | OS Credential Dumping | 2 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Source | Detection | Scanner | Label |
| --- | --- | --- | --- |
| fiFdIrd.txt.js | 18% | ReversingLabs | Win32.Trojan.Generic |
| fiFdIrd.txt.js | 30% | Virustotal | |
No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| --- | --- | --- | --- | --- | --- |
| bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high |
| s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high |

Note that 13.107.246.63 is on the cookbook's whitelisted-IP list and the behaviour signatures above report no DNS query activity for any process, so these resolutions are consistent with analysis-system background traffic rather than activity by the sample.

No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579698
Start date and time: 2024-12-23 07:50:34 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Without Instrumentation
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: fiFdIrd.txt.js
Detection: MAL
Classification: mal60.evad.winJS@1/0@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .js
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, slscr.update.microsoft.com, otelrules.afd.azureedge.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
No simulations
No context

| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| bg.microsoft.map.fastly.net | 5XXofntDiN.exe | malicious | LummaC | 199.232.210.172 |
| bg.microsoft.map.fastly.net | p3a0oZ4U7X.exe | malicious | Unknown | 199.232.214.172 |
| bg.microsoft.map.fastly.net | lKin1m7Pf2.lnk | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | fKdiT1D1dk.exe | malicious | RHADAMANTHYS | 199.232.214.172 |
| bg.microsoft.map.fastly.net | #U5b89#U88c5#U52a9#U624b_1.0.8.exe | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | Support.Client.exe | malicious | ScreenConnect Tool | 199.232.214.172 |
| bg.microsoft.map.fastly.net | #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | Rechnung736258.pdf.lnk | malicious | LummaC | 199.232.214.172 |
| bg.microsoft.map.fastly.net | Company Information.pdf.lnk | malicious | Unknown | 199.232.210.172 |
| bg.microsoft.map.fastly.net | Navan - Itinerary.pdf.scr.exe | malicious | LummaC | 199.232.210.172 |
| s-part-0035.t-0009.t-msedge.net | mPQW1NB2Px.exe | malicious | Clipboard Hijacker, Cryptbot | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | uw7vXaPNPF.exe | malicious | Unknown | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | HOEcO4nqCT.exe | malicious | Unknown | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | D7M4c24p9T.exe | malicious | Unknown | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | fW6RLQpTIt.exe | malicious | Cryptbot | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | gjEtERlBSv.exe | malicious | Socks5Systemz | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | clip64.dll | malicious | Amadey | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | https://staging.effimate.toyo.ai-powered-services.com/ | malicious | Unknown | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=Ne7lLAcjQUaMUQJ9C8JRxUnNOxFiqmxEvtl5lDv69HJUMDcyQThVMFBaMzdYWTM3RDY1SVZJUUVaSC4u | malicious | Unknown | 13.107.246.63 |
| s-part-0035.t-0009.t-msedge.net | https://gADK.quantumdhub.ru/HX8hiLPadaz1N7WrltpPjHg34q_2C98ig/ | malicious | Unknown | 13.107.246.63 |

No context
No created / dropped files found
File type: ASCII text, with very long lines (6176), with no line terminators
Entropy (8bit): 4.000738677908642
TrID:
File name: fiFdIrd.txt.js
File size: 6'176 bytes
MD5: 9bb1cbab607d6bc9edbe8e5d75d59ae0
SHA1: dcd0318b6a56752ae232a37d8bde6229a99216af
SHA256: 73dcf2097bda1ebce1dc29509a0d1c0ecef0168b8aa56fecb5a19c93ba543436
SHA512: dbfc95f2b8bbd8eafede77370c342c8cd6e562d7709a830ac16f873a980429cea93cb5a80c9a4c662bb750530ff9154c4d5f82d7f4e63724191116f349b92c3b
SSDEEP: 96:YniHRdPqB/d64r05DhjDEP1098Xh3eDnERRB+6vaiFwmgNAr/M4:YiOJd6T+3Xh3uEHCQM4
TLSH: A6D183F3548A6C9F963A0DA4E50863554DAC5E0B96EC807B6F889BB508EE0144CEA47E
File Content Preview: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Icon Hash: 68d69b8bb6aa9a86
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Dec 23, 2024 07:51:43.517946005 CET | 1.1.1.1 | 192.168.2.5 | 0x5bd7 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false |
| Dec 23, 2024 07:51:43.517946005 CET | 1.1.1.1 | 192.168.2.5 | 0x5bd7 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:51:43.932723999 CET | 1.1.1.1 | 192.168.2.5 | 0xe366 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false |
| Dec 23, 2024 07:51:43.932723999 CET | 1.1.1.1 | 192.168.2.5 | 0xe366 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false |


Target ID: 0
Start time: 01:51:26
Start date: 23/12/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\fiFdIrd.txt.js"
Imagebase: 0x7ff6ea550000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

No disassembly