Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
30136156071477318040.js

Overview

General Information

Sample name:30136156071477318040.js
Analysis ID:1579811
MD5:4391c21844a3510fb5f81353c978f8cb
SHA1:40adc05af71dfb667dc0b4c3fd40ea82dcbf2397
SHA256:4d6b228af8d822301c22863aa504a871aa99b7b1d71745bb99ec3acbb3f03b65
Tags:jsuser-kupschke
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

JScript performs obfuscated calls to suspicious functions
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 7088 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\30136156071477318040.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
No yara matches

System Summary

barindex
Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\30136156071477318040.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\30136156071477318040.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\30136156071477318040.js", ProcessId: 7088, ProcessName: wscript.exe
Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\30136156071477318040.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\30136156071477318040.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\30136156071477318040.js", ProcessId: 7088, ProcessName: wscript.exe
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

System Summary

barindex
Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
Source: 30136156071477318040.jsInitial sample: Strings found which are bigger than 50
Source: classification engineClassification label: mal56.evad.winJS@1/0@0/0
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior

Data Obfuscation

barindex
Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell");IWshShell3.RegRead("HKEY_CURRENT_USER\Control Panel\International\Locale");
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information12
Scripting
Valid AccountsWindows Management Instrumentation12
Scripting
1
DLL Side-Loading
1
DLL Side-Loading
OS Credential Dumping2
System Information Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading
Boot or Logon Initialization Scripts1
Obfuscated Files or Information
LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
NameIPActiveMaliciousAntivirus DetectionReputation
fp2e7a.wpc.phicdn.net
192.229.221.95
truefalse
    high
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1579811
    Start date and time:2024-12-23 09:27:09 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 1m 53s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:2
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:30136156071477318040.js
    Detection:MAL
    Classification:mal56.evad.winJS@1/0@0/0
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .js
    • Stop behavior analysis, all processes terminated
    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded IPs from analysis (whitelisted): 20.190.147.8, 13.107.246.63
    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, login.live.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com
    • VT rate limit hit for: 30136156071477318040.js
    No simulations
    No context
    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
    fp2e7a.wpc.phicdn.netBJQizQ6sqT.exeGet hashmaliciousLummaCBrowse
    • 192.229.221.95
    6vNMeuQvlu.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
    • 192.229.221.95
    2ZsJ2iP8Q2.exeGet hashmaliciousLummaCBrowse
    • 192.229.221.95
    BVGvbpplT8.exeGet hashmaliciousLummaC, StealcBrowse
    • 192.229.221.95
    mgEXk8ip26.exeGet hashmaliciousLummaCBrowse
    • 192.229.221.95
    r4xiHKy8aM.exeGet hashmaliciousSocks5SystemzBrowse
    • 192.229.221.95
    dnf5RWZv2v.exeGet hashmaliciousUnknownBrowse
    • 192.229.221.95
    crhRJnVd08.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
    • 192.229.221.95
    xWnpPJbKGK.exeGet hashmaliciousCryptbotBrowse
    • 192.229.221.95
    skIYOAOzvU.exeGet hashmaliciousLummaCBrowse
    • 192.229.221.95
    No context
    No context
    No context
    No created / dropped files found
    File type:ASCII text, with very long lines (55155), with no line terminators
    Entropy (8bit):4.932217996562063
    TrID:
      File name:30136156071477318040.js
      File size:55'155 bytes
      MD5:4391c21844a3510fb5f81353c978f8cb
      SHA1:40adc05af71dfb667dc0b4c3fd40ea82dcbf2397
      SHA256:4d6b228af8d822301c22863aa504a871aa99b7b1d71745bb99ec3acbb3f03b65
      SHA512:f557e884a93ae05c43bdfc50a2d686e22ea4063b92e80ba8e15a56c6dde6699e345d547e40a54c37d7ac102ec14a8878f0b1716af5c04ebd04cc7137d471f0b3
      SSDEEP:1536:7YufknwjKDeY5mMblwLJiFQ5fFZGOCj+WdfzFj70/d5hIM0sh:7YufknwjKDeY5mMblwLJiFQxSrjo/th
      TLSH:6C4320C8A169837F51DDD86C9A4A70972248E0ED01BDC772A9FA2C0B5449D6D13FCBBC
      File Content Preview:function onvw(){this[smnj+wsi+ltu+lhe](wsi+ltu+qtzc+ehvq+ged+wsi+qtzc+uov+sqf+tac+lbr+mfb+vroo+yfo+uov+ged+fbco+ndsl+uov+sfi+cab+ndsl+fbco+ged+bgc+ndsl+awxr+tac+jpt+bgc+ndsl+rfg+sfi+fbco+ndsl+vroo+qtzc+ypn+bra+ndsl+tac+ltu+bgc+yyho+yfo+fbco+lby+uov+cab+nd
      Icon Hash:68d69b8bb6aa9a86
      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
      Dec 23, 2024 09:27:57.199148893 CET1.1.1.1192.168.2.60xbd7dNo error (0)fp2e7a.wpc.2be4.phicdn.netfp2e7a.wpc.phicdn.netCNAME (Canonical name)IN (0x0001)false
      Dec 23, 2024 09:27:57.199148893 CET1.1.1.1192.168.2.60xbd7dNo error (0)fp2e7a.wpc.phicdn.net192.229.221.95A (IP address)IN (0x0001)false

      Click to jump to process

      Click to jump to process

      Click to dive into process behavior distribution

      Target ID:0
      Start time:03:28:00
      Start date:23/12/2024
      Path:C:\Windows\System32\wscript.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\30136156071477318040.js"
      Imagebase:0x7ff75c830000
      File size:170'496 bytes
      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
      Has elevated privileges:false
      Has administrator privileges:false
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      No disassembly