Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
invoke.js

Overview

General Information

Sample name:invoke.js
Analysis ID:1599738
MD5:7548a72b1874434a65f56800962c9731
SHA1:608bfdab000bb01393a746136d9cb75fc60dbf8a
SHA256:f21bd2cea52aa3f8247fee59434cdbf1f2e0e289046ab4b2612ea4ac37daa706
Tags:electluscious-comgitb-orghorsesbarium-comjsuser-JAMESWT_MHT
Infos:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Potential obfuscated javascript found
Sigma detected: WScript or CScript Dropper
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • wscript.exe (PID: 1200 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoke.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoke.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoke.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoke.js", ProcessId: 1200, ProcessName: wscript.exe
Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoke.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoke.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoke.js", ProcessId: 1200, ProcessName: wscript.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results
Source: wscript.exe, 00000000.00000003.2053357246.00000189D48C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2052905007.00000189D48B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://experttrafficcounter.com/stats
Source: wscript.exe, 00000000.00000003.2145467867.00000189D48DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2145614169.00000189D48DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2052905007.00000189D48D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053641134.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2054589728.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2146268151.00000189D48DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053543289.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053449040.00000189D48D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053284786.00000189D48D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053774488.00000189D48DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://experttrafficcounter.com/stats?
Source: wscript.exe, 00000000.00000003.2053357246.00000189D48C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2052905007.00000189D48B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://quickerapparently.com/watch.
Source: wscript.exe, 00000000.00000003.2145467867.00000189D48DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2145614169.00000189D48DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2052905007.00000189D48D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053641134.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2054589728.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2146268151.00000189D48DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053543289.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053449040.00000189D48D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053284786.00000189D48D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053774488.00000189D48DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://quickerapparently.com/watch.)
Source: wscript.exe, 00000000.00000002.2147650534.00000189D2B9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2147210570.00000189D2B9C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supportsentparticle.com/dnn2hkn8?key=
Source: wscript.exe, 00000000.00000003.2145467867.00000189D48DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2145614169.00000189D48DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2052905007.00000189D48D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053641134.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2054589728.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2146268151.00000189D48DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053543289.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053449040.00000189D48D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053284786.00000189D48D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053774488.00000189D48DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supportsentparticle.com/dnn2hkn8?key=e
Source: wscript.exe, 00000000.00000003.2054193499.00000189D4882000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://supportsentparticle.com/dnn2hkn8?key=f(A
Source: invoke.jsInitial sample: Strings found which are bigger than 50
Source: classification engineClassification label: mal48.evad.winJS@1/0@0/0
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior

Data Obfuscation

barindex
Source: invoke.jsInitial file: High amount of function use 72
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information12
Scripting		Valid AccountsWindows Management Instrumentation12
Scripting		1
DLL Side-Loading		1
DLL Side-Loading		OS Credential Dumping2
System Information Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
DLL Side-Loading		Boot or Logon Initialization Scripts1
Obfuscated Files or Information		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1599738 Sample: invoke.js Startdate: 26/01/2025 Architecture: WINDOWS Score: 48 7 Sigma detected: WScript or CScript Dropper 2->7 9 Potential obfuscated javascript found 2->9 5 wscript.exe 1 2->5         started        process3

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
invoke.js0%VirustotalBrowse
invoke.js0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://supportsentparticle.com/dnn2hkn8?key=0%Avira URL Cloudsafe
https://supportsentparticle.com/dnn2hkn8?key=f(A0%Avira URL Cloudsafe
https://supportsentparticle.com/dnn2hkn8?key=e0%Avira URL Cloudsafe
https://quickerapparently.com/watch.)0%Avira URL Cloudsafe
https://quickerapparently.com/watch.0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
https://supportsentparticle.com/dnn2hkn8?key=ewscript.exe, 00000000.00000003.2145467867.00000189D48DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2145614169.00000189D48DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2052905007.00000189D48D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053641134.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2054589728.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2146268151.00000189D48DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053543289.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053449040.00000189D48D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053284786.00000189D48D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053774488.00000189D48DB000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://supportsentparticle.com/dnn2hkn8?key=wscript.exe, 00000000.00000002.2147650534.00000189D2B9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2147210570.00000189D2B9C000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://quickerapparently.com/watch.)wscript.exe, 00000000.00000003.2145467867.00000189D48DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2145614169.00000189D48DA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2052905007.00000189D48D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053641134.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2054589728.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2146268151.00000189D48DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053543289.00000189D48DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053449040.00000189D48D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053284786.00000189D48D3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2053774488.00000189D48DB000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://quickerapparently.com/watch.wscript.exe, 00000000.00000003.2053357246.00000189D48C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2052905007.00000189D48B7000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://supportsentparticle.com/dnn2hkn8?key=f(Awscript.exe, 00000000.00000003.2054193499.00000189D4882000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1599738
Start date and time:2025-01-26 13:35:40 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 4s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Without Instrumentation
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:invoke.js
Detection:MAL
Classification:mal48.evad.winJS@1/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .js
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.44
  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ASCII text, with very long lines (25171), with no line terminators
Entropy (8bit):5.626750016019527
TrID:
    File name:invoke.js
    File size:25'171 bytes
    MD5:7548a72b1874434a65f56800962c9731
    SHA1:608bfdab000bb01393a746136d9cb75fc60dbf8a
    SHA256:f21bd2cea52aa3f8247fee59434cdbf1f2e0e289046ab4b2612ea4ac37daa706
    SHA512:8c5b809dff67e462d41bbc2be06ffdb952e767084e7650b1ccba3f861b7bdcd3b4f79909144be21aa15eba8830874bd9319c281f027d8fefb60f17f6ae11c2f9
    SSDEEP:384:eWrKG5PzM3y+l58fVCXTs5Q19JNueNLNGNDW3XlwMahOA3jhyzQmVOYfvA7Rw:eKK4PzfKe5EDF5aDNunQ+
    TLSH:BBB209C8BF61F0A8038534B7B33F9809F96B4D0D19BCD094D1D7B8A4E966B65E837990
    File Content Preview:function b738jk(n,k){var i=b738jn();return b738jk=function(l,m){l=l-0x1dc;var T=i[l];return T;},b738jk(n,k);}(function(n,k){var nN=b738jk,i=n();while(!![]){try{var l=-parseInt(nN(0x228))/0x1+parseInt(nN(0x207))/0x2*(parseInt(nN(0x24f))/0x3)+-parseInt(nN(0

    File Icon

    Icon Hash:68d69b8bb6aa9a86

    Network Behavior

    No network behavior found

    Statistics

    CPU Usage

    0510s020406080100

    Click to jump to process

    Memory Usage

    0510s0.0051015MB

    Click to jump to process

    High Level Behavior Distribution

    • File
    • Registry

    Click to dive into process behavior distribution

    System Behavior

    General

    Target ID:0
    Start time:07:36:32
    Start date:26/01/2025
    Path:C:\Windows\System32\wscript.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\invoke.js"
    Imagebase:0x7ff68dd10000
    File size:170'496 bytes
    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true
    Show Windows behavior

    File Activities

    Show Windows behavior

    Section Activities

    Show Windows behavior

    Registry Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Thread Activities

    Show Windows behavior

    Memory Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
    Show Windows behavior

    Windows UI Activities

    There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

    Disassembly

    No disassembly