Windows Analysis Report
license.js

Overview

General Information

Sample name: license.js
Analysis ID: 1665818
MD5: d6c142afbb5a25e452e0f902d3b43a3b
SHA1: e310a551f718339f79d8b0a74119358d2f6ef51e
SHA256: 5230c4ebf4f03787e6f4b78233ea6a1ccd5bdede1fbd23ba7e21339c01b0d0e7
Tags: js, vjw0rm, user-smica83

Detection

VjW0rm
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
JScript performs obfuscated calls to suspicious functions
Sigma detected: Drops script at startup location
Yara detected VjW0rm
C2 URLs / IPs found in malware configuration
Drops script or batch files to the startup folder
Joe Sandbox ML detected suspicious sample
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware
JavaScript / VBScript file with very long strings (likely obfuscated code)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Vjw0rm
Description: VJW0rm (aka Vengeance Justice Worm) is a publicly available, modular JavaScript RAT. Vjw0rm was first released in November 2016 by its primary author, v_B01 (aka Sliemerez), within the prominent DevPoint Arabic-language malware development community. VJW0rm appears to be the JavaScript variant of a series of RATs with identical functionality released by the author throughout late 2016. Other variants include a Visual Basic Script (VBS) based worm titled vw0rm (Vengeance Worm), an AutoHotkey-based tool called vrw0rm (Vengeance Rise Worm), and a PowerShell-based variant called vdw0rm (Vengeance Depth Worm).
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm

AV Detection

Source: amsi32_8080.amsi.csv Malware Configuration Extractor: VjW0rm {"C2 url": "http://sbhfth.mywire.org:79/Vre"}
Source: Submitted Sample Neural Call Log Analysis: 95.8%
Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior

Networking

Source: Malware configuration extractor URLs: http://sbhfth.mywire.org:79/Vre
Source: global traffic TCP traffic: 192.168.2.4:49717 -> 46.196.24.72:79
Source: Joe Sandbox View ASN Name: TURKSAT-ASTR TURKSAT-ASTR
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: sbhfth.mywire.org
Source: cscript.exe, 00000002.00000002.2483893657.0000000005082000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2484407905.00000000057D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org/
Source: cscript.exe, 0000000B.00000002.2484407905.00000000057D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org/nes
Source: cscript.exe, 0000000B.00000002.2482660302.000000000563F000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2484407905.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487494276.00000000066BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org:79/
Source: cscript.exe, 00000002.00000002.2487726350.00000000062B4000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000002.00000002.2483893657.0000000005012000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000002.00000002.2487038170.0000000005F66000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2484173340.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487727961.0000000006A40000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2489402859.0000000007493000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2484407905.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487494276.00000000066BE000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2477266822.0000000003108000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487268076.0000000006630000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2483626347.0000000005681000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org:79/Vre
Source: cscript.exe, 0000000B.00000002.2487727961.0000000006A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org:79/Vre1
Source: cscript.exe, 00000002.00000002.2483893657.0000000005082000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org:79/Vre2-AD358843EC24i
Source: cscript.exe, 0000000B.00000002.2484407905.00000000057D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org:79/Vre476756634-1002x
Source: cscript.exe, 0000000B.00000002.2487727961.0000000006A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org:79/VreB
Source: cscript.exe, 0000000B.00000002.2487494276.00000000066BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org:79/VreC
Source: cscript.exe, 0000000B.00000002.2487727961.0000000006A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org:79/VreI
Source: cscript.exe, 0000000B.00000002.2487494276.00000000066BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org:79/VreP
Source: cscript.exe, 0000000B.00000002.2487494276.00000000066BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org:79/VreYn
Source: cscript.exe, 0000000B.00000002.2487727961.0000000006A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org:79/Vref
Source: cscript.exe, 00000002.00000002.2487038170.0000000005F66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sbhfth.mywire.org:79/Vrey$
Source: cscript.exe, 00000002.00000002.2487726350.00000000062B4000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487727961.0000000006A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
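The memory strings above contain the configured C2 URL with one or two bytes of neighbouring memory glued on ("/VreB", "/Vrey$"); treating each as a separate endpoint inflates a blocklist without adding coverage. The following Python is an added example, not part of the Joe Sandbox report, that reduces the Networking section's strings to endpoints keyed by host and port. Its input is copied from the lines above; the rule that a string equal to the configured URL plus at most two trailing characters is the same indicator is the example's own heuristic, not something the sandbox does, and the two longer "/Vre..." paths are kept apart for analyst review rather than guessed at.

```python
"""Reduce sandbox memory-string URLs to C2 endpoints.

Added example built on the report's Networking section. The tail-collapse
rule (is_tail_variant) is an assumption made here, not sandbox logic.
"""
from urllib.parse import urlsplit

# URL from the report's malware configuration extractor.
CONFIG_C2 = "http://sbhfth.mywire.org:79/Vre"

# Constructed input: the "String found in binary or memory" values listed in
# the Networking section, copied verbatim.
MEMORY_STRINGS = [
    "http://sbhfth.mywire.org/",
    "http://sbhfth.mywire.org/nes",
    "http://sbhfth.mywire.org:79/",
    "http://sbhfth.mywire.org:79/Vre",
    "http://sbhfth.mywire.org:79/Vre1",
    "http://sbhfth.mywire.org:79/Vre2-AD358843EC24i",
    "http://sbhfth.mywire.org:79/Vre476756634-1002x",
    "http://sbhfth.mywire.org:79/VreB",
    "http://sbhfth.mywire.org:79/VreC",
    "http://sbhfth.mywire.org:79/VreI",
    "http://sbhfth.mywire.org:79/VreP",
    "http://sbhfth.mywire.org:79/VreYn",
    "http://sbhfth.mywire.org:79/Vref",
    "http://sbhfth.mywire.org:79/Vrey$",
    "https://login.live.com",
]

# Port a scheme implies when the URL carries none.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse(url):
    """Return (scheme, host, port, path), filling in the scheme's default port."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    return u.scheme, u.hostname, port, (u.path or "/")


def is_tail_variant(url, base, max_extra=2):
    """True when url is base followed by at most max_extra characters.

    Assumption: strings carved from process memory are not NUL-terminated on
    the URL boundary, so the C2 URL shows up with a byte or two of adjacent
    data appended. Such strings are the same indicator, not new endpoints.
    """
    return url.startswith(base) and len(url) - len(base) <= max_extra


def aggregate(strings, config_c2):
    """Group observed paths by (host, port); tail variants of the configured
    C2 collapse onto its path. Longer unexplained paths are kept as-is."""
    config_path = parse(config_c2)[3]
    seen = {}
    for s in strings:
        _, host, port, path = parse(s)
        if host is None:
            continue
        if is_tail_variant(s, config_c2):
            path = config_path
        seen.setdefault((host, port), set()).add(path)
    return seen


def triage(strings, config_c2):
    """Split endpoints into those on the configured C2 host and those that
    are not corroborated by the extracted configuration, and list endpoints
    on ports that are not the scheme defaults (here, TCP/79)."""
    _, c2_host, _, _ = parse(config_c2)
    out = {"configured": {}, "uncorroborated": {}, "nonstandard_ports": []}
    for (host, port), paths in aggregate(strings, config_c2).items():
        bucket = "configured" if host == c2_host else "uncorroborated"
        out[bucket][(host, port)] = sorted(paths)
        if port not in DEFAULT_PORTS.values():
            out["nonstandard_ports"].append((host, port))
    return out


if __name__ == "__main__":
    for bucket, endpoints in triage(MEMORY_STRINGS, CONFIG_C2).items():
        print(bucket, endpoints)
```

The blocking unit that survives this pass is host plus port (sbhfth.mywire.org on TCP/79), which is what the ASN and traffic lines above also point at; the login.live.com string is absent from the extracted configuration and stays in the uncorroborated bucket until other evidence ties it to the sample.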

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: MSScriptControl.ScriptControl HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: license.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal100.troj.expl.evad.winJS@8/4@1/1
Source: C:\Windows\SysWOW64\cscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
Source: C:\Windows\SysWOW64\cscript.exe File created: C:\Users\user\AppData\Local\Temp\license.js Jump to behavior
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\license.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\Desktop\license.js"
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\license.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\AppData\Local\Temp\license.js"
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\Desktop\license.js" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\AppData\Local\Temp\license.js" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.ScriptFullName, "\""); var shell = WScript.CreateObject("WScript.Shell"); shell.Run(cmd, 0, false); WScript.Quit(0);}sc.Language = "VBScript";sc.Timeout = -1;sc.AllowUI = true;sc.AddObject("wscript", WScript, true);sc.AddCode(code);IHost.ScriptFullName();IHost.CreateObject("WScript.Shell");IWshShell3.Run(""%SystemRoot%\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\Desktop\lic", "0", "false")
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.ScriptFullName, "\""); var shell = WScript.CreateObject("WScript.Shell"); shell.Run(cmd, 0, false); WScript.Quit(0);}sc.Language = "VBScript";sc.Timeout = -1;sc.AllowUI = true;sc.AddObject("wscript", WScript, true);sc.AddCode(code);IHost.ScriptFullName();IHost.CreateObject("WScript.Shell");IWshShell3.Run(""%SystemRoot%\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\AppData\Loc", "0", "false")
Source: C:\Windows\SysWOW64\cscript.exe Code function: 2_2_0562EB6A push esp; retf 2_2_0562EB85
Source: C:\Windows\SysWOW64\cscript.exe Code function: 2_2_0562EC4C push eax; retf 2_2_0562EC4D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 2_2_0562EB50 push esp; retf 2_2_0562EB51
Source: C:\Windows\SysWOW64\cscript.exe Code function: 2_2_0562E5B5 push esp; retf 2_2_0562EB1D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 11_2_07E0FACC pushad ; retf 11_2_07E0FBA1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 11_2_07E0FB35 pushad ; retf 11_2_07E0FBA1

Boot Survival

Source: C:\Windows\SysWOW64\cscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js Jump to dropped file
Source: C:\Windows\SysWOW64\cscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 11840STYL3 Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 11840STYL3 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
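The process-creation chain in System Summary (wscript.exe relaunching the script under SysWOW64\cscript.exe /e:jscript from Desktop and Temp) and the persistence recorded in this section (a script dropped into the Startup folder plus an HKCU Run value) are exactly what the listed Sigma detections key on. The following Python is an added example, neither the sandbox's nor the Sigma project's rules, that models those checks over Sysmon-style events (EID 1 process creation, EID 11 file create, EID 13 registry value set) constructed from the report's paths and command lines. The parent of the first wscript.exe, the user SID and the data of the 11840STYL3 Run value are not shown in the report and are assumptions here.

```python
"""Detection checks modelled on the report's Sigma hits.

Added example, not sandbox or Sigma code. Events are constructed from the
System Summary and Boot Survival sections; see comments for assumptions.
"""
import re

SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|wsh|hta)\b", re.I)
# Folders an unprivileged user can write to; a script started from, dropped
# into, or pointed at from an autorun key in one of these is suspicious.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\Local\\Temp|AppData\\Roaming)\\"
    r"|\\Windows\\Temp\\|\\ProgramData\\|\\Public\\", re.I)
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def _is_script_host(image):
    return image.lower().endswith(SCRIPT_HOSTS)


def script_from_user_writable_folder(ev):
    """Script host launched with a script that lives in a user-writable folder."""
    return (ev["EventID"] == 1 and _is_script_host(ev["Image"])
            and SCRIPT_EXT.search(ev["CommandLine"]) is not None
            and USER_WRITABLE.search(ev["CommandLine"]) is not None)


def wsh_relaunch_with_engine_switch(ev):
    """A script host spawning another script host with an explicit /e: engine
    switch, the self-relaunch the report shows (64-bit wscript -> SysWOW64 cscript)."""
    return (ev["EventID"] == 1 and _is_script_host(ev["ParentImage"])
            and _is_script_host(ev["Image"])
            and re.search(r"(^|\s)/e:", ev["CommandLine"], re.I) is not None)


def startup_folder_script_write(ev):
    """Script interpreter writing a script file into a Startup folder."""
    return (ev["EventID"] == 11 and _is_script_host(ev["Image"])
            and STARTUP_FOLDER.search(ev["TargetFilename"]) is not None
            and SCRIPT_EXT.search(ev["TargetFilename"]) is not None)


def run_key_to_user_writable_folder(ev):
    """Run/RunOnce value set by a script interpreter whose data points into a
    user-writable folder."""
    return (ev["EventID"] == 13 and _is_script_host(ev["Image"])
            and RUN_KEY.search(ev["TargetObject"]) is not None
            and USER_WRITABLE.search(ev["Details"]) is not None)


RULES = {fn.__name__: fn for fn in (
    script_from_user_writable_folder, wsh_relaunch_with_engine_switch,
    startup_folder_script_write, run_key_to_user_writable_folder)}


def evaluate(events):
    """Return {event_index: [matching rule names]} for events that matched."""
    hits = {}
    for i, ev in enumerate(events):
        matched = [name for name, fn in RULES.items() if fn(ev)]
        if matched:
            hits[i] = matched
    return hits


# Constructed events. Paths and command lines are the report's; the
# explorer.exe parent, the SID and the Run value data are assumptions.
EVENTS = [
    {"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": 'C:\\Windows\\System32\\WScript.exe "C:\\Users\\user\\Desktop\\license.js"'},
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "Image": "C:\\Windows\\SysWOW64\\cscript.exe",
     "CommandLine": '"C:\\Windows\\SysWOW64\\cscript.exe" /e:jscript "C:\\Users\\user\\Desktop\\license.js"'},
    {"EventID": 11, "Image": "C:\\Windows\\SysWOW64\\cscript.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\license.js"},
    {"EventID": 13, "Image": "C:\\Windows\\SysWOW64\\cscript.exe",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\11840STYL3",
     "Details": "C:\\Users\\user\\AppData\\Local\\Temp\\license.js"},
    # Benign controls that must not fire: a System32 admin script and a
    # vendor Run value pointing into Program Files.
    {"EventID": 1, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\cscript.exe",
     "CommandLine": "cscript //nologo C:\\Windows\\System32\\slmgr.vbs /dlv"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": '"C:\\Program Files\\Vendor\\agent.exe"'},
]

if __name__ == "__main__":
    for idx, names in evaluate(EVENTS).items():
        print(idx, names)
```

The relaunch rule is worth keeping separate from the generic "script from a user folder" rule: the COM query in System Summary shows MSScriptControl.ScriptControl being looked up under WOW6432Node, and that control is only registered for 32-bit processes, so a script started by the 64-bit wscript.exe has to re-execute itself under the 32-bit host to use it. A wscript-to-cscript hop with /e:jscript on a file outside Program Files or System32 is therefore a strong, low-volume signal on its own.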

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\cscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: wscript.exe, 00000000.00000003.1230126354.000002129073C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: cscript.exe, 00000002.00000002.2487726350.00000000062A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0m*
Source: cscript.exe, 00000002.00000002.2487726350.00000000062C9000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000002.00000002.2487726350.00000000062A0000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487727961.0000000006A5B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487727961.0000000006A30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\Desktop\license.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\AppData\Local\Temp\license.js"
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: cscript.exe, 00000002.00000002.2486908588.0000000005EA0000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000002.00000002.2477471425.0000000002B28000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000002.00000002.2487726350.00000000062A0000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487727961.0000000006A5B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487494276.00000000066BE000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2477266822.0000000003108000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct (9 queries)
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct (9 queries)
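The evasion block above is a list of raw behaviour events; what a detection engineer wants from it is a deduplicated count per WMI class plus a verdict on which events are the telling ones. The following Python script is an added example, not part of the Joe Sandbox report and not code from the VjW0rm sample. It parses report-style "Source: <process> <event>" lines, collapses repeated identical WMI queries into counts, and flags the evasion-related events seen in this report: AntiVirusProduct enumeration in root\securitycenter and root\securitycenter2, Win32_LogicalDisk enumeration (commonly used to compare disk size against sandbox defaults), a script host launched on a file under %TEMP%, the MachineGuid read, and the WSH-Timer window that the script host creates for script-level timed waits. The sample lines, the rule identifiers and the function names are constructed for this example and are not from the report.

```python
import re
from collections import Counter

# Constructed sample lines in the report's "Source: <process> <event>" shape.
# They mirror the event categories in this report; they are not copied from it.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk",
    r"Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk",
    r"Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct",
    r"Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process",
    r'Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\AppData\Local\Temp\license.js"',
    r'Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\Desktop\license.js"',
    r"Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer",
]

WMI_RE = re.compile(r"^Source: (?P<proc>\S+) WMI Queries: IWbemServices::(?P<method>\w+) - (?P<ns>\S+) : (?P<cls>\S+)$")
PROC_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
REG_RE = re.compile(r"^Source: (?P<proc>\S+) Key value queried: (?P<key>.+?) (?P<value>\S+)$")

# WMI classes worth flagging when a script host enumerates them (rule ids are
# constructed for this example). Keys are lower-cased (namespace, class).
WMI_INDICATORS = {
    (r"root\securitycenter", "antivirusproduct"): "wmi_av_enum",
    (r"root\securitycenter2", "antivirusproduct"): "wmi_av_enum",
    (r"root\cimv2", "win32_logicaldisk"): "wmi_logicaldisk",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"


def analyse(lines):
    """Return (wmi_counts, hits, findings).

    wmi_counts: Counter of (namespace, class) so repeated identical queries
                collapse into one entry with a count.
    hits:       Counter of rule id -> number of matching lines.
    findings:   list of (rule id, detail) in input order.
    """
    wmi_counts, hits, findings = Counter(), Counter(), []

    def hit(rule, detail):
        hits[rule] += 1
        findings.append((rule, detail))

    for line in lines:
        line = line.strip()
        m = WMI_RE.match(line)
        if m:
            key = (m["ns"].lower(), m["cls"].lower())
            wmi_counts[key] += 1
            rule = WMI_INDICATORS.get(key)
            if rule:
                hit(rule, f"{m['proc']} enumerated {m['ns']}:{m['cls']}")
            continue
        m = PROC_RE.match(line)
        if m:
            image = m["image"].rsplit("\\", 1)[-1].lower()
            # Script host started on a file under %TEMP%: the dropped copy, not the
            # original on the Desktop, is what runs at the second stage.
            if image in SCRIPT_HOSTS and TEMP_MARKER in m["cmdline"].lower():
                hit("script_from_temp", f"{m['parent']} ran {image} on a script in %TEMP%: {m['cmdline']}")
            continue
        m = REG_RE.match(line)
        if m and m["value"].lower() == "machineguid":
            # MachineGuid is a stable per-host identifier, a common victim-ID source.
            hit("reg_machineguid", f"{m['proc']} read {m['key']}\\{m['value']}")
            continue
        if "window name: WSH-Timer" in line:
            hit("wsh_timer", f"{line.split(' ', 2)[1]} created a WSH-Timer window (script-level timed wait)")
    return wmi_counts, hits, findings


def report(lines):
    """Render the deduplicated WMI table and the rule hits as text."""
    wmi_counts, _, findings = analyse(lines)
    out = ["WMI class enumeration (deduplicated):"]
    for (ns, cls), n in sorted(wmi_counts.items()):
        out.append(f"  {n:3d}x {ns} : {cls}")
    out.append("Findings:")
    out.extend(f"  [{rule}] {detail}" for rule, detail in findings)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LINES))
```

Each of these events also occurs in legitimate software (inventory agents enumerate AntiVirusProduct and Win32_LogicalDisk, installers read MachineGuid), so the rules are meant to be scored together: a script host from %TEMP% that enumerates AV products, checks disk size and sleeps on a WSH timer is the combination worth alerting on, not any single hit.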

Stealing of Sensitive Information

Source: Yara match File source: amsi32_8080.amsi.csv, type: OTHER
Source: Yara match File source: amsi32_8100.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: cscript.exe PID: 8080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cscript.exe PID: 8100, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: amsi32_8080.amsi.csv, type: OTHER
Source: Yara match File source: amsi32_8100.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: cscript.exe PID: 8080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cscript.exe PID: 8100, type: MEMORYSTR