Edit tour

Windows Analysis Report
license.js

Overview

General Information

Sample name:	license.js
Analysis ID:	1665818
MD5:	d6c142afbb5a25e452e0f902d3b43a3b
SHA1:	e310a551f718339f79d8b0a74119358d2f6ef51e
SHA256:	5230c4ebf4f03787e6f4b78233ea6a1ccd5bdede1fbd23ba7e21339c01b0d0e7
Tags:	jsvjw0rmuser-smica83
Infos:

Detection

VjW0rm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

JScript performs obfuscated calls to suspicious functions

Sigma detected: Drops script at startup location

Yara detected VjW0rm

C2 URLs / IPs found in malware configuration

Drops script or batch files to the startup folder

Joe Sandbox ML detected suspicious sample

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Sigma detected: WScript or CScript Dropper - File

Windows Scripting host queries suspicious COM object (likely to drop second stage)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Found WSH timer for Javascript or VBS script (likely evasive script)

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Script Initiated Connection

Sigma detected: Startup Folder File Write

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7860 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\license.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cscript.exe (PID: 8080 cmdline: "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\Desktop\license.js" MD5: CB601B41D4C8074BE8A84AED564A94DC)

conhost.exe (PID: 8088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

wscript.exe (PID: 7644 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\license.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cscript.exe (PID: 8100 cmdline: "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\AppData\Local\Temp\license.js" MD5: CB601B41D4C8074BE8A84AED564A94DC)

conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vjw0rm	VJW0rm (aka Vengeance Justice Worm) is a publicly available, modular JavaScript RAT. Vjw0rm was first released in November 2016 by its primary author, v_B01 (aka Sliemerez), within the prominent DevPoint Arabic-language malware development community. VJW0rm appears to be the JavaScript variant of a series of RATs with identical functionality released by the author throughout late 2016. Other variants include a Visual Basic Script (VBS) based worm titled vw0rm (Vengeance Worm), an AutoHotkey-based tool called vrw0rm (Vengeance Rise Worm), and a PowerShell-based variant called vdw0rm (Vengeance Depth Worm).	No Attribution	https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics https://bazaar.abuse.ch/browse/signature/Vjw0rm/ https://community.riskiq.com/article/24759ad2 https://info.spamhaus.com/hubfs/Botnet%20Reports/2022%20Q3%20Botnet%20Threat%20Update.pdf https://lifars.com/wp-content/uploads/2021/09/Vjw0rm-.pdf	https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm

Malware Configuration

Threatname: VjW0rm

{"C2 url": "http://sbhfth.mywire.org:79/Vre"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: cscript.exe PID: 8080	JoeSecurity_VjW0rm	Yara detected VjW0rm	Joe Security
Process Memory Space: cscript.exe PID: 8100	JoeSecurity_VjW0rm	Yara detected VjW0rm	Joe Security

Other

Source	Rule	Description	Author	Strings
amsi32_8080.amsi.csv	JoeSecurity_VjW0rm	Yara detected VjW0rm	Joe Security
amsi32_8100.amsi.csv	JoeSecurity_VjW0rm	Yara detected VjW0rm	Joe Security

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: "C:\Users\user\AppData\Local\Temp\license.js", EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\cscript.exe, ProcessId: 8080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11840STYL3

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 46.196.24.72, DestinationIsIpv6: false, DestinationPort: 79, EventID: 3, Image: C:\Windows\SysWOW64\cscript.exe, Initiated: true, ProcessId: 8080, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49717

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\license.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\license.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\license.js" , ProcessId: 7644, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\license.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\license.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\license.js" , ProcessId: 7644, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\license.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\license.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\license.js", ProcessId: 7860, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper - File

Source: File created

Author: Tim Shelton: Data: EventID: 11, Image: C:\Windows\SysWOW64\cscript.exe, ProcessId: 8080, TargetFilename: C:\Users\user\AppData\Local\Temp\license.js

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\Temp\license.js", EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\cscript.exe, ProcessId: 8080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11840STYL3

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 46.196.24.72, DestinationIsIpv6: false, DestinationPort: 79, EventID: 3, Image: C:\Windows\SysWOW64\cscript.exe, Initiated: true, ProcessId: 8080, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49717

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\cscript.exe, ProcessId: 8080, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\license.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\license.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\license.js", ProcessId: 7860, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cscript.exe, ProcessId: 8080, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: amsi32_8080.amsi.csv

Malware Configuration Extractor: VjW0rm {"C2 url": "http://sbhfth.mywire.org:79/Vre"}

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 95.8%

Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://sbhfth.mywire.org:79/Vre

Source: global traffic

TCP traffic: 192.168.2.4:49717 -> 46.196.24.72:79

Source: Joe Sandbox View

ASN Name: TURKSAT-ASTR TURKSAT-ASTR

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: sbhfth.mywire.org

Source: cscript.exe, 00000002.00000002.2483893657.0000000005082000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2484407905.00000000057D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org/
Source: cscript.exe, 0000000B.00000002.2484407905.00000000057D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org/nes
Source: cscript.exe, 0000000B.00000002.2482660302.000000000563F000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2484407905.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487494276.00000000066BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org:79/
Source: cscript.exe, 00000002.00000002.2487726350.00000000062B4000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000002.00000002.2483893657.0000000005012000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000002.00000002.2487038170.0000000005F66000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2484173340.00000000056E3000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487727961.0000000006A40000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2489402859.0000000007493000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2484407905.00000000057C4000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487494276.00000000066BE000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2477266822.0000000003108000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487268076.0000000006630000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2483626347.0000000005681000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org:79/Vre
Source: cscript.exe, 0000000B.00000002.2487727961.0000000006A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org:79/Vre1
Source: cscript.exe, 00000002.00000002.2483893657.0000000005082000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org:79/Vre2-AD358843EC24i
Source: cscript.exe, 0000000B.00000002.2484407905.00000000057D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org:79/Vre476756634-1002x
Source: cscript.exe, 0000000B.00000002.2487727961.0000000006A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org:79/VreB
Source: cscript.exe, 0000000B.00000002.2487494276.00000000066BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org:79/VreC
Source: cscript.exe, 0000000B.00000002.2487727961.0000000006A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org:79/VreI
Source: cscript.exe, 0000000B.00000002.2487494276.00000000066BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org:79/VreP
Source: cscript.exe, 0000000B.00000002.2487494276.00000000066BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org:79/VreYn
Source: cscript.exe, 0000000B.00000002.2487727961.0000000006A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org:79/Vref
Source: cscript.exe, 00000002.00000002.2487038170.0000000005F66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sbhfth.mywire.org:79/Vrey$
Source: cscript.exe, 00000002.00000002.2487726350.00000000062B4000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487727961.0000000006A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: MSScriptControl.ScriptControl HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}			Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}			Jump to behavior

Source: license.js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal100.troj.expl.evad.winJS@8/4@1/1

Source: C:\Windows\SysWOW64\cscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03

Source: C:\Windows\SysWOW64\cscript.exe

File created: C:\Users\user\AppData\Local\Temp\license.js

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\license.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\Desktop\license.js"
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\license.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\AppData\Local\Temp\license.js"
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\Desktop\license.js"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\AppData\Local\Temp\license.js"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: winrnr.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: WScript.ScriptFullName, "\""); var shell = WScript.CreateObject("WScript.Shell"); shell.Run(cmd, 0, false); WScript.Quit(0);}sc.Language = "VBScript";sc.Timeout = -1;sc.AllowUI = true;sc.AddObject("wscript", WScript, true);sc.AddCode(code);IHost.ScriptFullName();IHost.CreateObject("WScript.Shell");IWshShell3.Run(""%SystemRoot%\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\Desktop\lic", "0", "false")
Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: WScript.ScriptFullName, "\""); var shell = WScript.CreateObject("WScript.Shell"); shell.Run(cmd, 0, false); WScript.Quit(0);}sc.Language = "VBScript";sc.Timeout = -1;sc.AllowUI = true;sc.AddObject("wscript", WScript, true);sc.AddCode(code);IHost.ScriptFullName();IHost.CreateObject("WScript.Shell");IWshShell3.Run(""%SystemRoot%\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\AppData\Loc", "0", "false")

Source: C:\Windows\SysWOW64\cscript.exe	Code function: 2_2_0562EB6A push esp; retf	2_2_0562EB85
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 2_2_0562EC4C push eax; retf	2_2_0562EC4D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 2_2_0562EB50 push esp; retf	2_2_0562EB51
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 2_2_0562E5B5 push esp; retf	2_2_0562EB1D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 11_2_07E0FACC pushad ; retf	11_2_07E0FBA1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 11_2_07E0FB35 pushad ; retf	11_2_07E0FBA1

Boot Survival

Drops script or batch files to the startup folder

Source: C:\Windows\SysWOW64\cscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js

Jump to dropped file

Source: C:\Windows\SysWOW64\cscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js

Jump to behavior

Source: C:\Windows\SysWOW64\cscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\license.js\:Zone.Identifier:$DATA	Jump to behavior

Source: C:\Windows\SysWOW64\cscript.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 11840STYL3			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 11840STYL3			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: wscript.exe, 00000000.00000003.1230126354.000002129073C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
Source: cscript.exe, 00000002.00000002.2487726350.00000000062A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0m*
Source: cscript.exe, 00000002.00000002.2487726350.00000000062C9000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000002.00000002.2487726350.00000000062A0000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487727961.0000000006A5B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487727961.0000000006A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\Desktop\license.js"			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe" /e:jscript "C:\Users\user\AppData\Local\Temp\license.js"			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: cscript.exe, 00000002.00000002.2486908588.0000000005EA0000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000002.00000002.2477471425.0000000002B28000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000002.00000002.2487726350.00000000062A0000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487727961.0000000006A5B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2487494276.00000000066BE000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.2477266822.0000000003108000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected VjW0rm

Source: Yara match	File source: amsi32_8080.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_8100.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: cscript.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cscript.exe PID: 8100, type: MEMORYSTR

Remote Access Functionality

Yara detected VjW0rm

Source: Yara match	File source: amsi32_8080.amsi.csv, type: OTHER
Source: Yara match	File source: amsi32_8100.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: cscript.exe PID: 8080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cscript.exe PID: 8100, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	22 Scripting	Valid Accounts	11 Windows Management Instrumentation	22 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	21 Registry Run Keys / Startup Folder	21 Registry Run Keys / Startup Folder	11 Process Injection	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	2 Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report license.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VjW0rm

Yara Signatures

Memory Dumps

Other

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
license.js