Loading ...

Play interactive tourEdit tour

Analysis Report http://congratulations.take-reward-now.xyz/static/_common/gcc91g1y3wqj.js


General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:201048
Start date:15.01.2020
Start time:01:20:26
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 16s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:http://congratulations.take-reward-now.xyz/static/_common/gcc91g1y3wqj.js
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash
Number of analysed new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
  • EGA enabled
Analysis stop reason:Timeout
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted):,,,,,,,,,,,
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, ie9comview.vo.msecnd.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, go.microsoft.com.edgekey.net, auto.au.download.windowsupdate.com.c.footprint.net, cs9.wpc.v0cdn.net
  • Report size getting too big, too many NtProtectVirtualMemory calls found.


Threshold10 - 100falseclean


StrategyScoreRangeFurther Analysis Required?Confidence
Threshold30 - 5true


Analysis Advice

Initial sample is implementing a service and should be registered / started as service
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsCommand-Line Interface2Winlogon Helper DLLProcess Injection2Masquerading1Credential DumpingProcess Discovery1Remote File Copy1Data from Local SystemData CompressedStandard Non-Application Layer Protocol2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaScripting1Port MonitorsAccessibility FeaturesProcess Injection2Network SniffingFile and Directory Discovery1Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesGraphical User Interface1Accessibility FeaturesPath InterceptionScripting1Input CaptureSystem Information Discovery2Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationRemote File Copy1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseExploitation for Client Execution1System FirmwareDLL Search Order HijackingObfuscated Files or InformationCredentials in FilesSystem Network Configuration DiscoveryLogon ScriptsInput CaptureData EncryptedMultiband CommunicationSIM Card SwapPremium SMS Toll Fraud

Signature Overview

Click to jump to signature section

Software Vulnerabilities:

Potential browser exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Windows\System32\wscript.exeJump to behavior


Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /static/_common/gcc91g1y3wqj.js HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: congratulations.take-reward-now.xyzConnection: Keep-Alive
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: congratulations.take-reward-now.xyz

System Summary:

Classification labelShow sources
Source: classification engineClassification label: clean1.win@5/9@1/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF7B52B549F9940EFE.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample might require command line argumentsShow sources
Source: wscript.exeString found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4988 CREDAT:17410 /prefetch:2
Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\gcc91g1y3wqj.js'
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4988 CREDAT:17410 /prefetch:2Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VINVDFP6\gcc91g1y3wqj.js' Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: wscript.pdb source: wscript.exe

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)Show sources
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)Show sources
Source: wscript.exeBinary or memory string: Shell_TrayWnd
Source: wscript.exeBinary or memory string: Progman
Source: wscript.exeBinary or memory string: "Program Manager"

Language, Device and Operating System Detection:

Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend


  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 201048 URL: http://congratulations.take... Startdate: 15/01/2020 Architecture: WINDOWS Score: 1 5 iexplore.exe 12 65 2->5         started        process3 7 iexplore.exe 27 5->7         started        10 wscript.exe 5->10         started        dnsIp4 12 congratulations.take-reward-now.xyz, 49709, 49710, 80 unknown United States 7->12


Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches


No Antivirus matches


http://congratulations.take-reward-now.xyz/static/_common/gcc91g1y3wqj.js0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context


No context


No context


No context

JA3 Fingerprints

No context

Dropped Files

No context



This section contains all screenshots as thumbnails, including those not shown in the slideshow.