Analysis Report http://codepoints.net/static/js/codepoint.js!3c67217e710120291b75e8c13546e320?_=1618365050047

Overview

General Information

Sample URL: http://codepoints.net/static/js/codepoint.js!3c67217e710120291b75e8c13546e320?_=1618365050047
Analysis ID: 392889

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Found WSH timer for Javascript or VBS script (likely evasive script)
Potential browser exploit detected (process start blacklist hit)

Classification

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 172.67.132.46:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.132.46:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: Binary string: wscript.pdbGCTL source: wscript.exe, 0000000D.00000002.904846709.00000209375B0000.00000002.00000001.sdmp
Source: Binary string: wscript.pdb source: wscript.exe, 0000000D.00000002.904846709.00000209375B0000.00000002.00000001.sdmp

Software Vulnerabilities:

Potential browser exploit detected (process start blacklist hit)
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Windows\System32\wscript.exe
Source: unknown DNS traffic detected: queries for: codepoints.net
Source: wscript.exe, 0000000D.00000003.729131342.00000209392D1000.00000004.00000001.sdmp String found in binary or memory: https://use.typekit.net
Source: wscript.exe, 0000000D.00000003.729206190.000002093930D000.00000004.00000001.sdmp String found in binary or memory: https://use.typekit.net:G
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: classification engine Classification label: clean1.win@5/9@1/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BACD341B-A159-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFF181345E7CC054BD.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6892 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\codepoint.js'
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: wscript.exe, 0000000D.00000002.904918744.0000020937A80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: wscript.exe, 0000000D.00000002.904918744.0000020937A80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 0000000D.00000002.904918744.0000020937A80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: wscript.exe, 0000000D.00000002.904918744.0000020937A80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 392889, URL: http://codepoints.net/stati..., Startdate: 19/04/2021, Architecture: WINDOWS, Score: 1
  iexplore.exe (started) -> iexplore.exe (started), wscript.exe (started)
  iexplore.exe -> codepoints.net (172.67.132.46; ports 443, 49741, 49742; CLOUDFLARENETUS, United States)

Contacted Public IPs

IP             Domain          Country        ASN    ASN Name         Malicious
172.67.132.46  codepoints.net  United States  13335  CLOUDFLARENETUS  false

Contacted Domains

Name            IP             Active
codepoints.net  172.67.132.46  true

Contacted URLs

Name Malicious Antivirus Detection Reputation
0 false low