Analysis Report http://codepoints.net/static/js/codepoint.js!3c67217e710120291b75e8c13546e320?_=1618365050047

Overview

General Information

Sample URL: http://codepoints.net/static/js/codepoint.js!3c67217e710120291b75e8c13546e320?_=1618365050047
Analysis ID: 392890
Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Found WSH timer for Javascript or VBS script (likely evasive script)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Classification

Source: unknown HTTPS traffic detected: 172.67.132.46:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: global traffic HTTP traffic detected: GET /static/js/codepoint.js!3c67217e710120291b75e8c13546e320?_=1618365050047 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
    Accept: */*
    Accept-Encoding: identity
    Host: codepoints.net
    Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: codepoints.net
Source: wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt
Source: wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: wget.exe, 00000002.00000002.640905312.0000000000B40000.00000004.00000020.sdmp, cmdline.out.2.dr String found in binary or memory: http://codepoints.net/static/js/codepoint.js
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl
Source: wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl
Source: wget.exe, 00000002.00000002.641324998.0000000002CF2000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp, wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl
Source: wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com
Source: wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: wget.exe, 00000002.00000002.641324998.0000000002CF2000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: cmdline.out.2.dr String found in binary or memory: https://codepoints.net/static/js/codepoint.js
Source: wget.exe, 00000002.00000003.640620928.0000000002CFD000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: wscript.exe, 00000004.00000003.644926297.000001E10A792000.00000004.00000001.sdmp String found in binary or memory: https://use.typekit.net
Source: wscript.exe, 00000004.00000003.645147006.000001E10A7DB000.00000004.00000001.sdmp String found in binary or memory: https://use.typekit.net:G
Source: wget.exe, 00000002.00000003.640648036.0000000002CBC000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: classification engine Classification label: clean1.win@5/3@1/2
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_01
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://codepoints.net/static/js/codepoint.js!3c67217e710120291b75e8c13546e320?_=1618365050047' > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://codepoints.net/static/js/codepoint.js!3c67217e710120291b75e8c13546e320?_=1618365050047'
Source: unknown Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\download\codepoint.js!3c67217e710120291b75e8c13546e320@_=1618365050047.js'
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02CB08CF push cs; retf 2_2_02CB08E6
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02CB0A4F push cs; retf 2_2_02CB0A66
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02CB03D7 push eax; retf 2_2_02CB0406
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02CB0B6F push ds; retf 2_2_02CB0B86
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02CB047F push es; retf 2_2_02CB050E
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02CB0C77 pushad ; retf 2_2_02CB0CA6
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02CB050F push ds; retf 2_2_02CB059E
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02CB0107 push ss; retf 2_2_02CB011E
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02CB0197 push cs; retf 2_2_02CB01C6
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02CB04AF push es; retf 2_2_02CB050E
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02CB0C2F push eax; retf 2_2_02CB0C76
Source: C:\Windows\SysWOW64\wget.exe Code function: 2_2_02CB06BF pushad ; retf 2_2_02CB06D6
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 392890
URL: http://codepoints.net/stati...
Startdate: 19/04/2021
Architecture: WINDOWS
Score: 1

Process tree and contacted hosts:

cmd.exe
  -> wget.exe
       -> codepoints.net (172.67.132.46, ports 443, 49756, 49757; CLOUDFLARENETUS, United States)
       -> 192.168.2.1 (unknown)
  -> conhost.exe
wscript.exe

Contacted Public IPs

IP             Domain          Country        ASN    ASN Name         Malicious
172.67.132.46  codepoints.net  United States  13335  CLOUDFLARENETUS  false

Private IPs

IP
192.168.2.1

Contacted Domains

Name            IP             Active
codepoints.net  172.67.132.46  true

Contacted URLs

Name                                                                                             Malicious  Antivirus Detection  Reputation
http://codepoints.net/static/js/codepoint.js!3c67217e710120291b75e8c13546e320?_=1618365050047  false      -                    high