Analysis Report Facture-FB745M1597.js

Overview

General Information

Sample Name: Facture-FB745M1597.js
Analysis ID: 394542
MD5: 50f7c9a878f0db313f567b7de59dc13b
SHA1: 48706cb3be8f045d43ef0b6aa56a3655f27ba2f4
SHA256: 897a89f435f8ec6e8731231a4b0ed8d2feb81daa57924acb1e7d47381af46b8b

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

JScript performs obfuscated calls to suspicious functions
System process connects to network (likely due to code injection or exploit)
Potential obfuscated javascript found
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses a known web browser user agent for HTTP communication

Classification

Networking:

Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected (recorded twice):
GET /LklKHfvvvCDcx45jv454545/index.php HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.energym63.com
Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: www.energym63.com
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Date: Wed, 21 Apr 2021 15:10:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: route=1619017820.031.19726.874988; Path=/; HttpOnly
Data Ascii: 12d <html xmlns='http://www.w3.org/1999/xhtml' xml:lang='en' lang='en'><meta http-equiv='Content-Type' content='text/html;charset=UTF-8'><head> <title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL / was not found on this server.</p></html>
Source: wscript.exe, 00000000.00000002.225476465.000002838B44F000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.217916044.000002838D4F1000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.225062222.000002838D158000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.223300582.000002838D1D0000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.223330353.000002838D153000.00000004.00000001.sdmp String found in binary or memory: http://www.energym63.com/LklKHfvvvCDcx45jv454545/index.php
Source: wscript.exe, 00000000.00000003.217927319.000002838D4FA000.00000004.00000001.sdmp String found in binary or memory: http://www.energym63.com/LklKHfvvvCDcx45jv454545/index.php(
Source: wscript.exe, 00000000.00000002.225476465.000002838B44F000.00000004.00000001.sdmp String found in binary or memory: http://www.energym63.com/LklKHfvvvCDcx45jv454545/index.php6
Source: wscript.exe, 00000000.00000002.225476465.000002838B44F000.00000004.00000001.sdmp String found in binary or memory: http://www.energym63.com/LklKHfvvvCDcx45jv454545/index.phpU
Source: wscript.exe, 00000000.00000002.225400514.000002838B3CC000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com
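The two network observations above, a scripting host (wscript.exe) sending a browser-style User-Agent and the specific check-in URL, can be turned directly into detection logic. The following is an added example and not part of the sandbox report: it runs those checks over constructed, pipe-separated proxy-style log records. The record format, the SCRIPT_HOSTS list, the function names and the placeholder Suricata sid are assumptions made for the example; the indicators themselves (URL, host, IP, User-Agent) are taken from the report.

```python
"""Detection logic for the network indicators in this report (added example)."""
import re
from urllib.parse import urlparse

# Indicators taken from the report above.
C2_URL = "http://www.energym63.com/LklKHfvvvCDcx45jv454545/index.php"
C2_HOST = "www.energym63.com"
C2_IP = "46.182.4.120"

# Windows script hosts that have no reason to present a browser UA (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Browser-style UA prefixes; the "MSIE 7.0 ... Trident/7.0" compatibility string
# captured in the report matches the first alternative.
BROWSER_UA = re.compile(r"^Mozilla/\d\.\d \((compatible; MSIE|Windows NT|Macintosh|X11)")

# Network-side equivalent of the URL check in Suricata syntax (sid is a placeholder;
# shown for the IDS side of the same indicator, not executed here).
SURICATA_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Facture-FB745M1597.js C2 check-in"; '
    'flow:established,to_server; http.host; content:"www.energym63.com"; '
    'http.uri; content:"/LklKHfvvvCDcx45jv454545/index.php"; sid:1000001; rev:1;)'
)

# Constructed log records: process|dest_ip|method|url|user_agent|status
LOG_LINES = [
    "wscript.exe|46.182.4.120|GET|http://www.energym63.com/LklKHfvvvCDcx45jv454545/index.php|"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; "
    ".NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)|404",
    "msedge.exe|192.0.2.10|GET|https://www.example.com/|"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/90.0.4430.93 Safari/537.36 Edg/90.0.818.51|200",
    "wscript.exe|198.51.100.7|GET|http://updates.example.net/check|"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0)|200",
]


def parse_record(line):
    """Split one constructed record into named fields."""
    process, dest_ip, method, url, user_agent, status = line.split("|")
    return {
        "process": process,
        "dest_ip": dest_ip,
        "method": method,
        "url": url,
        "host": urlparse(url).hostname or "",
        "user_agent": user_agent,
        "status": int(status),
    }


def detect(lines):
    """Return (process, url, reason) alerts for the two indicators in the report."""
    alerts = []
    for line in lines:
        r = parse_record(line)
        # Exact indicator match. The 404 in the capture is deliberately NOT used to
        # suppress this: the check-in to the C2 path happened regardless of the reply.
        if r["url"] == C2_URL or r["host"] == C2_HOST or r["dest_ip"] == C2_IP:
            alerts.append((r["process"], r["url"], "known C2 indicator from report"))
        # Behavioural match: a script host should never look like a browser.
        if r["process"].lower() in SCRIPT_HOSTS and BROWSER_UA.match(r["user_agent"]):
            alerts.append((r["process"], r["url"], "script host presenting a browser User-Agent"))
    return alerts


if __name__ == "__main__":
    for process, url, reason in detect(LOG_LINES):
        print(f"{process}\t{reason}\t{url}")
```

The second check is the one that survives after the C2 domain changes: the exact URL is disposable, while wscript.exe presenting an MSIE/Trident User-Agent is the behaviour.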

System Summary:

Java / VBScript file with very long strings (likely obfuscated code)
Source: Facture-FB745M1597.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal60.evad.winJS@1/0@1/1
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts (2x)
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe Automated click: OK (2x)

Data Obfuscation:

JScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Echo(lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllluuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuttttttttttttttttttttttttttttttttttttttttttttttttttuullllllllllllllllllllllllllllluuuulllllllllllllllloooooooooooooo________[0],5,lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllluuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuttttttttttttttttttttttttttttttttttttttttttttttttttuullllllllllllllllllllllllllllluuuulllllllllllllllloooooooooooooo________[1]);var Base64={_keyStr:lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllluuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuttttttttttttttttttttttttttttttttttttttttttttttttttuullllllllllllllllllllllllllllluuuulllllllllllllllloooooooooooooo________[2],decode:function(oooooooooooooooooooooooooooooooooooooooooooooooooooooooo____________________________________________ooooooooooooooooooooo__________________________________________________ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooouuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuoooooollllllllllllllllllllllllllllliiiiioooooooooooooooooo________){var _0xb8c0x4=lllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllluuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuttttttttttttttttttttttttttttttttttttttttttttttttttuullllllllllllllllllllllllllllluuuulllllllllllllllloooooooooooooo________[3];var 
uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuullllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllluuuuuuooooooooooo________,uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuullllllllllllllllllllllllllllllllllllllllllllllllllllnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnllllllnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnllllllluuuuuuooooooooooo________,_0xb8c0x7;var _0xb8c0x8,uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuullllllllllllllllllllllllllllllllllllllllllllllllllllnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnllllllllllllluuuuuuooooooooooo________,_0xb8c0xa,_0xb8c0xb;var uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuooooooooooo________=0;oooooooooooooooooooooooooooooooooooooooooooooooooooooooo____________________________________________ooooooooooooooooooooo__________________________________________________ooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooouuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuu
Potential obfuscated javascript found
Source: Facture-FB745M1597.js Initial file: High amount of function use 4
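The three static signatures in this section (string literals longer than 50 characters, identifiers built from a few repeated characters such as the lll...uuu...____ names in the AMSI buffer, and a high count of function definitions) are cheap to reproduce in a triage script. The following is an added example, not code from the sandbox or from the sample: it implements those heuristics and runs them over a constructed snippet that imitates the excerpt above. The thresholds, the sample text and the function names are assumptions for the example.

```python
"""Static triage of a JScript dropper for the obfuscation signatures above (added example)."""
import re

MIN_STRING_LEN = 50        # the report flags strings "bigger than 50"
MIN_IDENT_LEN = 32         # identifiers at least this long ... (assumed threshold)
MAX_IDENT_DISTINCT = 6     # ... built from at most this many distinct characters
MIN_FUNCTION_COUNT = 4     # the report's "High amount of function use 4"

STRING_RE = re.compile(r"'(?:[^'\\\n]|\\.)*'|\"(?:[^\"\\\n]|\\.)*\"")
IDENT_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")
FUNCTION_RE = re.compile(r"\bfunction\b")


def long_string_literals(src, min_len=MIN_STRING_LEN):
    """Return the contents of quoted string literals longer than min_len characters."""
    return [m.group(0)[1:-1] for m in STRING_RE.finditer(src)
            if len(m.group(0)) - 2 > min_len]


def repetitive_identifiers(src):
    """Return long identifiers that use only a handful of distinct characters."""
    code = STRING_RE.sub("''", src)   # never mistake string contents for identifiers
    found = set()
    for m in IDENT_RE.finditer(code):
        ident = m.group(0)
        if len(ident) >= MIN_IDENT_LEN and len(set(ident)) <= MAX_IDENT_DISTINCT:
            found.add(ident)
    return sorted(found)


def function_count(src):
    """Count 'function' keywords outside string literals."""
    return len(FUNCTION_RE.findall(STRING_RE.sub("''", src)))


def triage(src):
    """Run all three heuristics and return counts plus human-readable findings."""
    longs = long_string_literals(src)
    weird = repetitive_identifiers(src)
    funcs = function_count(src)
    findings = []
    if longs:
        findings.append(f"{len(longs)} string literal(s) longer than {MIN_STRING_LEN} characters")
    if weird:
        findings.append(f"{len(weird)} identifier(s) built from repeated characters "
                        f"(longest {max(map(len, weird))})")
    if funcs >= MIN_FUNCTION_COUNT:
        findings.append(f"{funcs} function definitions")
    return {"long_strings": len(longs), "repetitive_identifiers": len(weird),
            "function_count": funcs, "findings": findings}


# Constructed sample in the style of the AMSI buffer excerpt (not the real script).
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
IDENT = "l" * 64 + "u" * 32 + "t" * 16 + "o" * 8 + "________"
ARG = "o" * 48 + "_" * 24 + "iiiii" + "________"
SAMPLE_JS = "\n".join([
    "var " + IDENT + " = ['Invoice', 'FB745M1597', '" + "A" * 72 + "', '" + B64_ALPHABET + "'];",
    "WScript.Echo(" + IDENT + "[0], 5, " + IDENT + "[1]);",
    "var Base64={_keyStr:" + IDENT + "[2],decode:function(" + ARG
    + "){var _0xb8c0x4=" + IDENT + "[3];return _0xb8c0x4;}};",
    "function stage(){return 1;} function run(){return stage();} "
    "function go(){return run();} function main(){return go();}",
])

# Constructed benign control.
BENIGN_JS = "function add(a, b) { return a + b; }\nvar greeting = 'hello';"

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_JS), ("benign", BENIGN_JS)):
        print(name, triage(src))
```

Stripping string literals before the identifier scan matters: a 72-character 'AAAA...' literal would otherwise be counted as a repetitive identifier and inflate the score on files that merely embed long data.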

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (2x)

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: wscript.exe, 00000000.00000002.226839023.000002838D380000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000003.217939846.000002838D50C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.223263406.000002838B4A1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW gI
Source: wscript.exe, 00000000.00000002.226839023.000002838D380000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.226839023.000002838D380000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.226839023.000002838D380000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe Domain query: www.energym63.com
Source: C:\Windows\System32\wscript.exe Network Connect: 46.182.4.120 80
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Behavior Graph

Behavior Graph ID: 394542
Sample: Facture-FB745M1597.js
Start date: 21/04/2021
Architecture: WINDOWS
Score: 60
Sample-level signature: Potential obfuscated javascript found
Process started: wscript.exe
Network: www.energym63.com (46.182.4.120, source port 49723, destination port 80), HOSTEUR-NET-CORE Hosteur NETWORK CORE FR, France
Process-level signatures: System process connects to network (likely due to code injection or exploit); JScript performs obfuscated calls to suspicious functions

Contacted Public IPs

IP: 46.182.4.120
Domain: www.energym63.com
Country: France
ASN: 204818
ASN Name: HOSTEUR-NET-CORE Hosteur NETWORK CORE FR
Malicious: true

Contacted Domains

Name: www.energym63.com
IP: 46.182.4.120
Active: true

Contacted URLs

Name: http://www.energym63.com/LklKHfvvvCDcx45jv454545/index.php
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown