Windows Analysis Report
COMPANY PROFILE.js

Overview

General Information

Sample Name: COMPANY PROFILE.js
Analysis ID: 643821
MD5: daec0171877cee02240ced6f2375f4fd
SHA1: 05e57011ce5cef3366d07618069aa7d78c1b2ab5
SHA256: 6d3822e701b2a76d459edbd31e2e79e88728668d248a7cca42a67016ccdc901e
Tags: js

Detection

WSHRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected WSHRAT
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for submitted file
JScript performs obfuscated calls to suspicious functions
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Wscript called in batch mode (suppress errors)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Potential malicious VBS script found (has network functionality)
JavaScript source code contains call to eval containing suspicious API calls
Drops VBS files to the startup folder
Windows Shell Script Host drops VBS files
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Java / VBScript file with very long strings (likely obfuscated code)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to query the security center for anti-virus and firewall products
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Creates a start menu entry (Start Menu\Programs\Startup)
Stores files to the Windows start menu directory
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • wscript.exe (PID: 5680 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\COMPANY PROFILE.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 240 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\bzNGARVMiK.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 5772 cmdline: C:\Windows\System32\wscript.exe" "C:\Users\user\AppData\Roaming\dnsBIN.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 3696 cmdline: C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Roaming\dnsBIN.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 6244 cmdline: C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Roaming\dnsBIN.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 6412 cmdline: C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Roaming\dnsBIN.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 6576 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dnsBIN.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 6652 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\dnsBIN.vbs MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup
No configs have been found
Source: Process Memory Space: wscript.exe PID: 5772
Rule: JoeSecurity_WSHRAT
Description: Yara detected WSHRAT
Author: Joe Security

    Data Obfuscation

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 5772, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dnsBIN.vbs
    No Snort rule has matched


    AV Detection

    Source: COMPANY PROFILE.js | ReversingLabs: Detection: 17%
    Source: http://vjhorm.duckdns.org:4733/is-readyOR | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-ready0P | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-readyQQ | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-readyV | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-ready; | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-ready3BF0562D5CAZ | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-readyB | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-readye | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-readyD | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-ready0600806D9B6 | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-readyi5:0 | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-ready3BF0562D5CA | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-ready | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-readyJ | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-readyttrings1 | Avira URL Cloud: Label: malware
    Source: http://vjhorm.duckdns.org:4733/is-readyP | Avira URL Cloud: Label: malware
    Source: C:\Users\user\AppData\Roaming\dnsBIN.vbs | Avira: detection malicious, Label: VBS/Agent.BH.3
    Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dnsBIN.vbs | Avira: detection malicious, Label: VBS/Agent.BH.3
    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

    Software Vulnerabilities

    Source: COMPANY PROFILE.js | Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', '"gYMty=","WSH.CreateObject("adodb.stream")",-510']
    Source: COMPANY PROFILE.js | Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', 'gYMty,WSH.CreateObject("adodb.stream")', 'var H3br3w,WSH.CreateObject("microsoft.xmldom").createElement("mko"),H3br3w.dataType,"bin.base64",H3', '"gYMty=","WSH.CreateObject("adodb.stream")",-510', '"gYMty","WSH.CreateObject("adodb.stream")"']
    Source: COMPANY PROFILE.js | Return value: ['"gYMty=WSH.CreateObject("adodb.stream")"', 'gYMty,WSH.CreateObject("adodb.stream")', 'var H3br3w,WSH.CreateObject("microsoft.xmldom").createElement("mko"),H3br3w.dataType,"bin.base64",H3', '"gYMty=","WSH.CreateObject("adodb.stream")",-510', 'gYMty=,WSH.CreateObject("adodb.stream"),-510', '"gYMty","WSH.CreateObject("adodb.stream")"']
    Source: COMPANY PROFILE.js | Argument value: ['"gYMty=WSH.CreateObject("adodb.stream")"', '"var H3br3w=WSH.CreateObject("microsoft.xmldom").createElement("mko")"']

    Networking

    Source: C:\Windows\System32\wscript.exe | Domain query: vjhorm.duckdns.org
    Source: C:\Windows\System32\wscript.exe | Network Connect: 91.193.75.135 4733
    Source: C:\Windows\System32\wscript.exe | Dropped file: httpobj.setrequestheader "user-agent:",information
    Source: C:\Windows\System32\wscript.exe | Dropped file: .write objhttpdownload.responsebody
    Source: C:\Windows\System32\wscript.exe | Dropped file: .savetofile strsaveto
    Source: unknown | DNS query: name: vjhorm.duckdns.org
    Source: global traffic | TCP traffic: 192.168.2.4:49758 -> 91.193.75.135:4733
    Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG
    Source: Joe Sandbox View | IP Address: 91.193.75.135
    Source: wscript.exe, 00000002.00000003.311614078.000002055AB53000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.311595710.000002055AB4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://vjhorm.duckdns.org
    Source: wscript.exe, 00000002.00000003.311614078.000002055AB53000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.311595710.000002055AB4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://vjhorm.duckdns.org:
    Source: wscript.exe, 00000002.00000003.640001038.000002055AB4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.682932179.000002055AB41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.668415382.000002055AB41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.419285862.000002055AB4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.343787004.000002055AB4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.697972030.000002055AB32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.774929872.000002055A0FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.420709417.000002055AB55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.715319730.000002055AAF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.344390004.000002055AB55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.715031854.000002055AB32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000002.775344718.000002055AAE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.389153803.000002055AB32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.419478657.000002055AB55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.435497311.000002055AB53000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.545293308.000002055AB53000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.668402649.000002055AB32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.484655691.000002055AB41000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.419128493.000002055AB32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.450294236.000002055AB32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.499570476.000002055AB56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://vjhorm.duckdns.org:4733/is-ready
    Source: wscript.exe, 00000002.00000002.775344718.000002055AAE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://vjhorm.duckdns.org:4733/is-ready0600806D9B6
    Source: wscript.exe, 00000002.00000003.499570476.000002055AB56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://vjhorm.duckdns.org:4733/is-ready0P
    Source: wscript.exe, 00000002.00000003.595982569.000002055AB56000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.610620932.000002055AB4C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.610894615.000002055AB55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://vjhorm.duckdns.org:4733/is-ready3BF0562D5CA
    Source: wscript.exe, 00000002.00000003.715186976.000002055AB4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.715267543.000002055AB54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://vjhorm.duckdns.org:4733/is-ready3BF0562D5CAZ
    Source: wscript.exe, 00000002.00000003.389153803.000002055AB32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://vjhorm.duckdns.org:4733/is-ready;
    Source: wscript.exe, 00000002.00000003.595956212.000002055AB32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.343819098.000002055AB55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000002.00000003.595982569.000002055AB56000.00000004.00000020.0002