Windows Analysis Report
qwgrp.js

Overview

General Information

Sample Name:	qwgrp.js
Analysis ID:	679318
MD5:	5eeaaf798aff4328ae6afdffc28546bd
SHA1:	a161f51b686662e887b83cf8b2b0ea31e102d76f
SHA256:	8fae44f0db835c7ced4cddafcf64b8221822ae0384a8575911f84b98f9bf7dc3
Tags:	aptDangerousPasswordjsLazarus

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Program does not show much activity (idle)

Java / VBScript file with very long strings (likely obfuscated code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Signatures

Java / VBScript file with very long strings (likely obfuscated code)

Source: qwgrp.js

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: clean1.winJS@1/0@0/0

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	679318
Product:	CloudBasic
Start time:	15:21:10
Start date:	05.08.2022
Sample:	qwgrp.js
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	5eeaaf798aff4328ae6afdffc28546bd
SHA1:	a161f51b686662e887b83cf8b2b0ea31e102d76f
SHA256:	8fae44f0db835c7ced4cddafcf64b8221822ae0384a8575911f84b98f9bf7dc3
Filetype:	Text - UTF-16 (LE) encoded (2002/1) 64.44%

Windows Analysis Report
qwgrp.js

Overview

General Information

Detection

Signatures

Classification

Signatures

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report qwgrp.js

Overview

General Information

Detection

Signatures

Classification

Signatures

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
qwgrp.js