Windows Analysis Report
AutoUpdater.js

Overview

General Information

Sample Name: AutoUpdater.js
Analysis ID: 679454
MD5: c249583badbaef9a09e430a433a35914
SHA1: 6fec191fc99d6d4bf85ece108d0cdb191d2a9fcf
SHA256: 376180cf80a62085441a0b2a19e9b0fb2abdf3e1020955cfc4bd549e4bcc6726
Tags: js

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Uses a known web browser user agent for HTTP communication
IP address seen in connection with other malware
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware

Classification

Source: unknown HTTPS traffic detected: 77.91.127.52:443 -> 192.168.2.4:49772 version: TLS 1.2

Networking

Source: C:\Windows\System32\wscript.exe Domain query: 2b1c.telegram.godsmightywhispers.com
Source: C:\Windows\System32\wscript.exe Network Connect: 77.91.127.52 443
Source: AutoUpdater.js Return value : ['"send"']
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
  POST /updateResource HTTP/1.1
  Accept: */*
  Accept-Language: en-us
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 2b1c.telegram.godsmightywhispers.com
  Content-Length: 44
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 77.91.127.52
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: unknown DNS traffic detected: queries for: 2b1c.telegram.godsmightywhispers.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: AutoUpdater.js Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal52.evad.winJS@1/0@1/1
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Domain query: 2b1c.telegram.godsmightywhispers.com
Source: C:\Windows\System32\wscript.exe Network Connect: 77.91.127.52 443
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid