Windows Analysis Report
AutoUpdater.js

Overview

General Information

Sample Name: AutoUpdater.js
Analysis ID: 679454
MD5: c249583badbaef9a09e430a433a35914
SHA1: 6fec191fc99d6d4bf85ece108d0cdb191d2a9fcf
SHA256: 376180cf80a62085441a0b2a19e9b0fb2abdf3e1020955cfc4bd549e4bcc6726
Tags: js

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
JA3 SSL client fingerprint seen in connection with other malware
Yara signature match
Java / VBScript file with very long strings (likely obfuscated code)
Uses a known web browser user agent for HTTP communication
IP address seen in connection with other malware
Found WSH timer for Javascript or VBS script (likely evasive script)
Internet Provider seen in connection with other malware


Networking

Source: C:\Windows\System32\wscript.exe Domain query: 2b1c.telegram.godsmightywhispers.com
Source: C:\Windows\System32\wscript.exe Network Connect: 77.91.127.52 443
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
  POST /updateResource HTTP/1.1
  Accept: */*
  Accept-Language: en-us
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 2b1c.telegram.godsmightywhispers.com
  Content-Length: 44
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 77.91.127.52
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: unknown DNS traffic detected: queries for: 2b1c.telegram.godsmightywhispers.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: wscript.exe, 00000000.00000003.296302163.0000019F6FEDE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.297684112.0000019F6FEDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000000.00000002.297436981.0000019F6DEF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296673454.0000019F6DEDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296707627.0000019F6DEF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2b1c.telegram.godsmightywhispers.com/
Source: wscript.exe, 00000000.00000002.297436981.0000019F6DEF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296673454.0000019F6DEDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296707627.0000019F6DEF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2b1c.telegram.godsmightywhispers.com/.
Source: wscript.exe, 00000000.00000002.297453139.0000019F6DF14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296658717.0000019F6DE99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2b1c.telegram.godsmightywhispers.com/updateResource
Source: wscript.exe, 00000000.00000003.296699224.0000019F6DF14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.297453139.0000019F6DF14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2b1c.telegram.godsmightywhispers.com/updateResource$
Source: wscript.exe, 00000000.00000002.297436981.0000019F6DEF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296673454.0000019F6DEDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296707627.0000019F6DEF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://2b1c.telegram.godsmightywhispers.com/updateResource~
Source: wscript.exe, 00000000.00000002.297463765.0000019F6DF24000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296451624.0000019F6DF22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com;
Source: unknown HTTPS traffic detected: 77.91.127.52:443 -> 192.168.2.3:49737 version: TLS 1.2
Source: Process Memory Space: wscript.exe PID: 5700, type: MEMORYSTR Matched rule: apt_CN_Tetris_JS_advanced_1 date = 2020-09-06, author = @imp0rtp3 (modified by Florian Roth), description = Unique code from Jetriz, Swid & Jeniva of the Tetris framework, reference = https://imp0rtp3.wordpress.com/2021/08/12/tetris
Source: AutoUpdater.js Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies settings)
Source: classification engine Classification label: mal48.evad.winJS@1/0@1/1
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 (the JScript script engine CLSID)
Source: C:\Windows\System32\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: wscript.exe, 00000000.00000002.297436981.0000019F6DEF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.297677604.0000019F6FECF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296673454.0000019F6DEDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296293724.0000019F6FECF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296707627.0000019F6DEF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.297436981.0000019F6DEF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296673454.0000019F6DEDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296707627.0000019F6DEF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPY
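The network indicators above (C2 domain, IP, JA3 hash, the POST /updateResource request and its Internet Explorer compatibility user agent) can be turned into a hunt over DNS, TLS and proxy telemetry. The following is an added example, not part of the Joe Sandbox report: it parses constructed key=value log lines (sample data, not taken from the analysis) and scores each event. It generalises slightly beyond this sample by flagging any Windows script host (wscript.exe or cscript.exe) that sends HTTP with the MSIE 7.0 user agent, regardless of destination. The JA3 hash is treated as weak evidence on its own, because it fingerprints the client TLS stack rather than this particular script, so it is only raised to medium when the client process is a script host.

```python
"""Hunt for the AutoUpdater.js network indicators in constructed log lines."""
import shlex

# Indicators taken from the report above.
C2_DOMAIN = "2b1c.telegram.godsmightywhispers.com"
C2_IP = "77.91.127.52"
C2_JA3 = "37f463bf4616ecd445d4a1937da06e19"
C2_URI = "/updateResource"
# The IE-compatibility user agent seen in the POST; normal from a browser,
# suspicious when the sending process is a script host.
IE_COMPAT_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 7.0;"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample telemetry (not from the report), one event per line,
# key=value fields, values containing spaces are double-quoted.
SAMPLE_LOGS = """\
type=dns host=WS01 process=wscript.exe query=2b1c.telegram.godsmightywhispers.com
type=dns host=WS01 process=chrome.exe query=login.live.com
type=tls host=WS01 process=wscript.exe dst=77.91.127.52 dport=443 ja3=37f463bf4616ecd445d4a1937da06e19
type=http host=WS02 process=chrome.exe method=GET uri=/updateResource hostname=updates.example.com ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
type=http host=WS01 process=wscript.exe method=POST uri=/updateResource hostname=2b1c.telegram.godsmightywhispers.com ua="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0)" clen=44
type=tls host=WS03 process=outlook.exe dst=40.97.1.1 dport=443 ja3=37f463bf4616ecd445d4a1937da06e19
"""


def parse_line(line):
    """Split a key=value log line into a dict; shlex honours the quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def evaluate(ev):
    """Return (severity, reason) tuples for one parsed event."""
    hits = []
    etype = ev.get("type")
    proc = ev.get("process", "").lower()
    if etype == "dns" and ev.get("query", "").lower() == C2_DOMAIN:
        hits.append(("high", "DNS query for known C2 domain"))
    if etype == "tls":
        if ev.get("dst") == C2_IP and ev.get("dport") == "443":
            hits.append(("high", "TLS session to known C2 IP on 443"))
        if ev.get("ja3") == C2_JA3:
            # JA3 is shared by every client with the same TLS stack, so only
            # escalate when the client is a script host.
            hits.append(("medium" if proc in SCRIPT_HOSTS else "low",
                         "JA3 matches report fingerprint"))
    if etype == "http":
        if (ev.get("method") == "POST" and ev.get("uri") == C2_URI
                and ev.get("hostname", "").lower() == C2_DOMAIN):
            hits.append(("high", "POST /updateResource to known C2 host"))
        if proc in SCRIPT_HOSTS and ev.get("ua", "").startswith(IE_COMPAT_UA_PREFIX):
            hits.append(("medium", "script host sending HTTP with IE-compatibility user agent"))
    return hits


def hunt(log_text):
    """Run every rule over every non-empty line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for severity, reason in evaluate(ev):
            findings.append({"host": ev.get("host"), "process": ev.get("process"),
                             "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"{f['severity']:<6} {f['host']} {f['process']}: {f['reason']}")
```

Against the constructed sample the script reports three high findings for WS01 (DNS, TLS to the C2 IP, and the POST), two medium ones for the script host's JA3 and user agent, and a single low finding for the Outlook session on WS03 that merely shares the JA3 hash; the browser GET to a different host with the same URI path on WS02 produces nothing.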

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe Domain query: 2b1c.telegram.godsmightywhispers.com
Source: C:\Windows\System32\wscript.exe Network Connect: 77.91.127.52 443
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid