Source: unknown |
HTTPS traffic detected: 77.91.127.52:443 -> 192.168.2.3:49737 version: TLS 1.2 |
Source: C:\Windows\System32\wscript.exe |
Domain query: 2b1c.telegram.godsmightywhispers.com |
|
Source: C:\Windows\System32\wscript.exe |
Network Connect: 77.91.127.52 443 |
Source: Joe Sandbox View |
JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: global traffic |
HTTP traffic detected:
POST /updateResource HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 2b1c.telegram.godsmightywhispers.com
Content-Length: 44
Connection: Keep-Alive
Cache-Control: no-cache
Source: Joe Sandbox View |
IP Address: 77.91.127.52
Source: Joe Sandbox View |
ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: unknown |
DNS traffic detected: queries for: 2b1c.telegram.godsmightywhispers.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49737 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49737 -> 443 |
Source: wscript.exe, 00000000.00000003.296302163.0000019F6FEDE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.297684112.0000019F6FEDE000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: wscript.exe, 00000000.00000002.297436981.0000019F6DEF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296673454.0000019F6DEDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296707627.0000019F6DEF3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://2b1c.telegram.godsmightywhispers.com/ |
Source: wscript.exe, 00000000.00000002.297436981.0000019F6DEF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296673454.0000019F6DEDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296707627.0000019F6DEF3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://2b1c.telegram.godsmightywhispers.com/. |
Source: wscript.exe, 00000000.00000002.297453139.0000019F6DF14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296658717.0000019F6DE99000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://2b1c.telegram.godsmightywhispers.com/updateResource |
Source: wscript.exe, 00000000.00000003.296699224.0000019F6DF14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.297453139.0000019F6DF14000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://2b1c.telegram.godsmightywhispers.com/updateResource$ |
Source: wscript.exe, 00000000.00000002.297436981.0000019F6DEF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296673454.0000019F6DEDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296707627.0000019F6DEF3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://2b1c.telegram.godsmightywhispers.com/updateResource~ |
Source: wscript.exe, 00000000.00000002.297463765.0000019F6DF24000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296451624.0000019F6DF22000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com; |
Source: unknown |
HTTP traffic detected:
POST /updateResource HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 2b1c.telegram.godsmightywhispers.com
Content-Length: 44
Connection: Keep-Alive
Cache-Control: no-cache
Source: Process Memory Space: wscript.exe PID: 5700, type: MEMORYSTR |
Matched rule: apt_CN_Tetris_JS_advanced_1 date = 2020-09-06, author = @imp0rtp3 (modified by Florian Roth), description = Unique code from Jetriz, Swid & Jeniva of the Tetris framework, reference = https://imp0rtp3.wordpress.com/2021/08/12/tetris |
Source: AutoUpdater.js |
Initial sample: Strings found which are bigger than 50 |
Source: C:\Windows\System32\wscript.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: classification engine |
Classification label: mal48.evad.winJS@1/0@1/1 |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 |
Source: C:\Windows\System32\wscript.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\System32\wscript.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wscript.exe |
Window found: window name: WSH-Timer |
Source: wscript.exe, 00000000.00000002.297436981.0000019F6DEF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.297677604.0000019F6FECF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296673454.0000019F6DEDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296293724.0000019F6FECF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296707627.0000019F6DEF3000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: wscript.exe, 00000000.00000002.297436981.0000019F6DEF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296673454.0000019F6DEDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.296707627.0000019F6DEF3000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWPY |
Source: C:\Windows\System32\wscript.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |