Windows Analysis Report
Order Requirement 2022.js

Overview

General Information

Sample Name:Order Requirement 2022.js
Analysis ID:715072
MD5:e873a424159d2557551d0f4684af7a5f
SHA1:7dfcc66a95100143fae12531151355d2016718f0
SHA256:0d5a587f0c1dcff512f6112ee48859608db08307aa39887cc71480998d7070d4
Tags:jsVjw0rm

Detection

WSHRat, VjW0rm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected WSHRAT
Detected WSHRat
System process connects to network (likely due to code injection or exploit)
Sigma detected: Register Wscript In Run Key
JScript performs obfuscated calls to suspicious functions
Yara detected VjW0rm
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: Drops script at startup location
Sigma detected: VjW0rm
Snort IDS alert for network traffic
Wscript called in batch mode (suppress errors)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
JavaScript source code contains functionality to generate code involving a shell, file or stream
Potential malicious VBS/JS script found (suspicious encoded strings)
Drops script or batch files to the startup folder
Uses known network protocols on non-standard ports
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Java / VBScript file with very long strings (likely obfuscated code)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to query the security center for anti-virus and firewall products
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Creates a start menu entry (Start Menu\Programs\Startup)
Stores files to the Windows start menu directory
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • wscript.exe (PID: 672 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Order Requirement 2022.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 748 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\CekIalTska.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 2332 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\Order Requirement 2022.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
      • wscript.exe (PID: 6100 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\CekIalTska.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 1248 cmdline: C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Roaming\Order Requirement 2022.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 2804 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\CekIalTska.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 5412 cmdline: C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Roaming\Order Requirement 2022.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 1876 cmdline: C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Roaming\Order Requirement 2022.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 3232 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CekIalTska.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 5292 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order Requirement 2022.js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 2772 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\CekIalTska.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • wscript.exe (PID: 1956 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\Order Requirement 2022.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
      • wscript.exe (PID: 5776 cmdline: C:\Windows\System32\wscript.exe" //B "C:\Users\user\AppData\Roaming\CekIalTska.js MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup
No configs have been found
Source                                                                                  Rule                Description            Author        Strings
dump.pcap                                                                               JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security
0000000E.00000002.845740262.000001E45640E000.00000004.00000020.00020000.00000000.sdmp  JoeSecurity_VjW0rm  Yara detected VjW0rm   Joe Security
0000000E.00000003.546167949.000001E45640E000.00000004.00000020.00020000.00000000.sdmp  JoeSecurity_VjW0rm  Yara detected VjW0rm   Joe Security
00000002.00000003.346293587.0000025291B28000.00000004.00000020.00020000.00000000.sdmp  JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security
00000001.00000002.847480480.00000228B28AE000.00000004.00000020.00020000.00000000.sdmp  JoeSecurity_VjW0rm  Yara detected VjW0rm   Joe Security
0000000D.00000002.894056339.000001B9F4488000.00000004.00000020.00020000.00000000.sdmp  JoeSecurity_WSHRAT  Yara detected WSHRAT   Joe Security

Data Obfuscation

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 672, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Order Requirement 2022.js

Persistence and Installation Behavior

Source: Registry Key set, Author: Joe Security, Data: Details: wscript.exe //B "C:\Users\user\AppData\Roaming\Order Requirement 2022.js", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wscript.exe, ProcessId: 672, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Order Requirement 2022
Source: Registry Key set, Author: Joe Security, Data: Details: FALSE, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wscript.exe, ProcessId: 748, TargetObject: HKEY_CURRENT_USER\vjw0rm
Snort IDS alerts

Timestamp                 Source IP    Source Port  Destination IP   Destination Port  Protocol  SID      Classtype
10/03/22-15:58:08.503396  192.168.2.5  49733        109.248.150.138  2022              TCP       2017516  A Network Trojan was detected
10/03/22-16:00:06.684129  192.168.2.5  49800        109.248.150.138  2022              TCP       2017516  A Network Trojan was detected
10/03/22-15:59:34.417510  192.168.2.5  49782        109.248.150.138  2022              TCP       2017516  A Network Trojan was detected
10/03/22-16:00:01.475367  192.168.2.5  49796        109.248.150.138  2022              TCP       2017516  A Network Trojan was detected
10/03/22-15:58:25.510035  192.168.2.5  49743        109.248.150.138  2022              TCP       2017516  A Network Trojan was detected
10/03/22-15:58:35.892450  192.168.2.5  49749        109.248.150.138  2022              TCP       2017516  A Network Trojan was detected
10/03/22-15:58:13.983128  192.168.2.5  49737        109.248.150.138  2022              TCP       2017516  A Network Trojan was detected
10/03/22-15:59:50.918382  192.168.2.5  49792        109.248.150.138  2022              TCP       2017516  A Network Trojan was detected
10/03/22-16:00:17.051647  192.168.2.5  49806        109.248.150.138  2022              TCP       2017516  A Network Trojan was detected
10/03/22-15:58:03.289656  192.168.2.5  49732        109.248.150.138  2022              TCP       2017516