Windows Analysis Report
Chrom#U0435.U#U0440dat#U0435.zip

Overview

General Information

Sample Name: Chrom#U0435.U#U0440dat#U0435.zip
Analysis ID: 736959
MD5: c4971c73424f2728ef8771d8dcc5d7bc
SHA1: 00636308cac7b4d8dadd2590042ff1bbeb702e43
SHA256: 26106b07597873612b6cffd05d7f46564db4a2f90964c49906191bf0c8d7b180

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Program does not show much activity (idle)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64_ra
  • wscript.exe (PID: 888 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\alfredo\AppData\Local\Temp\Temp1_Chrom#U0435.U#U0440dat#U0435.zip\AutoUpdater.js" MD5: 563EDAE37876138FDFF47F3E7A9A78FD)
  • wscript.exe (PID: 6516 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\alfredo\AppData\Local\Temp\Temp1_Chrom#U0435.U#U0440dat#U0435.zip\AutoUpdater.js" MD5: 563EDAE37876138FDFF47F3E7A9A78FD)
  • cleanup
No yara matches
No Sigma rule has matched
Snort IDS Alerts

Timestamp: 11/03/22-12:35:25.057076
Source IP: 192.168.2.3
Destination IP: 1.1.1.1
Source Port: 53158
Destination Port: 53
SID: 2039597
Protocol: UDP
Classtype: A Network Trojan was detected

Timestamp: 11/03/22-12:35:01.413784
Source IP: 192.168.2.3
Destination IP: 1.1.1.1
Source Port: 56466
Destination Port: 53
SID: 2039597
Protocol: UDP
Classtype: A Network Trojan was detected


Networking

Source: C:\Windows\System32\wscript.exe | Network Connect: 188.138.69.102 443
Source: Traffic | Snort IDS: 2039597 ET TROJAN SocGholish CnC Domain in DNS Lookup (portraits .studio-94-photography .com) 192.168.2.3:56466 -> 1.1.1.1:53
Source: Traffic | Snort IDS: 2039597 ET TROJAN SocGholish CnC Domain in DNS Lookup (portraits .studio-94-photography .com) 192.168.2.3:53158 -> 1.1.1.1:53
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 188.138.69.102
Source: unknown | HTTPS traffic detected: 188.138.69.102:443 -> 192.168.2.3:49693 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.138.69.102:443 -> 192.168.2.3:49695 version: TLS 1.2
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal56.evad.winZIP@2/0@0/11
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\alfredo\AppData\Local\Temp\Temp1_Chrom#U0435.U#U0440dat#U0435.zip\AutoUpdater.js"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\alfredo\AppData\Local\Temp\Temp1_Chrom#U0435.U#U0440dat#U0435.zip\AutoUpdater.js"
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Chrom#U0435.U#U0440dat#U0435.zip | Joe Sandbox Cloud Basic: Detection: clean Score: 2
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Network Connect: 188.138.69.102 443
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (number of matched signatures in parentheses)

Initial Access: Valid Accounts; Default Accounts
Execution: Scripting (1); Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts
Defense Evasion: Process Injection (11); Scripting (1)
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Information Discovery (2); Remote System Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Encrypted Channel (2); Application Layer Protocol (1)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
