Windows Analysis Report
Chrom#U0435.U#U0440dat#U0435.zip

Overview

General Information

Sample Name:Chrom#U0435.U#U0440dat#U0435.zip
Analysis ID:736959
MD5:c4971c73424f2728ef8771d8dcc5d7bc
SHA1:00636308cac7b4d8dadd2590042ff1bbeb702e43
SHA256:26106b07597873612b6cffd05d7f46564db4a2f90964c49906191bf0c8d7b180
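The sample name is not plain ASCII: Joe Sandbox writes every non-ASCII character of a file name as #U followed by the four-hex-digit code point, and U+0435 and U+0440 are the Cyrillic letters е and р. The archive therefore displays as Chrome.Update.zip while never matching that string byte for byte, which is the usual homoglyph lure for a fake browser update. The Python below is an added example, not part of the Joe Sandbox report, that decodes the escape, lists the scripts mixed in the name and maps the Cyrillic look-alikes to the Latin letters a user reads. The CONFUSABLES table is a hand-picked subset of Unicode's confusables (an assumption: these seven lower-case pairs cover this sample, not the whole data file).

```python
import re
import unicodedata

# Joe Sandbox writes each non-ASCII character of a file name as "#U" plus the
# four-hex-digit code point, e.g. "Chrom#U0435" for "Chrom" followed by U+0435.
JOE_ESCAPE = re.compile(r"#U([0-9A-Fa-f]{4})")

# Hand-picked Cyrillic lower-case letters that render like Latin ones
# (assumed subset of Unicode's confusables list, enough for this sample).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def decode_joe_name(name: str) -> str:
    """Replace every #Uxxxx escape with the character it encodes."""
    return JOE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. LATIN or CYRILLIC.
    Non-letters (dots, digits) are reported as COMMON so they never count
    as a script of their own."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def analyse_name(encoded: str) -> dict:
    """Decode a Joe Sandbox file name and report on script mixing."""
    decoded = decode_joe_name(encoded)
    scripts = sorted({script_of(c) for c in decoded} - {"COMMON"})
    non_latin = [
        (c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
        for c in decoded
        if script_of(c) not in ("LATIN", "COMMON")
    ]
    # What the user sees once each confusable is swapped for its Latin twin.
    as_seen = "".join(CONFUSABLES.get(c, c) for c in decoded)
    return {
        "decoded": decoded,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "non_latin": non_latin,
        "as_seen": as_seen,
        # A mixed-script name whose Latin rendering differs from the real
        # name is the homoglyph pattern to alert on.
        "homoglyph_lure": len(scripts) > 1 and as_seen != decoded,
    }


if __name__ == "__main__":
    report = analyse_name("Chrom#U0435.U#U0440dat#U0435.zip")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feeding a Joe Sandbox sample name through analyse_name() gives the name as the victim saw it and the code points that make it unique, which is what a hunting query on file-name telemetry should key on rather than the ASCII rendering.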

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Program does not show much activity (idle)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64_ra
  • wscript.exe (PID: 888 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\alfredo\AppData\Local\Temp\Temp1_Chrom#U0435.U#U0440dat#U0435.zip\AutoUpdater.js" MD5: 563EDAE37876138FDFF47F3E7A9A78FD)
  • wscript.exe (PID: 6516 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\alfredo\AppData\Local\Temp\Temp1_Chrom#U0435.U#U0440dat#U0435.zip\AutoUpdater.js" MD5: 563EDAE37876138FDFF47F3E7A9A78FD)
  • cleanup
No yara matches
No Sigma rule has matched
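The process tree shows wscript.exe running AutoUpdater.js from a Temp1_<archive>.zip directory, which is where Windows Explorer extracts a file that the user double-clicked inside a ZIP, and the report records that no Sigma rule matched. The Python below is an added example, not part of the report or of Joe Sandbox, of the process-creation check a detection engineer would write for this pattern. The event records are constructed from the two command lines in the report plus two benign launches; the field names (pid, image, command_line) follow Sysmon event ID 1 naming and are an assumption about the log source.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")

# When a user opens a file from inside a ZIP, Explorer extracts it to
# %LOCALAPPDATA%\Temp\Temp1_<archive>.zip\ (Temp2_, Temp3_ ... if that name is taken).
EXPLORER_ZIP_TEMP = re.compile(r"\\AppData\\Local\\Temp\\Temp\d+_[^\\]+\.zip\\", re.IGNORECASE)

# Either Joe Sandbox's #Uxxxx escape or a raw non-ASCII character in the path.
NON_ASCII_OR_ESCAPE = re.compile(r"#U[0-9A-Fa-f]{4}|[^\x00-\x7f]")


@dataclass
class ProcessEvent:
    """Subset of a Sysmon event ID 1 / 4688 record (field naming is an assumption)."""
    pid: int
    image: str
    command_line: str


def split_args(command_line: str) -> list[str]:
    """Minimal Windows command-line tokenizer: a quoted token keeps its spaces."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', command_line)]


def evaluate(ev: ProcessEvent) -> list[str]:
    """Return the reasons this process start is suspicious; empty list means clean."""
    reasons: list[str] = []
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if exe not in SCRIPT_HOSTS:
        return reasons
    # Arguments after argv[0] that look like script files.
    scripts = [a for a in split_args(ev.command_line)[1:] if a.lower().endswith(SCRIPT_EXTENSIONS)]
    for script in scripts:
        basename = script.rsplit("\\", 1)[-1]
        if EXPLORER_ZIP_TEMP.search(script):
            reasons.append(f"{exe} runs {basename} straight out of an Explorer ZIP temp folder")
        if NON_ASCII_OR_ESCAPE.search(script):
            reasons.append(f"path of {basename} contains non-ASCII characters (possible homoglyph lure)")
    return reasons


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map PID -> reasons for every event that trips at least one rule."""
    return {ev.pid: hits for ev in events if (hits := evaluate(ev))}


# Constructed sample events: the two wscript.exe starts from the report
# (PIDs 888 and 6516) and two benign launches that must not alert.
REPORT_CMD = (
    r'"C:\Windows\System32\WScript.exe" '
    r'"C:\Users\alfredo\AppData\Local\Temp\Temp1_Chrom#U0435.U#U0440dat#U0435.zip\AutoUpdater.js"'
)
SAMPLE_EVENTS = [
    ProcessEvent(888, r"C:\Windows\System32\wscript.exe", REPORT_CMD),
    ProcessEvent(6516, r"C:\Windows\System32\wscript.exe", REPORT_CMD),
    ProcessEvent(4120, r"C:\Windows\System32\cscript.exe",
                 r'"C:\Windows\System32\cscript.exe" //nologo C:\Windows\System32\slmgr.vbs /dli'),
    ProcessEvent(5004, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, *hits, sep="\n  ")
```

The ZIP-temp check is the one that generalises: any script host, LNK or MSI launched from Temp\TempN_*.zip\ means the user ran it straight from an archive without extracting, which is rare in legitimate admin work and common in lure delivery.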
Timestamp: 11/03/22-12:35:25.057076
SID: 2039597
Source: 192.168.2.3:53158
Destination: 1.1.1.1:53
Protocol: UDP
Classtype: A Network Trojan was detected
Timestamp: 11/03/22-12:35:01.413784
SID: 2039597
Source: 192.168.2.3:56466
Destination: 1.1.1.1:53
Protocol: UDP
Classtype: A Network Trojan was detected


Networking

Source: C:\Windows\System32\wscript.exe | Network Connect: 188.138.69.102 443
Source: Traffic | Snort IDS: 2039597 ET TROJAN SocGholish CnC Domain in DNS Lookup (portraits .studio-94-photography .com) 192.168.2.3:56466 -> 1.1.1.1:53
Source: Traffic | Snort IDS: 2039597 ET TROJAN SocGholish CnC Domain in DNS Lookup (portraits .studio-94-photography .com) 192.168.2.3:53158 -> 1.1.1.1:53
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 188.138.69.102 (27 events)
Source: unknown | HTTPS traffic detected: 188.138.69.102:443 -> 192.168.2.3:49693 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 188.138.69.102:443 -> 192.168.2.3:49695 version: TLS 1.2
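Two of the networking signatures above are worth reproducing outside the sandbox: the Snort match on a DNS query for the SocGholish domain, and the "TCP traffic detected without corresponding DNS query" heuristic, which flags the TLS connections to 188.138.69.102 because no DNS answer in the capture ever returned that address. The Python below is an added example, not code from Joe Sandbox, that replays DNS and TCP events in time order and raises both findings. The records are constructed to mirror the report (two lookups of the C2 name with no answer recorded, the connections to 188.138.69.102) plus an invented benign lookup that resolves to an RFC 5737 test address; the C2 domain is kept defanged as printed in the report and refanged at runtime.

```python
from dataclasses import dataclass, field

# C2 domain exactly as the Snort signature (SID 2039597) prints it in the report.
SOCGHOLISH_DOMAIN_DEFANGED = "portraits .studio-94-photography .com"


def refang(domain: str) -> str:
    """Undo the space and [.] defanging used in reports; normalise for comparison."""
    return domain.replace(" ", "").replace("[.]", ".").rstrip(".").lower()


WATCHLIST = {refang(SOCGHOLISH_DOMAIN_DEFANGED)}


@dataclass
class DnsRecord:
    ts: float
    qname: str
    answers: list[str] = field(default_factory=list)  # empty if no answer was captured


@dataclass
class TcpConnect:
    ts: float
    src: str
    dst: str
    dport: int


@dataclass
class Finding:
    ts: float
    kind: str
    detail: str


def correlate(dns: list[DnsRecord], conns: list[TcpConnect]) -> list[Finding]:
    """Replay DNS and TCP events in time order and raise two kinds of finding:
    watchlist-dns   a query for a known C2 name,
    no-dns-for-ip   a TCP connection to an address no earlier DNS answer returned
                    (hard-coded C2 addresses, or resolution done elsewhere)."""
    findings: list[Finding] = []
    resolved: dict[str, str] = {}  # ip -> name whose answer carried it
    # DNS records sort before connections at equal timestamps, so an answer is
    # credited before a connection that follows it in the same instant.
    timeline = sorted([(r.ts, 0, r) for r in dns] + [(c.ts, 1, c) for c in conns],
                      key=lambda e: (e[0], e[1]))
    for _, _, ev in timeline:
        if isinstance(ev, DnsRecord):
            name = refang(ev.qname)
            if name in WATCHLIST:
                findings.append(Finding(ev.ts, "watchlist-dns", f"lookup of {name}"))
            for ip in ev.answers:
                resolved[ip] = name
        elif ev.dst not in resolved:
            findings.append(Finding(ev.ts, "no-dns-for-ip",
                                    f"{ev.src} -> {ev.dst}:{ev.dport} with no prior DNS answer"))
    return findings


# Constructed records mirroring the report: two lookups of the SocGholish
# domain (no answer recorded, as in the report), one invented benign lookup
# that does get an answer (RFC 5737 test address), and TCP connections to
# the resolved benign host and to the report's 188.138.69.102.
SAMPLE_DNS = [
    DnsRecord(1.4, refang(SOCGHOLISH_DOMAIN_DEFANGED)),
    DnsRecord(2.0, "benign.example", ["203.0.113.10"]),
    DnsRecord(25.0, refang(SOCGHOLISH_DOMAIN_DEFANGED)),
]
SAMPLE_CONNS = [
    TcpConnect(3.0, "192.168.2.3", "203.0.113.10", 443),
    TcpConnect(10.0, "192.168.2.3", "188.138.69.102", 443),
    TcpConnect(12.0, "192.168.2.3", "188.138.69.102", 443),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_DNS, SAMPLE_CONNS):
        print(f"{f.ts:6.1f} {f.kind:14} {f.detail}")
```

The no-dns-for-ip rule needs the DNS log and the connection log from the same vantage point; a host that resolves through DoH or a proxy will trip it for every connection, so in production it is scoped to sources whose DNS is visible.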
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal56.evad.winZIP@2/0@0/11
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\alfredo\AppData\Local\Temp\Temp1_Chrom#U0435.U#U0440dat#U0435.zip\AutoUpdater.js" (2 events)
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 events)
Source: Chrom#U0435.U#U0440dat#U0435.zip | Joe Sandbox Cloud Basic: Detection: clean, Score: 2
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (4 events)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (2 events)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe | Network Connect: 188.138.69.102 443
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (the number in parentheses is the count of matching signatures; techniques without a count matched nothing):
Initial Access: Valid Accounts; Default Accounts
Execution: Scripting (1); Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts
Defense Evasion: Process Injection (11); Scripting (1)
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Information Discovery (2); Remote System Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Encrypted Channel (2); Application Layer Protocol (1)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Source: Chrom#U0435.U#U0440dat#U0435.zip | Detection: 2% | Scanner: Virustotal
No Antivirus matches
No contacted domains info
IP: 188.138.69.102 | Domain: unknown | Country: Germany | ASN: 8972 | ASN Name: GD-EMEA-DC-SXB1DE | Malicious: true
Joe Sandbox Version:36.0.0 Rainbow Opal
Analysis ID:736959
Start date and time:2022-11-03 12:34:09 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:Chrom#U0435.U#U0440dat#U0435.zip
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of analysed new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.evad.winZIP@2/0@0/11
Cookbook Comments:
  • Found application associated with file extension: .zip
  • Exclude process from analysis (whitelisted): dllhost.exe, rundll32.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 40.126.32.76, 40.126.32.68, 20.190.160.14, 40.126.32.138, 20.190.160.20, 40.126.32.74, 20.190.160.22, 40.126.32.134
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, prda.aadg.msidentity.com, login.live.com, login.msa.msidentity.com, www.tm.a.prd.aadg.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
No created / dropped files found
File type:Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):7.989712194941986
TrID:
  • ZIP compressed archive (8000/1) 100.00%
File name:Chrom#U0435.U#U0440dat#U0435.zip
File size:35984
MD5:c4971c73424f2728ef8771d8dcc5d7bc
SHA1:00636308cac7b4d8dadd2590042ff1bbeb702e43
SHA256:26106b07597873612b6cffd05d7f46564db4a2f90964c49906191bf0c8d7b180
SHA512:c7ee9f54aa268876a41bd80531f73d7ebe64b872045d575e42dd2219fd2a0f8d3d35273ee2eb71aacfa4c25f2e333e764a69c69b8b9b6c9b10f327993aa5b043
SSDEEP:768:2O4RfJ6aSiQdlwKFiPXG/fv4OnPQKvUprXo4RiixFcSinbIS3LzQS:2FRR6aSnrFiP2/fv4On1soIxWBn87S
TLSH:47F2F12C494935ACC1E32A3A527947880F96E3635433E0AF972D9D6177EB2E56C83234
File Content Preview:PK........%YcU~e.`............AutoUpdater.js...w.I.0........I%.[.. ....*$ ).5."|AB..Z.....kn...d...=...iR....mn....h....7.7...**6._uY.....Ku._U....N.......vr.*U.*g:+....o..l..Q........sVlo..Og.....s.....d./.........:...........;....+i.6..e:........8~f..0.
Icon Hash:f4ccccccccccccdc