File name:

Updаte.js

Full analysis: https://app.any.run/tasks/c2b2daa6-068d-4676-9015-580284ab484b
Verdict: Malicious activity
Analysis date: February 03, 2025, 12:02:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
socgholish
Indicators:
MIME: application/javascript
File info: JavaScript source, ASCII text, with very long lines (4318), with no line terminators
MD5:

BB9D2571BC271776846DAF6D56ACEBDD

SHA1:

43858A1787E573C0FFA3C9C9C6FCA3E5FF3463B6

SHA256:

D258936EB4CE610A7D079DE16850758B065EEBAD7D1116198749B37641AB0D79

SSDEEP:

96:7kaHl97HmJwtKBlqRltYCwQ443lYpSFql6nzTH3uBKD7:w6Xt/yCwQ4410AqATXIKX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 6568)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 6568)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 6568)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 6568)

    • Connects to the CnC server

      • svchost.exe (PID: 2192)
      • wscript.exe (PID: 6568)

    • SOCGHOLISH has been detected (SURICATA)

      • svchost.exe (PID: 2192)
      • wscript.exe (PID: 6568)

  • SUSPICIOUS

    • Adds, changes, or deletes HTTP request header (SCRIPT)

      • wscript.exe (PID: 6568)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2192)
      • wscript.exe (PID: 6568)

  • INFO

    • Checks proxy server information

      • wscript.exe (PID: 6568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #SOCGHOLISH wscript.exe #SOCGHOLISH svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6568"C:\Windows\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\Updаte.jsC:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
927
Read events
923
Write events
4
Delete events
0

Modification events

(PID) Process:(6568) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6568) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6568) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(6568) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:writeName:JScriptSetScriptStateStarted
Value:
DD9F130000000000
Executable files
0
Suspicious files
6
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6568wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25binary
MD5:3A9B939F0E34A54F75558F59CB3C5892
SHA256:E7C8E4B205C904C4BA624E0869045CEDBE322968F998E2C0F94820E740532D57
6568wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19binary
MD5:DF46323488AD0A75BBA579C75F54C12C
SHA256:18DE253A4F50126ACCB3B64C08222C7ACF6B8B2407FAE080611D681E43E8DF7E
6568wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\441E177CD26715B62262568C2D07A085binary
MD5:F73852B3C7A1D3B49A97C09DBED1BBD7
SHA256:E3CF2B52B5EB73D29B121F11E782AF70971308B581635E0C8A942CF07E0C61A0
6568wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25binary
MD5:CDB421DDA891B855376DDDC756F98254
SHA256:1E4CDB7E2D188B7440057FCE98E4E564CE792FF47CDA86E4941EF2717DBD4BD8
6568wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19binary
MD5:C0CA5677E9BB78FC863E62144B0955EF
SHA256:711E48C0D0CDAA894A58063286181B33F761D91BD75F5A69185E0C1CEBD3206D
6568wscript.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\441E177CD26715B62262568C2D07A085binary
MD5:FAEC7FC02241D06FE7D79CE2DAC6D2EB
SHA256:073C1B4520CA58F33B49E861BB9F248F074305C89A114124931E054C66A067E2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
32
DNS requests
16
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6568
wscript.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D
unknown
whitelisted
6568
wscript.exe
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCECO3bePBuysaUZYeCOq3ZOg%3D
unknown
whitelisted
6568
wscript.exe
GET
200
104.18.38.233:80
http://zerossl.ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQzH%2F4%2F%2FQuEFihPlI1WwH4Dktj2TQQUD2vmS845R672fpAeefAwkZLIX6MCEQCgHiGW1%2B2C4SLLetMc8z3H
unknown
whitelisted
6468
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6272
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6272
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6072
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1864
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1176
svchost.exe
20.190.160.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
2.23.77.188:80
AKAMAI-AS
DE
unknown
6568
wscript.exe
45.76.228.18:443
cpanel.buyjlindustriesonline.com
AS-CHOOPA
US
malicious
6568
wscript.exe
104.18.38.233:80
ocsp.comodoca.com
CLOUDFLARENET
whitelisted
1076
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.160.67
  • 40.126.32.68
  • 20.190.160.128
  • 20.190.160.3
  • 20.190.160.17
  • 40.126.32.76
  • 40.126.32.136
  • 20.190.160.2
whitelisted
cpanel.buyjlindustriesonline.com
  • 45.76.228.18
malicious
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
ocsp.usertrust.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
zerossl.ocsp.sectigo.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE SocGholish CnC Domain in DNS Lookup (cpanel .buyjlindustriesonline .com)
6568
wscript.exe
Domain Observed Used for C2 Detected
ET MALWARE SocGholish CnC Domain in TLS SNI (cpanel .buyjlindustriesonline .com)
6568
wscript.exe
Misc activity
ET INFO Observed ZeroSSL SSL/TLS Certificate
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Updаte.js