Loading ...

Analysis Report 02_Excel Basic.docx_

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:109772
Start date:11.02.2019
Start time:17:44:59
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 27s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:02_Excel Basic.docx_ (renamed file extension from docx_ to js)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.winJS@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
Warnings:
Show All
  • Exclude process from analysis (whitelisted): wermgr.exe, MusNotifyIcon.exe, conhost.exe, CompatTelRunner.exe, svchost.exe

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold560 - 100Report FP / FNfalsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsScripting1Winlogon Helper DLLPort MonitorsScripting1Credential DumpingSystem Service DiscoveryApplication Deployment SoftwareData from Local SystemData CompressedData Obfuscation
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesObfuscated Files or Information1Network SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumFallback Channels

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for submitted fileShow sources
Source: 02_Excel Basi.jsAvira: Label: HTML/ExpKit.Gen2
Multi AV Scanner detection for submitted fileShow sources
Source: 02_Excel Basi.jsvirustotal: Detection: 26%Perma Link

System Summary:

barindex
Java / VBScript file with very long strings (likely obfuscated code)Show sources
Source: 02_Excel Basi.jsInitial sample: Strings found which are bigger than 50
Tries to load missing DLLsShow sources
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64log.dllJump to behavior
Classification labelShow sources
Source: classification engineClassification label: mal56.winJS@1/0@0/0
Reads software policiesShow sources
Source: C:\Windows\SysWOW64\wscript.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample is known by AntivirusShow sources
Source: 02_Excel Basi.jsvirustotal: Detection: 26%
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
Submission file is bigger than most known malware samplesShow sources
Source: 02_Excel Basi.jsStatic file information: File size 3632060 > 1048576

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Found WSH timer for Javascript or VBS script (likely evasive script)Show sources
Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior

Language, Device and Operating System Detection:

barindex
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 109772 Sample: 02_Excel Basic.docx_ Startdate: 11/02/2019 Architecture: WINDOWS Score: 56 7 Antivirus detection for submitted file 2->7 9 Multi AV Scanner detection for submitted file 2->9 5 wscript.exe 2->5         started        process3

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
02_Excel Basi.js27%virustotalBrowse
02_Excel Basi.js100%AviraHTML/ExpKit.Gen2

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.