Loading ...

Analysis Report http://trafficapi.nl/static/main.js

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:123504
Start date:15.04.2019
Start time:21:31:42
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 53s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:http://trafficapi.nl/static/main.js
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.win@5/9@1/1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
Show All
  • Exclude process from analysis (whitelisted): ielowutil.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold480 - 100falsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsExploitation for Client Execution1Winlogon Helper DLLProcess Injection1Process Injection1Credential DumpingSystem Service DiscoveryApplication Deployment SoftwareData from Local SystemData CompressedStandard Non-Application Layer Protocol3
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesBinary PaddingNetwork SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol3

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Multi AV Scanner detection for domain / URLShow sources
Source: http://trafficapi.nl/static/main.jsvirustotal: Detection: 9%Perma Link
Source: trafficapi.nlvirustotal: Detection: 7%Perma Link
Source: http://trafficapi.nl/static/main.jsvirustotal: Detection: 9%Perma Link

Software Vulnerabilities:

barindex
Potential browser exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Windows\System32\wscript.exeJump to behavior

Networking:

barindex
Downloads compressed data via HTTPShow sources
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 15 Apr 2019 19:32:35 GMTServer: Apache/2.4.18 (Ubuntu)Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 1253Connection: closeContent-Type: application/javascriptData Raw: 1f 8b 08 00 00 00 00 00 00 03 95 57 6d 6f db 36 10 fe 6c ff 0a 46 1f 6c 0a 51 64 a7 eb 86 c1 9e 3a 04 ed b6 64 48 90 a2 f6 80 ae 81 3f 28 12 6d 2b b6 48 8d a2 ea 04 86 fe fb ee 28 51 a6 fc 12 a4 86 91 88 e4 bd 3e cf dd 51 ee d2 79 c1 23 95 08 4e dd 6d d7 3c 93 84 27 ea eb dd ed 52 a9 8c ba 64 db ed 12 f8 7c 0f 25 79 4e d7 b8 39 d6 1b c9 9c d0 4d c2 63 b1 f1 41 f8 1a f6 bf b0 ff 0a 96 2b 54 21 f5 a7 d6 20 01 e1 6c 43 da 72 d4 ad 0c 95 84 ad 73 56 2b 9d d0 bc 82 c8 be b3 af f7 8f 4f 2c 52 d4 b9 4b 22 29 72 31 57 da f5 74 fa d9 31 b6 aa 60 25 53 85 e4 bb 78 61 bb c9 2e 4d f8 d5 53 f8 4c 23 c1 e7 c9 42 e7 d7 e4 73 56 6d fa 85 5c db 59 54 e6 c6 5d db 85 2d ae 5e 32 f6 23 f2 29 53 4b 11 db 1a ad 03 c8 59 c9 82 35 19 1d e8 c7 ec b1 58 dc 8a c5 11 0b e6 08 6c cc 43 80 b5 05 0b 72 98 33 1e 4f 94 4c 38
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /static/main.js HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: trafficapi.nlConnection: Keep-Alive
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: trafficapi.nl
Urls found in memory or binary dataShow sources
Source: wscript.exe, main.js.uzisgyd.partial.3.drString found in binary or memory: http://hashtag.connectioncdn.com/f
Source: wscript.exeString found in binary or memory: http://www.validationtest.contoso.com/test%d.html

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: mal48.win@5/9@1/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user~1\AppData\Local\Temp\~DFFA248999E02501CE.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample might require command line arguments (.Net)Show sources
Source: wscript.exeString found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2472 CREDAT:17410 /prefetch:2
Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\main.js'
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2472 CREDAT:17410 /prefetch:2Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\I9HE86MU\main.js' Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: MpOAV.pdb source: wscript.exe
Source: Binary string: wscript.pdb source: wscript.exe

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Found WSH timer for Javascript or VBS script (likely evasive script)Show sources
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: wscript.exeBinary or memory string: Shell_TrayWnd
Source: wscript.exeBinary or memory string: Progman
Source: wscript.exeBinary or memory string: "Program Manager"

Language, Device and Operating System Detection:

barindex
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 123504 URL: http://trafficapi.nl/static/main.js Startdate: 15/04/2019 Architecture: WINDOWS Score: 48 15 Multi AV Scanner detection for domain / URL 2->15 6 iexplore.exe 8 65 2->6         started        process3 process4 8 iexplore.exe 27 6->8         started        11 wscript.exe 6->11         started        dnsIp5 13 trafficapi.nl 209.126.103.59, 49832, 49833, 80 unknown United States 8->13

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
http://trafficapi.nl/static/main.js9%virustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
trafficapi.nl7%virustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://hashtag.connectioncdn.com/f0%virustotalBrowse
http://hashtag.connectioncdn.com/f0%Avira URL Cloudsafe
http://trafficapi.nl/static/main.js9%virustotalBrowse
http://trafficapi.nl/static/main.js0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.