Loading ...

Play interactive tourEdit tour

Analysis Report office_strings_176f6558dbb440f26decec866f7cb844.js

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:132303
Start date:15.05.2019
Start time:23:37:23
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 1m 43s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:office_strings_176f6558dbb440f26decec866f7cb844.js
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (Javascript)
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.winJS@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .js
  • Stop behavior analysis, all processes terminated
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold10 - 100falseclean

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold40 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsScripting2Winlogon Helper DLLPort MonitorsScripting2Credential DumpingQuery Registry1Application Deployment SoftwareData from Local SystemData CompressedData Obfuscation
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesDLL Side-Loading1Network SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumFallback Channels
Drive-by CompromiseWindows Management InstrumentationAccessibility FeaturesPath InterceptionObfuscated Files or Information1Input CaptureQuery RegistryWindows Remote ManagementData from Network Shared DriveAutomated ExfiltrationCustom Cryptographic Protocol

Signature Overview

Click to jump to signature section


System Summary:

barindex
Java / VBScript file with very long strings (likely obfuscated code)Show sources
Source: office_strings_176f6558dbb440f26decec866f7cb844.jsInitial sample: Strings found which are bigger than 50
Tries to load missing DLLsShow sources
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64log.dllJump to behavior
Classification labelShow sources
Source: classification engineClassification label: clean1.winJS@1/0@0/0
Reads software policiesShow sources
Source: C:\Windows\SysWOW64\wscript.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
This is likely a benign javascript web libraryShow sources
Source: C:\Windows\SysWOW64\wscript.exeWindow detected: OKScript:C:\Users\user\Desktop\office_strings_176f6558dbb440f26decec866f7cb844.jsLine:119Char:3Error:'window' is undefinedCode:800A1391Source: Microsoft JScript runtime error

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Found WSH timer for Javascript or VBS script (likely evasive script)Show sources
Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior

Language, Device and Operating System Detection:

barindex
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 132303 Sample: office_strings_176f6558dbb440f26decec866f7cb844.js Startdate: 15/05/2019 Architecture: WINDOWS Score: 1 4 wscript.exe 2->4         started       

Simulations

Behavior and APIs

TimeTypeDescription
23:38:20API Interceptor1x Sleep call for process: wscript.exe modified

Antivirus and Machine Learning Detection

Initial Sample

SourceDetectionScannerLabelLink
office_strings_176f6558dbb440f26decec866f7cb844.js0%virustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Startup

  • System is w10x64
  • wscript.exe (PID: 2976 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\office_strings_176f6558dbb440f26decec866f7cb844.js' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):4.955925390354034
TrID:
  • Java Script (4500/0) 52.93%
  • Digital Micrograph Script (4001/1) 47.07%
File name:office_strings_176f6558dbb440f26decec866f7cb844.js
File size:18566
MD5:9ea4d01e23e7e6636e497284a521f224
SHA1:43732c7947f4feaf58e6402668e118f686768819
SHA256:77c7a89d3e1baf935879f0df362c7eccb62b6a1be77b76b29d17cf5f40f71794
SHA512:abae6a1dad6578bf81ac4faaf328235eacc8cc7e3e7791c3205d7c547e5d81628c13f55e9b42bc0f568ce8bf6ea8f69516696f703e637d479cdce01e9765dea6
SSDEEP:384:MsZKKvPj+Ua6rLgmdHX1wdRYtcvQzsljReG:hZNj+h6rLgIhtcvjhReG
File Content Preview:/* Version: 16.0.10827.10000 */....if (window.Type && window.Type.registerNamespace) {..Type.registerNamespace("Strings");} else {..if(typeof(window['"Strings"']) == 'undefined') {..window['"Strings"'] = new Object(); window['"Strings"']. __namespace = tr

File Icon

Icon Hash:e8d69ece968a9ec4

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

General

Start time:23:38:20
Start date:15/05/2019
Path:C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\office_strings_176f6558dbb440f26decec866f7cb844.js'
Imagebase:0x980000
File size:147456 bytes
MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high