Loading ...

Play interactive tourEdit tour

Analysis Report aria-web-telemetry_61706856e3e3739d63f6a39a713dc3c3.js

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:132304
Start date:15.05.2019
Start time:23:37:29
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 1m 44s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:aria-web-telemetry_61706856e3e3739d63f6a39a713dc3c3.js
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (Javascript)
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.winJS@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .js
  • Stop behavior analysis, all processes terminated
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold10 - 100falseclean

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold40 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsScripting2Winlogon Helper DLLPort MonitorsScripting2Credential DumpingQuery Registry1Application Deployment SoftwareData from Local SystemData CompressedData Obfuscation
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesDLL Side-Loading1Network SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumFallback Channels
Drive-by CompromiseWindows Management InstrumentationAccessibility FeaturesPath InterceptionObfuscated Files or Information1Input CaptureQuery RegistryWindows Remote ManagementData from Network Shared DriveAutomated ExfiltrationCustom Cryptographic Protocol

Signature Overview

Click to jump to signature section


System Summary:

barindex
Java / VBScript file with very long strings (likely obfuscated code)Show sources
Source: aria-web-telemetry_61706856e3e3739d63f6a39a713dc3c3.jsInitial sample: Strings found which are bigger than 50
Tries to load missing DLLsShow sources
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64log.dllJump to behavior
Classification labelShow sources
Source: classification engineClassification label: clean1.winJS@1/0@0/0
Reads software policiesShow sources
Source: C:\Windows\SysWOW64\wscript.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Found WSH timer for Javascript or VBS script (likely evasive script)Show sources
Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior

Language, Device and Operating System Detection:

barindex
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 132304 Sample: aria-web-telemetry_61706856e3e3739d63f6a39a713dc3c3.js Startdate: 15/05/2019 Architecture: WINDOWS Score: 1 4 wscript.exe 2->4         started       

Simulations

Behavior and APIs

No simulations

Antivirus and Machine Learning Detection

Initial Sample

SourceDetectionScannerLabelLink
aria-web-telemetry_61706856e3e3739d63f6a39a713dc3c3.js0%virustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand

Startup

  • System is w10x64
  • wscript.exe (PID: 4916 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\aria-web-telemetry_61706856e3e3739d63f6a39a713dc3c3.js' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:ASCII text, with very long lines, with no line terminators
Entropy (8bit):5.402309029666371
TrID:
  • Java Script (6500/0) 65.00%
  • Java Script embedded in Visual Basic Script (3500/0) 35.00%
File name:aria-web-telemetry_61706856e3e3739d63f6a39a713dc3c3.js
File size:43452
MD5:ab160cbc15a05701d835200e65385636
SHA1:ea957163097f8dfc315693f9f3e85529477a5652
SHA256:4b01583f47575a9b732d2cb98e019066e540f653cae5db198fb45e19b9e3a860
SHA512:311fd6d1282541b8770bed123a4c1e719ca35dc637f61595d5815c67bdf1d7091a685a23ed6a4d34a4e3c66820f03962d5e6cd8d7c2b206d682395284b30f251
SSDEEP:768:Oms2CBhppkzGfU/9TEShO8a32JtFhreFFpu+ejL8mrKrWKvBvNqyJNH8ERCheyY:xCBhpnfUFTEShO8xDqZOhdY
File Content Preview:!function(e,t){if("object"==typeof exports&&"object"==typeof module)module.exports=t();else{var i=t();for(var n in i)("object"==typeof exports?exports:e)[n]=i[n]}}(this,function(){return function(e){function t(n){if(i[n])return i[n].exports;var r=i[n]={i:

File Icon

Icon Hash:e8d69ece968a9ec4

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior