Loading ...

Play interactive tourEdit tour

Analysis Report Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.js

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:132308
Start date:15.05.2019
Start time:23:47:24
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 1m 45s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.js
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name:without instrumentation
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.winJS@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .js
  • Stop behavior analysis, all processes terminated
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold10 - 100falseclean

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold40 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsScripting2Winlogon Helper DLLPort MonitorsScripting2Credential DumpingQuery Registry1Application Deployment SoftwareData from Local SystemData CompressedData Obfuscation
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesDLL Side-Loading1Network SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumFallback Channels
Drive-by CompromiseWindows Management InstrumentationAccessibility FeaturesPath InterceptionObfuscated Files or Information1Input CaptureQuery RegistryWindows Remote ManagementData from Network Shared DriveAutomated ExfiltrationCustom Cryptographic Protocol

Signature Overview

Click to jump to signature section


Networking:

barindex
Found strings which match to known social media urlsShow sources
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: * Copyright (c) 2013-present, Facebook, Inc. equals www.facebook.com (Facebook)
Urls found in memory or binary dataShow sources
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: http://adamwdraper.github.com/Numeral-js/
Source: wscript.exe, 00000000.00000003.4979148413.00000000058B1000.00000004.sdmpString found in binary or memory: http://aka.ms/fabric-icon-usage
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: http://fb.me/use-check-prop-types
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: http://fusejs.io)
Source: Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: http://jedwatson.github.io/classnames
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: http://kiro.me)
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: https://aka.ms/fabric-assets-license
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: https://github.com/jonschlinkert/is-extendable
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: https://github.com/jonschlinkert/is-number
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: https://github.com/jonschlinkert/isobject
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: https://github.com/jonschlinkert/object.omit
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: https://github.com/jonschlinkert/randomatic
Source: wscript.exe, 00000000.00000003.4976375298.00000000058D0000.00000004.sdmp, Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsString found in binary or memory: https://spoprod-a.akamaihd.net/files/fabric/assets/icons/

System Summary:

barindex
Java / VBScript file with very long strings (likely obfuscated code)Show sources
Source: Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5fd99fdc562505228edce2c47.jsInitial sample: Strings found which are bigger than 50
Tries to load missing DLLsShow sources
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wow64log.dllJump to behavior
Classification labelShow sources
Source: classification engineClassification label: clean1.winJS@1/0@0/0
Reads software policiesShow sources
Source: C:\Windows\SysWOW64\wscript.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Found WSH timer for Javascript or VBS script (likely evasive script)Show sources
Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior

Language, Device and Operating System Detection:

barindex
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 132308 Sample: Microsoft.Office.Smartlookup.Vendors#U007evendor_7b70c4a5... Startdate: 15/05/2019 Architecture: WINDOWS Score: 1 4 wscript.exe 2->4         started       

Simulations

Behavior and APIs

TimeTypeDescription
23:48:24API Interceptor1x Sleep call for process: wscript.exe modified

Antivirus and Machine Learning Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.