Windows Analysis Report
deobvuscted.js

Overview

General Information

Sample name: deobvuscted.js
Analysis ID: 1426985
MD5: f27654bf029399ff659c3d5003acd8c2
SHA1: 72f3a9b1d7513577723ccc9211bbe907a6c38297
SHA256: 9dfc38f8f103624e6a3a5dad86d370ff9f58f2f48447002f15c8d6f3b5941f58
Infos:

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found potential dummy code loops (likely to delay analysis)
JavaScript source code contains call to eval() to check own source code (likely for evading instrumentation)
Sigma detected: WScript or CScript Dropper
Abnormal high CPU Usage
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

Abnormal high CPU Usage
Source: C:\Windows\System32\wscript.exe Process Stats: CPU usage > 49%
Java / VBScript file with very long strings (likely obfuscated code)
Source: deobvuscted.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal52.evad.winJS@1/0@0/0
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
JavaScript source code contains call to eval() to check own source code (likely for evading instrumentation)
Source: deobvuscted.js Check function source code vs Regexp: /\w+ *\(\) *{\w+ *['|"].+['|"];? *}/.test("function () { jbxlog ( [ "exec", 17764 ], [ "f", "" ] ) ; return "newState"; }")
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging
barindex
Found potential dummy code loops (likely to delay analysis)
Source: C:\Windows\System32\wscript.exe Process Stats: CPU usage > 42% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1426985 Sample: deobvuscted.js Startdate: 16/04/2024 Architecture: WINDOWS Score: 52 8 Sigma detected: WScript or CScript Dropper 2->8 10 JavaScript source code contains call to eval() to check own source code (likely for evading instrumentation) 2->10 5 wscript.exe 2->5         started        process3 signatures4 12 Found potential dummy code loops (likely to delay analysis) 5->12
No contacted IP infos