Loading ...

Play interactive tourEdit tour

Analysis Report https://click.clickanalytics208.com/s_code.js?cid=240&v=73a55f6de3dee2a751c3

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:173086
Start date:11.09.2019
Start time:20:30:40
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 26s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:https://click.clickanalytics208.com/s_code.js?cid=240&v=73a55f6de3dee2a751c3
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.win@5/9@1/1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
Show All
  • Exclude process from analysis (whitelisted): ielowutil.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 104.103.90.39, 152.199.19.161, 205.185.216.10, 205.185.216.42, 93.184.221.240, 67.27.151.254, 67.27.154.126, 67.27.155.126, 8.253.208.121, 8.253.208.112
  • Excluded domains from analysis (whitelisted): ie9comview.vo.msecnd.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu.azureedge.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, cs9.wpc.v0cdn.net
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold480 - 100falsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsScripting1Winlogon Helper DLLProcess Injection1Process Injection1Credential DumpingQuery Registry1Application Deployment SoftwareData from Local SystemData Encrypted1Standard Cryptographic Protocol2
Replication Through Removable MediaExploitation for Client Execution1Port MonitorsAccessibility FeaturesScripting1Network SniffingProcess Discovery1Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Non-Application Layer Protocol2
Drive-by CompromiseWindows Management InstrumentationAccessibility FeaturesPath InterceptionRootkitInput CaptureFile and Directory Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Application Layer Protocol2

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Multi AV Scanner detection for domain / URLShow sources
Source: click.clickanalytics208.comVirustotal: Detection: 8%Perma Link

Software Vulnerabilities:

barindex
Potential browser exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Windows\System32\wscript.exeJump to behavior

Networking:

barindex
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: click.clickanalytics208.com
Urls found in memory or binary dataShow sources
Source: wscript.exeString found in binary or memory: http://www.validationtest.contoso.com/test%d.html
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: mal48.win@5/9@1/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user~1\AppData\Local\Temp\LowJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample might require command line argumentsShow sources
Source: wscript.exeString found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3032 CREDAT:17410 /prefetch:2
Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LTYLVBDO\s_code.js'
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3032 CREDAT:17410 /prefetch:2Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\LTYLVBDO\s_code.js' Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: MpOAV.pdb source: wscript.exe
Source: Binary string: wscript.pdb source: wscript.exe

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Found WSH timer for Javascript or VBS script (likely evasive script)Show sources
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: wscript.exeBinary or memory string: Shell_TrayWnd
Source: wscript.exeBinary or memory string: Progman
Source: wscript.exeBinary or memory string: "Program Manager"

Language, Device and Operating System Detection:

barindex
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 173086 URL: https://click.clickanalytic... Startdate: 11/09/2019 Architecture: WINDOWS Score: 48 15 Multi AV Scanner detection for domain / URL 2->15 6 iexplore.exe 12 66 2->6         started        process3 process4 8 iexplore.exe 27 6->8         started        11 wscript.exe 6->11         started        dnsIp5 13 click.clickanalytics208.com 81.4.122.101, 443, 49745, 49746 unknown Netherlands 8->13

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
click.clickanalytics208.com8%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://www.validationtest.contoso.com/test%d.html0%VirustotalBrowse
http://www.validationtest.contoso.com/test%d.html0%Avira URL Cloudsafe
http://www.validationtest.contoso.com/test%d.html0%Google Safe Browsingsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.