Analysis Report view_attach_i1j.js

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 228101
Start date: 06.05.2020
Start time: 22:40:23
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: view_attach_i1j.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (Javascript)
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.evad.winJS@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Start process as user (medium integrity level)
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

Strategy    Score  Range    Reporting  Whitelisted  Detection
Threshold   48     0 - 100             false        malicious

Confidence

Strategy    Score  Range  Further Analysis Required?  Confidence
Threshold   5      0 - 5  false


Classification Spiderchart

Analysis Advice

Sample might have executed dummy code loops to delay execution; try increasing the analysis time.



Mitre Att&ck Matrix

Techniques are listed per tactic column; a number in parentheses is the count of matched signatures for that technique, and techniques without a number were not observed.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Scripting (2); Service Execution; Windows Management Instrumentation; Scheduled Task
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
Privilege Escalation: Process Injection (1); Accessibility Features; Path Interception; DLL Search Order Hijacking
Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (1); Scripting (2); Obfuscated Files or Information (1)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
Discovery: Virtualization/Sandbox Evasion (1); Process Discovery (1); Security Software Discovery (1); System Information Discovery (2)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Premium SMS Toll Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Signature Overview

Software Vulnerabilities:

JavaScript source code contains functionality to generate code involving a shell, file or stream
  • Source: view_attach_i1j.js, Return value: ['"ADODB.Stream"']
  • Source: view_attach_i1j.js, Return value: ['"ADODB.Stream"']
  • Source: view_attach_i1j.js, Return value: ['"ADODB.Stream"']

System Summary:

Abnormal high CPU Usage
  • Source: C:\Windows\System32\wscript.exe, Process Stats: CPU usage > 98%
Java / VBScript file with very long strings (likely obfuscated code)
  • Source: view_attach_i1j.js, Initial sample: Strings found which are bigger than 50
Classification label
  • Source: classification engine, Classification label: mal48.evad.winJS@1/0@0/0
Reads software policies
  • Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Uses an in-process (OLE) Automation server
  • Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Submission file is bigger than most known malware samples
  • Source: view_attach_i1j.js, Static file information: File size 3134701 > 1048576
Binary contains paths to debug symbols
  • Source: Binary string: scrrun.pdb source: wscript.exe, 00000000.00000002.1514028420.000002339B630000.00000002.00000001.sdmp
  • Source: Binary string: wscript.pdbGCTL source: wscript.exe, 00000000.00000002.1513867622.000002339B5C0000.00000002.00000001.sdmp
  • Source: Binary string: wscript.pdb source: wscript.exe, 00000000.00000002.1513867622.000002339B5C0000.00000002.00000001.sdmp
  • Source: Binary string: scrrun.pdbUGP source: wscript.exe, 00000000.00000002.1514028420.000002339B630000.00000002.00000001.sdmp

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
  • Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)
  • Source: C:\Windows\System32\wscript.exe, Window found: window name: WSH-Timer
Program does not show much activity (idle)
  • Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
  • Source: C:\Windows\System32\wscript.exe, Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
  • Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  • Source: wscript.exe, 00000000.00000002.1513566375.000002339A1B0000.00000002.00000001.sdmp, Binary or memory string: Program Manager
  • Source: wscript.exe, 00000000.00000002.1513566375.000002339A1B0000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
  • Source: wscript.exe, 00000000.00000002.1513566375.000002339A1B0000.00000002.00000001.sdmp, Binary or memory string: Progman
  • Source: wscript.exe, 00000000.00000002.1513566375.000002339A1B0000.00000002.00000001.sdmp, Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
  • Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.