Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 32853
Start time: 18:24:57
Joe Sandbox Product: CloudBasic
Start date: 27.09.2017
Overall analysis duration: 0h 1m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: mal.js
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AIS enabled
Detection: CLEAN
Classification: clean2.winJS@1/0@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .js
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe


Detection

Strategy   Score  Range    Reporting       Detection
Threshold  2      0 - 100  Report FP / FN  clean


Confidence

Strategy   Score  Range  Further Analysis Required?
Threshold  5      0 - 5  false


Classification

Signature Overview

Networking:

Urls found in memory or binary data
  • Source: wscript.exe, mal.js | String found in binary or memory: http://moroplinghaptan.info/eroorrrs
  • Source: wscript.exe | String found in binary or memory: http://moroplinghaptan.info/eroorrrsb

System Summary:

Classification label
  • Source: classification engine | Classification label: clean2.winJS@1/0@0/0
Reads software policies
  • Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Uses an in-process (OLE) Automation server
  • Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Java / VBScript file with very long strings (likely obfuscated code)
  • Source: mal.js | Initial sample: Strings found which are bigger than 50

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  • Source: C:\Windows\System32\wscript.exe | System information queried: KernelDebuggerInformation
Program does not show much activity (idle)
  • Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)
  • Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
May sleep (evasive loops) to hinder dynamic analysis
  • Source: C:\Windows\System32\wscript.exe TID: 3128 | Thread sleep time: -60000s >= -60s
Program does not show much activity (idle)
  • Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  • Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
  • Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Simulations

Behavior and APIs

Time      Type             Description
18:25:16  API Interceptor  1x Sleep call for process: wscript.exe modified from: 60000ms to: 500ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Startup

  • system is w7
  • wscript.exe (PID: 3068 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\mal.js' MD5: 979D74799EA6C8B8167869A68DF5204A)
  • cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type: ASCII text, with very long lines, with no line terminators
TrID:
  • Visual Basic Script (6000/0) 60.00%
  • Java Script embedded in Visual Basic Script (2000/0) 20.00%
  • Java Script (2000/0) 20.00%
File name: mal.js
File size: 12785
MD5: 55499faa58eff7df21c743165b08818d
SHA1: 9bef9f18158fa0468ea1f5f09ff8793740e6810d
SHA256: 6130e3ae0ab3f45fa3cb07745df4a57268036f0d44b64b8155332b36629d0d6e
SHA512: f047b964f6051c753a0e711ab711233fa7fbca0965080119897058c134b28a6d03520e4b43b9a7ab2e3b1996fe6dbc969594b2a2b23e8b74ed3e8c9597b7227e
File Content Preview: var wtHCTXBiNQWAbLgZxsPCsvcODxAFltACnmkXXRJheHZnjOhXSutDdzmeRaLCBwPwbJotxPdGJjUFkTOlirqldCNBhJhoAIrYfbFpyCKfwOVGVoXezOdXtPOCEKgfLqOWWetswKjtCEzUjcGbDUzHAFQIkyxXvaxkRRBlOzeheslqFxTfz = [];var ZflLnmxVddzPcnzqchnWgzPzyHWQNDOtRcUQrkFhxYKoBjfTbTntdICLXEpxnnfg

File Icon

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

System Behavior

General

Start time: 18:25:16
Start date: 27/09/2017
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\mal.js'
Imagebase: 0x75340000
File size: 141824 bytes
MD5 hash: 979D74799EA6C8B8167869A68DF5204A
Programmed in: C, C++ or other language

Disassembly

Code Analysis