Analysis Report #U5e94#U4ed8#U5e10#U5355.JS

Overview

General Information

Sample Name: #U5e94#U4ed8#U5e10#U5355.JS
Analysis ID: 339444
MD5: 8928fc2990f2c4ecb3209c4281c68612
SHA1: 409182c8b6e8f83c4841473d8a31602493129da9
SHA256: 22ad37a20a155fd94df9ac2d68eb8099eb21d24c95689b7b6a2ff28c1b67765e

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)

Classification

Startup

  • System is w10x64
  • wscript.exe (PID: 6028 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\#U5e94#U4ed8#U5e10#U5355.JS' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


There are no malicious signatures.

Source: #U5e94#U4ed8#U5e10#U5355.JS | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: clean1.winJS@1/0@0/0
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Tactic columns of the matrix, with the techniques listed in each column (the number in parentheses is the report's match count for that technique; techniques without a count had no match):

  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Scripting (2); Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: Scripting (2); Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: System Information Discovery (2); Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Data Obfuscation; Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: #U5e94#U4ed8#U5e10#U5355.JS
Detection: 4%
Scanner: Virustotal
Label: (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 339444
Start date: 14.01.2021
Start time: 03:52:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: #U5e94#U4ed8#U5e10#U5355.JS
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (Javascript)
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.winJS@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .JS
  • Stop behavior analysis, all processes terminated

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: ISO-8859 text, with very long lines, with CRLF line terminators
Entropy (8bit): 5.127302452418976
TrID:
File name: #U5e94#U4ed8#U5e10#U5355.JS
File size: 1832
MD5: 8928fc2990f2c4ecb3209c4281c68612
SHA1: 409182c8b6e8f83c4841473d8a31602493129da9
SHA256: 22ad37a20a155fd94df9ac2d68eb8099eb21d24c95689b7b6a2ff28c1b67765e
SHA512: adfeded01713d7c483de7a33baa0d8f3217c156b8014194fad95ceb3f3a96f3b4fd1961b0b2c910650f49946f998f5df84334af6e661caefba719892f04e8c2e
SSDEEP: 48:iGEH+dEFhQbeI30BTyrOk5/BWygtvGOdCktpOCKCWWco:XEIGU3/gtvNP5
File Content Preview: function pageInit()..{.. xRecordSet.New("cdsForm.cds_fp");.....ss="select *,ltrim(str(sjje,10,2)) as sjjea,ltrim(str(sjje/(1+yhsl/1000)*yhsl/1000,10,2)) as yhsea,ltrim(str(sjje/(1+yhsl/1000),10,2)) as wse,"...+" .. (select top 1 lxr from wlh where wlh.lb=

File Icon

Icon Hash: e8d69ece968a9ec4

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

System Behavior

General

Start time: 03:53:41
Start date: 14/01/2021
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\#U5e94#U4ed8#U5e10#U5355.JS'
Imagebase: 0x7ff68f930000
File size: 163840 bytes
MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis

Call Graph

Edges recovered from the rendered call graph (node labels as they appear in the report):

  • entry -> pageInit
  • pageInit -> New, ShareVar, Open, ShareVar, New, FieldValue, Open, ShareVar
  • DoTotalVisible -> Eof
  • Openyf -> New, ShareVar, Open, ShareVar
  • OnEof -> Eof
  • OnFirst -> First
  • OnNext -> Next

Script:

// xRecordSet and xScript are not defined anywhere in this file; the script
// expects them to be supplied by its hosting application, so it does nothing
// useful under a bare wscript.exe (consistent with the idle behavior above).
// "ss" is assigned without "var" and is therefore an implicit global.
function pageInit() {
  xRecordSet.New("cdsForm.cds_fp");
  // The query is built by string concatenation; fpid and dbname are read from
  // the host via xScript.ShareVar.
  ss = "select *,ltrim(str(sjje,10,2)) as sjjea,ltrim(str(sjje/(1+yhsl/1000)*yhsl/1000,10,2)) as yhsea,ltrim(str(sjje/(1+yhsl/1000),10,2)) as wse,"
     + " (select top 1 lxr from wlh where wlh.lb=cmhctdyffpwlh.lb and wlh.dm=cmhctdyffpwlh.dm) as attn, "
     + " (select top 1 tdh from tddl where tddl.ztdid=cmhctdyffpwlh.tdid) as tdha, "
     + " (case when (mdd is null or mdd='') then (case when (jhdd is null or jhdd = '' ) then xhg else jhdd end) else mdd end) as xhga "
     + " from cmhctdyffpwlh"
     + " where fpid=" + xScript.ShareVar("fpid");
  xRecordSet.Open("cdsForm.cds_fp", xScript.ShareVar("dbname"), "", ss);
  xRecordSet.New("cdsForm.cds_td");
  ss = "gettdxcxs " + xRecordSet.FieldValue("cdsForm.cds_fp.tdid");
  xRecordSet.Open("cdsForm.cds_td", xScript.ShareVar("dbname"), "", ss);
}

function DoTotalVisible() {
  if (xRecordSet.Eof("cdsForm.cds_fp") == 1)
    return "true";
  else
    return "false";
}

function Openyf() {
  xRecordSet.New("cdsForm.cds_yf");
  // The '\x04e6\xfffd\xfffd' literals are the report's rendering of a
  // non-ASCII (ISO-8859 decoded) string constant in the original file.
  ss = "select yf.*,(case when ((fymc in (select fymc from fydm)) and ((select top 1 fjmc from fydm where fydm.fymc=yf.fymc)!='')) then (select top 1 fjmc from fydm where fydm.fymc=yf.fymc) else fymc end) as fjmc,ltrim(str((yf.jg*(case when yf.ysyf='\x04e6\xfffd\xfffd' then 1 else -1 end)),12,2)) as jga,ltrim(str((yf.sjje*(case when yf.ysyf='\x04e6\xfffd\xfffd' then 1 else -1 end)),12,2)) as sjjea from yf where (fpid=" + xScript.ShareVar("fpid") + ")";
  xRecordSet.Open("cdsForm.cds_yf", xScript.ShareVar("dbname"), "", ss);
}

function OnEof(tablename) {
  return xRecordSet.Eof("cdsForm.cds_" + tablename);
}

function OnFirst(tablename) {
  xRecordSet.First("cdsForm.cds_" + tablename);
}

function OnNext(tablename) {
  xRecordSet.Next("cdsForm.cds_" + tablename);
}