Analysis Report COVID_19_Test_Result_Doctor_Note.js

Overview

General Information

Sample Name: COVID_19_Test_Result_Doctor_Note.js
Analysis ID: 365159
MD5: 0bca3422ec870f28791d61a4fa25367f
SHA1: 36352478af11cdd59c55b8ef8ecf2cfacb2dcaaa
SHA256: 7703889f1b2c6fd8a1fe0abc4a8b6a409d4e6eabe5943c4a5261dfc68fb973f6

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found potential dummy code loops (likely to delay analysis)
JavaScript source code contains call to eval() to check own source code (likely for evading instrumentation)
Potential obfuscated javascript found
Abnormal high CPU Usage
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)

Classification

System Summary:

Abnormal high CPU Usage
Source: C:\Windows\System32\wscript.exe Process Stats: CPU usage > 98%
Java / VBScript file with very long strings (likely obfuscated code)
Source: COVID_19_Test_Result_Doctor_Note.js Initial sample: Strings found which are bigger than 50
Source: classification engine Classification label: mal52.evad.winJS@1/0@0/0
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Data Obfuscation:

Potential obfuscated javascript found
Source: COVID_19_Test_Result_Doctor_Note.js Initial file: High amount of function use 25
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

JavaScript source code contains call to eval() to check own source code (likely for evading instrumentation)
Source: COVID_19_Test_Result_Doctor_Note.js Check function source code vs Regexp: /\w+ *\(\) *{\w+ *['|"].+['|"];? *}/.test("function () { jbxlog ( [ "exec", 348 ], [ "f", "" ] ) ; return 'newState'; }")
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Windows\System32\wscript.exe Process Stats: CPU usage > 90% for more than 60s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Behavior Graph

(Graph image not preserved; recoverable details follow.)

Behavior Graph ID: 365159
Sample: COVID_19_Test_Result_Doctor...
Startdate: 09/03/2021
Architecture: WINDOWS
Score: 52
Process started: wscript.exe
Signatures attached to the sample node: Potential obfuscated javascript found; JavaScript source code contains call to eval() to check own source code (likely for evading instrumentation)
Signatures attached to the wscript.exe node: Found potential dummy code loops (likely to delay analysis)
No contacted IP infos