Analysis Report

Overview

General Information

Joe Sandbox Version:	20.0.0
Analysis ID:	36716
Start time:	18:17:26
Joe Sandbox Product:	CloudBasic
Start date:	11.11.2017
Overall analysis duration:	0h 3m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	fly.jse
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Detection:	MAL
Classification:	mal52.evad.troj.winJSE@5/1@0/1
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
HDC Information:	Failed
Cookbook Comments:	Found application associated with file extension: .jse
Warnings:	Show All Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	52	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Signature Overview

Click to jump to signature section

Networking:

Urls found in memory or binary data

Show sources

Source: wscript.exe	String found in binary or memory: https://185.159.82.54:7500/OO/lafamilia.php?add=stayoutofmyterritory&u=1831032064&o=0&v=20&10301
Source: wscript.exe	String found in binary or memory: https://185.159.82.54:7500/OO/lafamilia.php?add=stayoutofmyterritory&u=1831032064&o=0&v=20&10301/
Source: wscript.exe	String found in binary or memory: https://185.159.82.54:7500/OO/lafamilia.php?add=stayoutofmyterritory&u=1831032064&o=0&v=20&10301H?
Source: wscript.exe	String found in binary or memory: https://185.159.82.54:7500/OO/lafamilia.php?add=stayoutofmyterritory&u=1831032064&o=0&v=20&10301z
Source: wscript.exe	String found in binary or memory: https://185.159.82.54:7500/OO/lafamilia.php?add=stayoutofmyterritory&u=1831032064&o=0&v=20&178628
Source: wscript.exe	String found in binary or memory: https://185.159.82.54:7500/OO/lafamilia.php?add=stayoutofmyterritory&u=1831032064&o=0&v=20&178628z

Detected TCP or UDP traffic on non-standard ports

Show sources

Source: global traffic

TCP traffic: 192.168.2.2:49165 -> 185.159.82.54:7500

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse

Stores files to the Windows start menu directory

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

System Summary:

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wscript.pdb source: wscript.exe
Source:	Binary string: wscript.pdbN source: wscript.exe
Source:	Binary string: scrrun.pdb source: wscript.exe

Classification label

Show sources

Source: classification engine

Classification label: mal52.evad.troj.winJSE@5/1@0/1

Creates files inside the user directory

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse

Launches a second explorer.exe instance

Show sources

Source: unknown	Process created: C:\Windows\explorer.exe
Source: unknown	Process created: C:\Windows\explorer.exe

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="0"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="220"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="296"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="332"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="340"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="380"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="424"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="432"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="440"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="548"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="616"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="664"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="788"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="816"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="848"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="920"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="956"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1156"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1204"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1264"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1420"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1432"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1744"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1000"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1772"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1400"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1636"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1624"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2856"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2952"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="3100"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="0"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="220"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="296"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="332"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="340"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="380"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="424"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="432"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="440"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="548"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="616"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="664"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="788"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="816"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="848"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="920"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="956"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1156"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1204"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1264"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1420"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1432"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1744"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1000"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1772"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1400"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1636"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1624"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2856"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2952"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="3100"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="3268"::GetOwner
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="3296"::GetOwner

Reads ini files

Show sources

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\fly.jse'
Source: unknown	Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse'

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Suspicious javascript / visual basic script found (invalid extension)

Show sources

Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\fly.jse'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse'

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: wscript.exe	Binary or memory string: Progman
Source: wscript.exe	Binary or memory string: Program Manager
Source: wscript.exe	Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for debuggers (devices)

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\wscript.exe

System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: wscript.exe	Binary or memory string: vmtoolsda
Source: wscript.exe	Binary or memory string: VBoxService
Source: wscript.exe	Binary or memory string: zvmtoolsdg

Enumerates the file system

Show sources

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\wscript.exe TID: 3136	Thread sleep time: -180000s >= -60s
Source: C:\Windows\explorer.exe TID: 3264	Thread sleep time: -60000s >= -60s
Source: C:\Windows\explorer.exe TID: 3288	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3336	Thread sleep time: -180000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe

Network Connect: 185.159.82.54 76

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Show sources

Source: wscript.exe

Binary or memory string: lordPE.exe

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

Time	Type	Description
18:17:16	API Interceptor	6x Sleep call for process: wscript.exe modified from: 60000ms to: 500ms
18:18:07	API Interceptor	2x Sleep call for process: explorer.exe modified from: 60000ms to: 500ms
18:18:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.159.82.54	Fatt.997.jse	2a25e8d76dba3aa89b2f1d6a40eab4b02788d90c040da019a2d02992da6aa0ef	malicious	Browse
185.159.82.54	pdf_fattura.n0821.jse	343a816b2c9deb38c6a59f4c16234a8d54080ca152cbc0b6c8983f92e68d7d46	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTING-SOLUTIONS-HostingSolutionLtdUS	17781.doc	ae84b2929442052d01a18d4277c5c64d2a3674fe5bb3308a1171bd671245387c	malicious	Browse	185.159.82.23
	1&1.pdf.facture.jse	224ad333eb3b27056b968c453ad007aa5a4a613730da767937c7c2511bf2b84f	malicious	Browse	185.159.82.50
	17781.doc	ae84b2929442052d01a18d4277c5c64d2a3674fe5bb3308a1171bd671245387c	malicious	Browse	185.159.82.23
	armsvc.jse	9c8661b95f8df00bc3f5f1abca172fdffc21e6816cf6e435ae936791676c96a8	malicious	Browse	185.159.82.142

Dropped Files

No context

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Signature Overview

Networking:

Boot Survival:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshot