
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 36716
Start time: 18:17:26
Joe Sandbox Product: CloudBasic
Start date: 11.11.2017
Overall analysis duration: 0h 3m 44s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: fly.jse
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal52.evad.troj.winJSE@5/1@0/1
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .jse
Warnings:
  • Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy  | Score | Range   | Reporting      | Detection
Threshold | 52    | 0 - 100 | Report FP / FN | malicious


Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |


Classification

Signature Overview



Networking:

Urls found in memory or binary data
Source: wscript.exe | String found in binary or memory: https://185.159.82.54:7500/OO/lafamilia.php?add=stayoutofmyterritory&u=1831032064&o=0&v=20&10301
Source: wscript.exe | String found in binary or memory: https://185.159.82.54:7500/OO/lafamilia.php?add=stayoutofmyterritory&u=1831032064&o=0&v=20&10301/
Source: wscript.exe | String found in binary or memory: https://185.159.82.54:7500/OO/lafamilia.php?add=stayoutofmyterritory&u=1831032064&o=0&v=20&10301H?
Source: wscript.exe | String found in binary or memory: https://185.159.82.54:7500/OO/lafamilia.php?add=stayoutofmyterritory&u=1831032064&o=0&v=20&10301z
Source: wscript.exe | String found in binary or memory: https://185.159.82.54:7500/OO/lafamilia.php?add=stayoutofmyterritory&u=1831032064&o=0&v=20&178628
Source: wscript.exe | String found in binary or memory: https://185.159.82.54:7500/OO/lafamilia.php?add=stayoutofmyterritory&u=1831032064&o=0&v=20&178628z
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.2:49165 -> 185.159.82.54:7500

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse
Stores files to the Windows start menu directory
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse

Spreading:

Enumerates the file system
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

System Summary:

Binary contains paths to debug symbols
Source: Binary string: wscript.pdb | source: wscript.exe
Source: Binary string: wscript.pdbN | source: wscript.exe
Source: Binary string: scrrun.pdb | source: wscript.exe
Classification label
Source: classification engine | Classification label: mal52.evad.troj.winJSE@5/1@0/1
Creates files inside the user directory
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="0"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="220"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="296"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="332"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="340"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="380"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="424"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="432"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="440"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="548"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="616"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="664"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="788"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="816"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="848"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="920"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="956"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1156"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1204"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1264"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1420"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1432"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1744"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1000"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1772"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1400"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1636"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1624"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2856"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2952"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="3100"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecQuery - Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="0"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="4"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="220"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="296"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="332"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="340"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="380"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="424"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="432"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="440"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="548"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="616"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="664"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="788"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="816"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="848"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="920"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="956"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1156"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1204"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1264"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1420"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1432"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1744"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1000"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1772"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1400"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1636"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="1624"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2856"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="2952"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="3100"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="3268"::GetOwner
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process.Handle="3296"::GetOwner
Reads ini files
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\fly.jse'
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse'
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Suspicious javascript / visual basic script found (invalid extension)
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\fly.jse'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse'

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: wscript.exe | Binary or memory string: Progman
Source: wscript.exe | Binary or memory string: Program Manager
Source: wscript.exe | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\wscript.exe | System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: wscript.exe | Binary or memory string: vmtoolsda
Source: wscript.exe | Binary or memory string: VBoxService
Source: wscript.exe | Binary or memory string: zvmtoolsdg
Enumerates the file system
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 3136 | Thread sleep time: -180000s >= -60s
Source: C:\Windows\explorer.exe TID: 3264 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\explorer.exe TID: 3288 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\wscript.exe TID: 3336 | Thread sleep time: -180000s >= -60s

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe | Network Connect: 185.159.82.54 76

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe | Binary or memory string: lordPE.exe

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 36716 | Sample: fly.jse | Start date: 11/11/2017 | Architecture: WINDOWS | Score: 52

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious

Graph content (recovered from the rendered graph image):
  • main started wscript.exe (1), explorer.exe (2) and explorer.exe (3); explorer.exe (3) started wscript.exe (4)
  • wscript.exe (1) connected to 185.159.82.54, port 7500 (HOSTING-SOLUTIONS-HostingSolutionLtdUS, Netherlands)
  • Signature "System process connects to network (likely due to code injection or exploit)" attached to wscript.exe (1) and wscript.exe (4)
  • Signature "Detected TCP or UDP traffic on non-standard ports" attached to the 185.159.82.54 node
  • Signature "Suspicious javascript / visual basic script found (invalid extension)" attached to explorer.exe (2) and explorer.exe (3)

Simulations

Behavior and APIs

Time     | Type            | Description
18:17:16 | API Interceptor | 6x Sleep call for process: wscript.exe modified from: 60000ms to: 500ms
18:18:07 | API Interceptor | 2x Sleep call for process: explorer.exe modified from: 60000ms to: 500ms
18:18:07 | Autostart       | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fly.jse

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match         | Associated Sample Name / URL | SHA 256                                                          | Detection | Link   | Context
185.159.82.54 | Fatt.997.jse                 | 2a25e8d76dba3aa89b2f1d6a40eab4b02788d90c040da019a2d02992da6aa0ef | malicious | Browse |
185.159.82.54 | pdf_fattura.n0821.jse        | 343a816b2c9deb38c6a59f4c16234a8d54080ca152cbc0b6c8983f92e68d7d46 | malicious | Browse |

Domains

No context

ASN

Match                                   | Associated Sample Name / URL | SHA 256                                                          | Detection | Link   | Context
HOSTING-SOLUTIONS-HostingSolutionLtdUS  | 17781.doc                    | ae84b2929442052d01a18d4277c5c64d2a3674fe5bb3308a1171bd671245387c | malicious | Browse | 185.159.82.23
HOSTING-SOLUTIONS-HostingSolutionLtdUS  | 1&1.pdf.facture.jse          | 224ad333eb3b27056b968c453ad007aa5a4a613730da767937c7c2511bf2b84f | malicious | Browse | 185.159.82.50
HOSTING-SOLUTIONS-HostingSolutionLtdUS  | 17781.doc                    | ae84b2929442052d01a18d4277c5c64d2a3674fe5bb3308a1171bd671245387c | malicious | Browse | 185.159.82.23
HOSTING-SOLUTIONS-HostingSolutionLtdUS  | armsvc.jse                   | 9c8661b95f8df00bc3f5f1abca172fdffc21e6816cf6e435ae936791676c96a8 | malicious | Browse | 185.159.82.142

Dropped Files

No context

Screenshot