Windows Analysis Report config_xml.js

Overview

General Information

Sample Name: config_xml.js
Analysis ID: 491729
MD5: 21ec939eb873eda0ac91bf0c4dbb2a6e
SHA1: 4b88725c8b4f09edccf7cc70557c26c6a5d34ccf
SHA256: cc6f27e54cac322380736bc5c7153a4ac07ce4466f69e06d780dba9e8b27a2b8

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Program does not show much activity (idle)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Java / VBScript file with very long strings (likely obfuscated code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Source: wscript.exe, 00000000.00000003.243677857.0000023FA0B63000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.244089604.0000023FA0B05000.00000004.00000040.sdmp, config_xml.js String found in binary or memory: http://www.techsmith.com/xmp/tsc/
Source: wscript.exe, 00000000.00000002.244089604.0000023FA0B05000.00000004.00000040.sdmp String found in binary or memory: http://www.techsmith.com/xmp/tscHS/
Source: wscript.exe, 00000000.00000002.244089604.0000023FA0B05000.00000004.00000040.sdmp String found in binary or memory: http://www.techsmith.com/xmp/tscIQ/

System Summary:

Java / VBScript file with very long strings (likely obfuscated code)
Source: config_xml.js Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: clean2.winJS@1/0@0/0

Data Obfuscation:

JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Source: config_xml.js String: entropy: 5.36, length: 5551, content: '<x:xmpmeta tsc:version="2.0.1" xmlns:x="adobe:ns:meta/" xmlns:tsc="http://www.techsmith.com/xmp/tsc
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer

Anti Debugging:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

No contacted IP infos