Play interactive tour

Edit tour

Windows Analysis Report config_xml.js

Overview

General Information

Sample Name:	config_xml.js
Analysis ID:	491729
MD5:	21ec939eb873eda0ac91bf0c4dbb2a6e
SHA1:	4b88725c8b4f09edccf7cc70557c26c6a5d34ccf
SHA256:	cc6f27e54cac322380736bc5c7153a4ac07ce4466f69e06d780dba9e8b27a2b8
Infos:
Most interesting Screenshot:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Program does not show much activity (idle)

JavaScript source code contains large arrays or strings with random content potentially encoding malicious code

Java / VBScript file with very long strings (likely obfuscated code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 5252 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\config_xml.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: wscript.exe, 00000000.00000003.243677857.0000023FA0B63000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.244089604.0000023FA0B05000.00000004.00000040.sdmp, config_xml.js	String found in binary or memory: http://www.techsmith.com/xmp/tsc/
Source: wscript.exe, 00000000.00000002.244089604.0000023FA0B05000.00000004.00000040.sdmp	String found in binary or memory: http://www.techsmith.com/xmp/tscHS/
Source: wscript.exe, 00000000.00000002.244089604.0000023FA0B05000.00000004.00000040.sdmp	String found in binary or memory: http://www.techsmith.com/xmp/tscIQ/

Source: config_xml.js

Initial sample: Strings found which are bigger than 50

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: clean2.winJS@1/0@0/0

Source: config_xml.js

String : entropy: 5.36, length: 5551, content: '<x:xmpmeta tsc:version="2.0.1" xmlns:x="adobe:ns:meta/" xmlns:tsc="http://www.techsmith.com/xmp/tsc

Go to definition

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting3	Path Interception	Path Interception	Scripting3	OS Credential Dumping	System Information Discovery2	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Encoding1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.techsmith.com/xmp/tscHS/	wscript.exe, 00000000.00000002.244089604.0000023FA0B05000.00000004.00000040.sdmp	false	high
http://www.techsmith.com/xmp/tsc/	wscript.exe, 00000000.00000003.243677857.0000023FA0B63000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.244089604.0000023FA0B05000.00000004.00000040.sdmp, config_xml.js	false	high
http://www.techsmith.com/xmp/tscIQ/	wscript.exe, 00000000.00000002.244089604.0000023FA0B05000.00000004.00000040.sdmp	false	high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491729
Start date:	27.09.2021
Start time:	20:49:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	config_xml.js
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean2.winJS@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .js Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 2.20.86.117, 95.100.54.203, 20.50.102.62, 209.197.3.8, 8.248.133.254, 8.253.204.249, 8.248.141.254, 67.27.235.126, 67.27.235.254, 20.54.110.249, 40.112.88.60, 23.10.249.26, 23.10.249.43, 20.82.210.154 Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	5.377651253467105
TrID:
File name:	config_xml.js
File size:	5604
MD5:	21ec939eb873eda0ac91bf0c4dbb2a6e
SHA1:	4b88725c8b4f09edccf7cc70557c26c6a5d34ccf
SHA256:	cc6f27e54cac322380736bc5c7153a4ac07ce4466f69e06d780dba9e8b27a2b8
SHA512:	24752b9d8c9886c4dc5125ad2fee1dc4fc4662506a75fba58f10485b723b7268d6a4888f8fab9512724231f5dc3af9bb9d0aa809ad13379d556fefcaee1619e1
SSDEEP:	96:o0wHkvZV1Nc6oN8tRuq9LjYtCrTcU5E9B5Jvhuk/tCaRItvo6ya25FG9+Igghe:7wHkhV1N9s8tRuc1AHSryIgh
File Content Preview:	var TSC = TSC \|\| {};....TSC.embedded_config_xml = '<x:xmpmeta tsc:version="2.0.1" xmlns:x="adobe:ns:meta/" xmlns:tsc="http://www.techsmith.com/xmp/tsc/">\.. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:xmp="http://ns.adobe.com/

File Icon


Icon Hash:	e8d69ece968a9ec4

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 20:50:10.730859041 CEST	53	57820	8.8.8.8	192.168.2.7
Sep 27, 2021 20:50:14.180495024 CEST	50848	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:50:14.202661037 CEST	53	50848	8.8.8.8	192.168.2.7
Sep 27, 2021 20:50:27.646245003 CEST	61242	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:50:27.711581945 CEST	53	61242	8.8.8.8	192.168.2.7
Sep 27, 2021 20:50:45.832585096 CEST	58562	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:50:45.861569881 CEST	53	58562	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:03.900257111 CEST	56590	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:03.915033102 CEST	53	56590	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:05.012512922 CEST	60501	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:05.187891960 CEST	53	60501	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:05.792732000 CEST	53775	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:05.876506090 CEST	53	53775	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:06.496449947 CEST	51837	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:06.520729065 CEST	53	51837	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:06.814421892 CEST	55411	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:07.333543062 CEST	63668	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:07.428704023 CEST	53	63668	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:07.817033052 CEST	55411	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:07.849396944 CEST	53	55411	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:07.928739071 CEST	54640	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:07.942589998 CEST	53	54640	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:08.453267097 CEST	58739	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:08.468170881 CEST	53	58739	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:09.588356972 CEST	60338	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:09.602119923 CEST	53	60338	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:10.477353096 CEST	58717	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:10.489172935 CEST	53	58717	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:11.290668964 CEST	59762	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:11.363423109 CEST	53	59762	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:12.399214983 CEST	54329	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:12.413085938 CEST	53	54329	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:13.129100084 CEST	58052	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:13.172167063 CEST	53	58052	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:25.376945019 CEST	54008	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:25.396162033 CEST	53	54008	8.8.8.8	192.168.2.7
Sep 27, 2021 20:51:59.575700998 CEST	59451	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:51:59.611306906 CEST	53	59451	8.8.8.8	192.168.2.7
Sep 27, 2021 20:52:00.782526016 CEST	52914	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:52:00.817006111 CEST	53	52914	8.8.8.8	192.168.2.7
Sep 27, 2021 20:52:33.744435072 CEST	64569	53	192.168.2.7	8.8.8.8
Sep 27, 2021 20:52:33.772869110 CEST	53	64569	8.8.8.8	192.168.2.7

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: wscript.exe PID: 5252 Parent PID: 3292

General

Start time:	20:50:17
Start date:	27/09/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\config_xml.js'
Imagebase:	0x7ff637900000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

JavaScript Code

Call Graph

Executed
Not Executed

Script:

Code
0	var TSC = TSC \|\| {
1	};
2	TSC.embedded_config_xml = '<x:xmpmeta tsc:version="2.0.1" xmlns:x="adobe:ns:meta/" xmlns:tsc="http://www.techsmith.com/xmp/tsc/">\ <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpDM="http://ns.adobe.com/xmp/1.0/DynamicMedia/" xmlns:xmpG="http://ns.adobe.com/xap/1.0/g/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:tscDM="http://www.techsmith.com/xmp/tscDM/" xmlns:tscIQ="http://www.techsmith.com/xmp/tscIQ/" xmlns:tscHS="http://www.techsmith.com/xmp/tscHS/" xmlns:stDim="http://ns.adobe.com/xap/1.0/sType/Dimensions#" xmlns:stFnt="http://ns.adobe.com/xap/1.0/sType/Font#" xmlns:exif="http://ns.adobe.com/exif/1.0" xmlns:dc="http://purl.org/dc/elements/1.1/">\ <rdf:Description dc:date="2021-01-06 03:54:52 PM" dc:source="Camtasia,9.1.5,enu" dc:title="IRA 4 Opening an HSA" tscDM:firstFrame="IRA_4_Opening_an_HSA_First_Frame.png" tscDM:originId="46616561-CE58-4861-8B4A-9EF7977D77D3" tscDM:project="IRA 4 Opening an HSA">\ <xmpDM:duration xmpDM:scale="1/1000" xmpDM:value="1323400"/>\ <xmpDM:videoFrameSize stDim:unit="pixel" stDim:h="1080" stDim:w="1920"/>\ <tsc:langName>\ <rdf:Bag>\ <rdf:li xml:lang="en-US">English</rdf:li></rdf:Bag>\ </tsc:langName>\ <xmpDM:Tracks>\ <rdf:Bag>\ <rdf:li>\ <rdf:Description xmpDM:trackType="Quiz" xmpDM:frameRate="f1000" xmpDM:trackName="Quiz" tscIQ:quizGuid="6BBC71A1-675F-44A0-9FE5-0D915F2ADDF3" tscIQ:authoredEmail="Luvx9TN6xFxfPq7WPANX76+0SSg/F7ibYtr7dxc1HGYNW61hZp796SUSqFt9RJkIV2AJgkGX1qdx\ xZbFwIi6Oc4n+GsrlDvigxUTJq+1mvl3exA8KnNRb5je80BeZ8TAhK4hKboMU3/K+pDDw30/UHlj\ a2u2UHpf8Cq4KIff7SQVXqcDFfhPYCrlsm4SLjy4wJuiNTNTKy1DSUJGDuU0qIuItydrwiMfW7H1\ JiLoOtZ/myk392mTo3lZpbMJqNqQ9oAdJ5dDps3EakKu/eq9iMsG88WmL9ruICYlV1FB7V2IYNId\ 947/sfVVK9qMwkhzwD2Znc9etzzxvfnwx+71hA==" tscIQ:requireUserId="0" tscIQ:locale="en-US" tscIQ:reportMethod="SCORM" tscIQ:allowSkipQuiz="0" tscIQ:clientId="1CDF22D874AC443FBBB68075B4AE31CD" tscIQ:hideReplay="1" tscIQ:quizHash="907a95f5861921d2855e2109564537b7">\ <xmpDM:markers>\ <rdf:Seq>\ <rdf:li><rdf:Description xmpDM:startTime="1314800" tscIQ:feedback="1" tscIQ:questionSetName="Completion Acknowledgement"><tscIQ:questions><rdf:Seq><rdf:li><rdf:Description tscIQ:type="MC" tscIQ:id="0"><tscIQ:question>I have finished viewing IRA Training #4: Opening a Health Savings Account (HSA).</tscIQ:question><tscIQ:correctAnswer>1</tscIQ:correctAnswer><tscIQ:answerArray><rdf:Seq><rdf:li><rdf:Description tscIQ:orderId="0"><tscIQ:answer>True</tscIQ:answer></rdf:Description></rdf:li><rdf:li><rdf:Description tscIQ:orderId="1"><tscIQ:answer>False</tscIQ:answer></rdf:Description></rdf:li></rdf:Seq></tscIQ:answerArray><tscIQ:feedback><rdf:Bag><rdf:li><rdf:Description tscIQ:reason="correct"><xmpDM:name><rdf:Alt><rdf:li>Thank you!</rdf:li></rdf:Alt></xmpDM:name></rdf:Description></rdf:li><rdf:li><rdf:Description tscIQ:reason="incorrect"><xmpDM:name><rdf:Alt><rdf:li>Please come back another time!</rdf:li></rdf:Alt></xmpDM:name></rdf:Description></rdf:li></rdf:Bag></tscIQ:feedback></rdf:Description></rdf:li></rdf:Seq></tscIQ:questions></rdf:Description></rdf:li></rdf:Seq>\ </xmpDM:markers>\ <tscIQ:QuizParams><rdf:Bag><rdf:li xmpDM:name="txtPrev" xmpDM:value="Previous"/><rdf:li xmpDM:name="txtNext" xmpDM:value="Next"/><rdf:li xmpDM:name="txtAnswerQuestion" xmpDM:value="Completion Acknowledgement"/><rdf:li xmpDM:name="txtSubmit" xmpDM:value="Submit Response"/><rdf:li xmpDM:name="txtReview" xmpDM:value="Replay Last Section"/><rdf:li xmpDM:name="txtReviewAnswer" xmpDM:value="View Response"/><rdf:li xmpDM:name="txtContinue" xmpDM:value="Continue"/></rdf:Bag></tscIQ:QuizParams></rdf:Description>\ </rdf:li>\ </rdf:Bag>\ </xmpDM:Tracks>\ <tscDM:controller>\ <rdf:Description xmpDM:name="tscplayer">\ <tscDM:parameters>\ <rdf:Bag>\ <rdf:li xmpDM:name="autohide" xmpDM:value="true"/><rdf:li xmpDM:name="autoplay" xmpDM:value="false"/><rdf:li xmpDM:name="loop" xmpDM:value="false"/><rdf:li xmpDM:name="searchable" xmpDM:value="true"/><rdf:li xmpDM:name="captionsenabled" xmpDM:value="false"/><rdf:li xmpDM:name="sidebarenabled" xmpDM:value="false"/><rdf:li xmpDM:name="unicodeenabled" xmpDM:value="false"/><rdf:li xmpDM:name="backgroundcolor" xmpDM:value="000000"/><rdf:li xmpDM:name="sidebarlocation" xmpDM:value="left"/><rdf:li xmpDM:name="endaction" xmpDM:value="stop"/><rdf:li xmpDM:name="endactionparam" xmpDM:value="true"/><rdf:li xmpDM:name="locale" xmpDM:value="en-US"/></rdf:Bag>\ </tscDM:parameters>\ <tscDM:controllerText>\ <rdf:Bag>\ </rdf:Bag>\ </tscDM:controllerText>\ </rdf:Description>\ </tscDM:controller>\ <tscDM:contentList>\ <rdf:Description>\ <tscDM:files>\ <rdf:Seq>\ <rdf:li xmpDM:name="0" xmpDM:value="IRA 4 Opening an HSA.zip"/><rdf:li xmpDM:name="1" xmpDM:value="IRA_4_Opening_an_HSA_First_Frame.png"/><rdf:li xmpDM:name="2" xmpDM:value="IRA_4_Opening_an_HSA_Thumbnails.png"/></rdf:Seq>\ </tscDM:files>\ </rdf:Description>\ </tscDM:contentList>\ </rdf:Description>\ </rdf:RDF>\ </x:xmpmeta>';

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.Some data encoding systems may also result in data compression, such as gzip.
Tactics:	Command and Control
Data Sources:	Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report config_xml.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: wscript.exe PID: 5252 Parent PID: 3292

General

Chronological Activities

Disassembly

Code Analysis

JavaScript Code

Call Graph

Graph

Script:

Code