Windows Analysis Report config_xml.js

Overview

General Information

Sample Name:config_xml.js
Analysis ID:491729
MD5:21ec939eb873eda0ac91bf0c4dbb2a6e
SHA1:4b88725c8b4f09edccf7cc70557c26c6a5d34ccf
SHA256:cc6f27e54cac322380736bc5c7153a4ac07ce4466f69e06d780dba9e8b27a2b8
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Program does not show much activity (idle)
Java / VBScript file with very long strings (likely obfuscated code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6372 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\config_xml.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Source: wscript.exe, 00000000.00000002.666056971.00000287402E5000.00000004.00000040.sdmp | String found in binary or memory: http://ns.ad
Source: wscript.exe, 00000000.00000002.665941348.000002873FFBA000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.666105863.0000028741DD0000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.665639824.000002873FFDF000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.666056971.00000287402E5000.00000004.00000040.sdmp, config_xml.js | String found in binary or memory: http://www.techsmith.com/xmp/tsc/
Source: config_xml.js | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: clean1.winJS@1/0@0/0
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting (2) | Path Interception | Path Interception | Scripting (2) | OS Credential Dumping | System Information Discovery (2) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Obfuscated Files or Information (1) | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://ns.ad | 0% | URL Reputation | safe | -

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.techsmith.com/xmp/tsc/ | wscript.exe, 00000000.00000002.665941348.000002873FFBA000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.666105863.0000028741DD0000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.665639824.000002873FFDF000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.666056971.00000287402E5000.00000004.00000040.sdmp, config_xml.js | false | - | high
http://ns.ad | wscript.exe, 00000000.00000002.666056971.00000287402E5000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:491729
Start date:27.09.2021
Start time:20:56:37
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 57s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:config_xml.js
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:Without Instrumentation
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.winJS@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .js
• Stop behavior analysis, all processes terminated
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):5.377651253467105
TrID:
File name:config_xml.js
File size:5604
MD5:21ec939eb873eda0ac91bf0c4dbb2a6e
SHA1:4b88725c8b4f09edccf7cc70557c26c6a5d34ccf
SHA256:cc6f27e54cac322380736bc5c7153a4ac07ce4466f69e06d780dba9e8b27a2b8
SHA512:24752b9d8c9886c4dc5125ad2fee1dc4fc4662506a75fba58f10485b723b7268d6a4888f8fab9512724231f5dc3af9bb9d0aa809ad13379d556fefcaee1619e1
SSDEEP:96:o0wHkvZV1Nc6oN8tRuq9LjYtCrTcU5E9B5Jvhuk/tCaRItvo6ya25FG9+Igghe:7wHkhV1N9s8tRuc1AHSryIgh
File Content Preview:var TSC = TSC || {};....TSC.embedded_config_xml = '<x:xmpmeta tsc:version="2.0.1" xmlns:x="adobe:ns:meta/" xmlns:tsc="http://www.techsmith.com/xmp/tsc/">\.. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:xmp="http://ns.adobe.com/

File Icon

Icon Hash:e8d69ece968a9ec4

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

General

Start time:20:57:32
Start date:27/09/2021
Path:C:\Windows\System32\wscript.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\config_xml.js'
Imagebase:0x7ff7f7de0000
File size:163840 bytes
MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis