
Windows Analysis Report scormwrapper.js

Overview

General Information

Sample Name:scormwrapper.js
Analysis ID:491730
MD5:d9453ab6437c824f601116afef114b2a
SHA1:b1a4933bd6c9358c2257e830fc4e353950708af6
SHA256:d0ad0f96bfa360ca88d7ca4b03245e30ec42044a3c920f32e0781e906a8dd163
Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Program does not show much activity (idle)
Java / VBScript file with very long strings (likely obfuscated code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 6908 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\scormwrapper.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures.

  • Source: scormwrapper.js (initial sample). Strings found which are bigger than 50.
  • Source: C:\Windows\System32\wscript.exe. Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
  • Source: C:\Windows\System32\wscript.exe. Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • Source: classification engine. Classification label: clean1.winJS@1/0@0/0
  • Source: C:\Windows\System32\wscript.exe. Process information set: NOOPENFILEERRORBOX
  • Source: all processes. Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
  • Source: C:\Windows\System32\wscript.exe. Window found: window name: WSH-Timer
  • Source: C:\Windows\System32\wscript.exe. Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Techniques per tactic (the number in parentheses is the count of matched signatures; entries without a count are the default matrix cells):

  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Scripting (2); Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: Scripting (2); Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: System Information Discovery (2); Application Window Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Data Obfuscation; Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout

Behavior Graph



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
scormwrapper.js | 0% | Virustotal | (none)
scormwrapper.js | 0% | Metadefender | (none)
scormwrapper.js | 0% | ReversingLabs | (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:491730
Start date:27.09.2021
Start time:20:51:15
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 47s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:scormwrapper.js
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.winJS@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .js
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.82.210.154, 40.127.240.158, 131.253.33.200, 13.107.22.200, 20.49.150.241, 23.54.113.53
  • Excluded domains from analysis (whitelisted): www.bing.com, dual-a-0001.dc-msedge.net, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, settings-win.data.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, arc.msn.com, settingsfd-geo.trafficmanager.net
  • Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
Entropy (8bit):4.525867459002923
TrID:
  • Text - UTF-8 encoded (3003/1) 100.00%
File name:scormwrapper.js
File size:7170
MD5:d9453ab6437c824f601116afef114b2a
SHA1:b1a4933bd6c9358c2257e830fc4e353950708af6
SHA256:d0ad0f96bfa360ca88d7ca4b03245e30ec42044a3c920f32e0781e906a8dd163
SHA512:a66349740bd1d4da0e10ee7d1211f7891198a4505e7d7ba24813da6f23ce8a78bf7dd6a406fbea3149fa20fe9ff06d25384f85605ed98754e325f02abcfa0612
SSDEEP:96:DEK6rsXfyz6mDa9mgdaWmtG2LM4TLCJRCm0YkxMqqDTz:joxzIdbZ2LpLBm0Ytqg
File Content Preview:...// SCORM 1.2 and SCORM 2004 API Wrapper....var MAX_PARENTS_TO_SEARCH = 500;..var apiHandle = null;..var noAPIFound = "false";..var apiVersion;..../*******************************************************************************..*

File Icon

Icon Hash:e8d69ece968a9ec4

Network Behavior

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 20:52:09.022147894 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 20:52:09.058024883 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 20:52:09.385171890 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 20:52:09.419708014 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 20:52:10.820574045 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 20:52:10.837553978 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 20:52:10.868519068 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 20:52:10.883301020 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 20:52:11.038671970 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 20:52:11.071935892 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 20:52:17.587707996 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 20:52:18.609345913 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 20:52:18.628458977 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 20:52:43.650975943 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 20:52:43.669414043 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4

Code Manipulations


System Behavior

General

Start time:20:52:12
Start date:27/09/2021
Path:C:\Windows\System32\wscript.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\scormwrapper.js'
Imagebase:0x7ff789ed0000
File size:163840 bytes
MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
