
Windows Analysis Report techsmith-smart-player.min.js

Overview

General Information

Sample Name: techsmith-smart-player.min.js
Analysis ID: 491731
MD5: 31b067a1e7db6f55f3727e7a820ab510
SHA1: feddeec3efe8f5cbc7a517575088b234e2d47272
SHA256: 9d50de298d630f270c794af5b28be40ad0bb392e96efa0a224658f896fc3f04a

Detection

Score: 22
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Potential obfuscated javascript found
Program does not show much activity (idle)
Java / VBScript file with very long strings (likely obfuscated code)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found WSH timer for Javascript or VBS script (likely evasive script)

Process Tree

  • System is w10x64
  • wscript.exe (PID: 2208 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\techsmith-smart-player.min.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Source: techsmith-smart-player.min.js | String found in binary or memory: https://www.techsmith.com/redirect.asp?target=media_not_found&ver=4.
Source: techsmith-smart-player.min.js | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: sus22.evad.winJS@1/0@0/0

Data Obfuscation:

Potential obfuscated javascript found
Source: techsmith-smart-player.min.js | Initial file: High amount of function use 3152
Source: C:\Windows\System32\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts
Execution: Scripting12; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Scripting12; Obfuscated Files or Information1
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: Query Registry1; System Information Discovery2
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
techsmith-smart-player.min.js | 0% | Virustotal
techsmith-smart-player.min.js | 0% | ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.techsmith.com/redirect.asp?target=media_not_found&ver=4. | techsmith-smart-player.min.js | false | | high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 491731
Start date: 27.09.2021
Start time: 20:54:22
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: techsmith-smart-player.min.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: SUS
Classification: sus22.evad.winJS@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .js
• Stop behavior analysis, all processes terminated
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 2.20.86.117
• Excluded domains from analysis (whitelisted): www.bing.com, dual-a-0001.dc-msedge.net, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, store-images.s-microsoft.com-c.edgekey.net
• Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Entropy (8bit): 5.534536421918308
TrID:
• Java Script (8502/1) 68.00%
• Digital Micrograph Script (4001/1) 32.00%
File name: techsmith-smart-player.min.js
File size: 648978
MD5: 31b067a1e7db6f55f3727e7a820ab510
SHA1: feddeec3efe8f5cbc7a517575088b234e2d47272
SHA256: 9d50de298d630f270c794af5b28be40ad0bb392e96efa0a224658f896fc3f04a
SHA512: 61de2b2d460e8a9371d6c1b3788df3cf03799045d251834b727e830074193d52e109579e90c5663da833bc5fe5cfd2309b1d2793d9322a85159be7e6b0914386
SSDEEP: 12288:72n29MkPfvEb/7/DpxO1RfrrJg003l+9b:7S26KfvEr7/DiDrNg0089b
File Content Preview: /*! TechSmith Smart Player v5.6.2 */....!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("un

File Icon

Icon Hash: e8d69ece968a9ec4

Network Behavior

Network Port Distribution

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2021 20:55:15.808137894 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 20:55:15.841213942 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Sep 27, 2021 20:55:16.341289997 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Sep 27, 2021 20:55:16.355416059 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4

System Behavior

General

Start time: 20:55:19
Start date: 27/09/2021
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\techsmith-smart-player.min.js'
Imagebase: 0x7ff7edc40000
File size: 163840 bytes
MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
