Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:22.0.0
Analysis ID:50169
Start time:21:06:42
Joe Sandbox Product:CloudBasic
Start date:13.03.2018
Overall analysis duration:0h 3m 24s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:bmi.js
Cookbook file name:default.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (Javascript)
Analysis stop reason:Timeout
Detection:SUS
Classification:sus21.winJS@1/0@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information:Failed
HDC Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .js
Warnings:
Show All
  • Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe


Detection

StrategyScoreRangeReportingDetection
Threshold210 - 100Report FP / FNsuspicious


Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Signature Overview

Click to jump to signature section


Networking:

barindex
Found strings which match to known social media urlsShow sources
Source: wscript.exeString found in binary or memory: http://www.youtube.co equals www.youtube.com (Youtube)
Source: wscript.exeString found in binary or memory: http://www.youtube.com/embed equals www.youtube.com (Youtube)
Source: wscript.exeString found in binary or memory: http://www.youtube.com/watch equals www.youtube.com (Youtube)
Source: wscript.exeString found in binary or memory: mage//www.youtube.com/embedxlb= equals www.youtube.com (Youtube)
Urls found in memory or binary dataShow sources
Source: wscript.exeString found in binary or memory: http://www.youtube.co
Source: wscript.exeString found in binary or memory: http://www.youtube.com/embed
Source: wscript.exeString found in binary or memory: http://www.youtube.com/watch

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: sus21.winJS@1/0@0/0
Reads software policiesShow sources
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)Show sources
Source: bmi.jsVirustotal: hash found
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Java / VBScript file with very long strings (likely obfuscated code)Show sources
Source: bmi.jsInitial sample: Strings found which are bigger than 50
Suspicious javascript / visual basic script found (invalid extension)Show sources
Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\bmi.js'

Anti Debugging:

barindex
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Windows\System32\wscript.exeSystem information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

barindex
Found WSH timer for Javascript or VBS script (likely evasive script)Show sources
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

barindex
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 50169 Sample: bmi.js Startdate: 13/03/2018 Architecture: WINDOWS Score: 21 7 Suspicious javascript / visual basic script found (invalid extension) 2->7 5 wscript.exe 2->5         started        process3

Simulations

Behavior and APIs

TimeTypeDescription
21:07:33API Interceptor2x Sleep call for process: wscript.exe modified

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
bmi.js0%virustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot