
Analysis Report

Overview

General Information

Joe Sandbox Version:20.0
Analysis ID:379266
Start time:10:02:46
Joe Sandbox Product:Cloud
Start date:28.09.2017
Overall analysis duration:0h 3m 49s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:mal.js
Cookbook file name:JavaScript Instrumentation.jbs
Analysis system description:Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
  • VBA Instrumentation enabled
  • JavaScript Instrumentation enabled
Detection:MAL
Classification:mal48.evad.winJS@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): WmiApSrv.exe, WMIADAP.exe, dllhost.exe


Detection

Strategy:Threshold
Score:48
Range:0 - 100
Detection:malicious


Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification

Analysis Advice

Sample may be VM or Sandbox-aware, try analysis on a native machine



Signature Overview



Networking:

  • Urls found in memory or binary data
    Source: mal.js | String found in binary or memory: http://moroplinghaptan.info/eroorrrs

System Summary:

  • Classification label
    Source: classification engine | Classification label: mal48.evad.winJS@1/0@0/0
  • Reads software policies
    Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  • Uses an in-process (OLE) Automation server
    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
  • Java / VBScript file with very long strings (likely obfuscated code)
    Source: mal.js | Initial sample: Strings found which are bigger than 50

Anti Debugging:

  • Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
    Source: C:\Windows\System32\wscript.exe | System information queried: KernelDebuggerInformation
  • Program does not show much activity (idle)
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Malware Analysis System Evasion:

  • Found WSH timer for Javascript or VBS script (likely evasive script)
    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
  • May sleep (evasive loops) to hinder dynamic analysis
    Source: C:\Windows\System32\wscript.exe TID: 3356 | Thread sleep time: -60000s >= -60s
  • Program does not show much activity (idle)
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
  • JavaScript source code contains functionality to check date of execution (likely for evasion)
    Source: mal.js | Evasive datetime check: Date checked versus '2017-09-28 09:52:05'
  • JavaScript source code contains functionality to compute date of execution (likely for evasion)
    Source: mal.js | API name: ['getMonth']
    Source: mal.js | API name: ['getDate']
    Source: mal.js | API name: ['getYear']
    Source: mal.js | API name: ['getMinutes', 'getHours', 'getSeconds']
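The static indicators the signatures above report for mal.js (string literals longer than 50 characters, a cluster of Date accessors, a 60 s sleep and a URL string) are the kind of thing an analyst can reproduce in a few lines before any sandbox run. The following is an added example written for this page; it is not Joe Sandbox code and not the content of mal.js. The script it scans is a constructed stand-in with an invented identifier, an invented URL and no payload logic, and the thresholds (50 characters, three Date accessors, a 10 s sleep) are choices made for the example.

```javascript
// Added example: a static triage pass over a WSH JScript file, mirroring the
// kinds of checks the report's static signatures describe. Not Joe Sandbox
// code and not the content of mal.js.

// Constructed stand-in for an obfuscated downloader script. The identifier,
// the URL and the sleep value are invented for this example.
const SAMPLE_SCRIPT = [
  'var Kx = "' + "A".repeat(120) + '";',
  "var now = new Date();",
  'var stamp = now.getYear() + "-" + now.getMonth() + "-" + now.getDate();',
  "if (now.getHours() < 9 || now.getMinutes() > 55) { WScript.Quit(); }",
  "WScript.Sleep(60000);",
  'var url = "http://example.invalid/payload";',
].join("");

// Date accessors an execution-time check typically combines.
const DATE_APIS = [
  "getYear", "getFullYear", "getMonth", "getDate",
  "getHours", "getMinutes", "getSeconds", "getTime",
];

// Lengths of quoted string literals longer than minLen (the report flags > 50).
function findLongStrings(src, minLen = 50) {
  const re = /"((?:[^"\\\n]|\\.)*)"|'((?:[^'\\\n]|\\.)*)'/g;
  const hits = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    const body = m[1] !== undefined ? m[1] : m[2];
    if (body.length > minLen) hits.push(body.length);
  }
  return hits;
}

// Date accessor names actually invoked as methods somewhere in the script.
function findDateApis(src) {
  return DATE_APIS.filter((name) => new RegExp("\\." + name + "\\s*\\(").test(src));
}

// Literal millisecond arguments of WScript.Sleep calls.
function findSleeps(src) {
  const re = /WScript\.Sleep\s*\(\s*(\d+)\s*\)/gi;
  const out = [];
  let m;
  while ((m = re.exec(src)) !== null) out.push(Number(m[1]));
  return out;
}

// http(s) URLs present as plain text (obfuscated URLs need decoding first).
function findUrls(src) {
  return src.match(/https?:\/\/[^\s"'<>]+/gi) || [];
}

// Combine the indicators into flags. Thresholds are example choices.
function triage(src) {
  const longStrings = findLongStrings(src);
  const dateApis = findDateApis(src);
  const sleeps = findSleeps(src);
  const urls = findUrls(src);
  const flags = [];
  if (longStrings.length > 0) flags.push("long-strings");
  if (dateApis.length >= 3) flags.push("date-computation");
  if (sleeps.some((ms) => ms >= 10000)) flags.push("long-sleep");
  if (urls.length > 0) flags.push("embedded-url");
  return { longStrings, dateApis, sleeps, urls, flags };
}

console.log(JSON.stringify(triage(SAMPLE_SCRIPT), null, 2));
```

Run against the constructed script this reports one 120-character literal, five Date accessors, one 60000 ms sleep and one URL, which is the same picture the report paints for mal.js. Like the sandbox's own static signature, it only sees what is written in clear: a URL assembled at runtime from the long strings, as obfuscated scripts usually do, shows up only as "long-strings" until the script is deobfuscated.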

Hooking and other Techniques for Hiding and Protection:

  • Disables application error messages (SetErrorMode)
    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

Language, Device and Operating System Detection:

  • Queries the cryptographic machine GUID
    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Simulations

Behavior and APIs

Time:10:03:56
Type:API Interceptor
Description:1x Sleep call for process: wscript.exe modified from: 60000ms to: 500ms
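The simulation row above records the sandbox shortening the script's single 60 s Sleep to 500 ms. Together with the Date-based checks flagged under Malware Analysis System Evasion, that is the pattern a script can use to notice acceleration: request a sleep, read the clock before and after, and compare. The following is an added example written for this page; it is not the sample's code and not Joe Sandbox's hooking logic (the report does not say how Joe Sandbox treats the clock). The sleep and clock implementations are constructed stand-ins, and the 50% tolerance and the 5 ms cap are arbitrary choices for the example.

```javascript
// Added example: how a sandbox's shortened Sleep can be noticed by a script
// that also reads the clock, and what a consistent hook has to do about it.
// Constructed for this page; not the sample's code and not sandbox code.

// Blocking sleep, standing in for WScript.Sleep. Atomics.wait is allowed on
// the Node.js main thread (browsers forbid it there).
function realSleep(ms) {
  Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, ms);
}

// Unmodified environment: the sleep really waits, the clock is the real clock.
const nativeEnv = {
  sleep: realSleep,
  now: () => Date.now(),
};

// Naive accelerating hook: caps every requested sleep at capMs but leaves the
// clock untouched (the kind of change the "60000ms to 500ms" row records).
function naiveAcceleratedEnv(capMs) {
  return {
    sleep: (ms) => realSleep(Math.min(ms, capMs)),
    now: () => Date.now(),
  };
}

// Consistent hook: caps the sleep and advances a virtual clock by the time it
// skipped, so a Date-based measurement inside the script stays plausible.
function consistentAcceleratedEnv(capMs) {
  let skewMs = 0;
  return {
    sleep(ms) {
      const actual = Math.min(ms, capMs);
      skewMs += ms - actual;
      realSleep(actual);
    },
    now: () => Date.now() + skewMs,
  };
}

// The evasion check itself: request a sleep, time it with the environment's
// clock, and flag the run as accelerated if far less than requested elapsed.
// Returns the measurement so a caller can log or act on it.
function timedSleepCheck(env, requestedMs, tolerance = 0.5) {
  const start = env.now();
  env.sleep(requestedMs);
  const elapsedMs = env.now() - start;
  return { requestedMs, elapsedMs, accelerated: elapsedMs < requestedMs * tolerance };
}

// Demonstration with a short request so the example finishes quickly.
const REQUEST_MS = 150;
console.log("native     ", timedSleepCheck(nativeEnv, REQUEST_MS));
console.log("naive cap  ", timedSleepCheck(naiveAcceleratedEnv(5), REQUEST_MS));
console.log("consistent ", timedSleepCheck(consistentAcceleratedEnv(5), REQUEST_MS));
```

The native run and the consistent hook both report roughly the requested time and are not flagged; the naive cap is flagged because only a few milliseconds passed on the clock the script reads. The report only establishes that the sleep was shortened and that the script compares Date values; whether this particular script draws that conclusion is a question for its deobfuscated source, not for the report.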

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot


Startup

  • System is w7_1
  • wscript.exe (PID: 3320 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\mal.js' MD5: 979D74799EA6C8B8167869A68DF5204A)
  • cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:ASCII text, with very long lines, with no line terminators
TrID:
  • Visual Basic Script (6000/0) 60.00%
  • Java Script embedded in Visual Basic Script (2000/0) 20.00%
  • Java Script (2000/0) 20.00%
File name:mal.js
File size:12785
MD5:55499faa58eff7df21c743165b08818d
SHA1:9bef9f18158fa0468ea1f5f09ff8793740e6810d
SHA256:6130e3ae0ab3f45fa3cb07745df4a57268036f0d44b64b8155332b36629d0d6e
SHA512:f047b964f6051c753a0e711ab711233fa7fbca0965080119897058c134b28a6d03520e4b43b9a7ab2e3b1996fe6dbc969594b2a2b23e8b74ed3e8c9597b7227e
File Content Preview:var wtHCTXBiNQWAbLgZxsPCsvcODxAFltACnmkXXRJheHZnjOhXSutDdzmeRaLCBwPwbJotxPdGJjUFkTOlirqldCNBhJhoAIrYfbFpyCKfwOVGVoXezOdXtPOCEKgfLqOWWetswKjtCEzUjcGbDUzHAFQIkyxXvaxkRRBlOzeheslqFxTfz = [];var ZflLnmxVddzPcnzqchnWgzPzyHWQNDOtRcUQrkFhxYKoBjfTbTntdICLXEpxnnfg

File Icon

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

System Behavior

General

Start time:10:03:55
Start date:28/09/2017
Path:C:\Windows\System32\wscript.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\mal.js'
Imagebase:0x754d0000
File size:141824 bytes
MD5 hash:979D74799EA6C8B8167869A68DF5204A
Programmed in:C, C++ or other language

Disassembly

Call Graph

Edges recovered from the graph export. The executed / not executed colouring of the nodes is lost in this text export, and the export is cut off after the last edge listed; the long names are the sample's obfuscated function identifiers.

  • entry -> UiZBAJNGbeQqnFCnINgnTINnlgfUJKyScfWaALTobXAgiNJPyPmYFvqpAVuHdCTjavLtApFomuJuPZafGrErDcnUBldegAXVgbWqeLnqUANIAJmloRJfBuHtgxblTREQDSUbSADenESoteReGCqfijqnuZqlbNNIJFpZklNhhgtzIVffSJjAgkL
  • entry -> GdDiHIOYqpVVYosXYRxyHBeGmoHvSjICPeTLtyRdwjrtskUhmSJOejTaoTmbLBDjWjswuDpDBFdpzZrbkcfcOXjgiKEtRBiIpXQuUsittZCZHtltmdrjPmkINaCiJPzZEwlqGwrLpKRJHVjZrAHqzcGwKqBxPNQWFJxpsYLdakjUivXOchuucdQjNZTVbstZQloirBDiJIxLVczeHraBUj
  • entry -> GYPCSKFpNyTTgASpRrGPTqIUgYZAOeFTwaVVYdWQczXkZpdSujsHzoBZmFICZnPvqzGRNLPBKJkhtOZrmeuZaBHmTSSUenFiSiSf
  • entry -> phThfQTHCsQcqyrazOpExbtfrRiwiyBBKcWHCQcGAhPkGPSEOiHhYBIycRohdujxpoZwvlEPjDDaasYLqpYLLGfqNwWjKQTrJyzaNvaQCKpYnXDVUxjseouWALRfIrLUgRHXwQDTrYWDkaenoOiZpGQUxUaffAVFLHsoKIrjl
  • entry -> Sleep
  • entry -> floor
  • entry -> random
  • UiZBAJNGbeQqnFCnINgnTINnlgfUJKyScfWaALTobXAgiNJPyPmYFvqpAVuHdCTjavLtApFomuJuPZafGrErDcnUBldegAXVgbWqeLnqUANIAJmloRJfBuHtgxblTREQDSUbSADenESoteReGCqfijqnuZqlbNNIJFpZklNhhgtzIVffSJjAgkL -> CreateObject, createElement, CreateObject, Open, Write, SaveToFile, Close