ID: 57677
Sample Name: update.js
Cookbook: default.jbs
Time: 17:36:18
Date: 02/05/2018
Version: 22.0.0

Table of Contents
Table of Contents 2
Analysis Report 4
  Overview 4
    General Information 4
    Detection 4
    Confidence 4
    Classification 5
  Signature Overview 5
    Networking 6
    System Summary 6
    Anti Debugging 6
    Malware Analysis System Evasion 6
    Hooking and other Techniques for Hiding and Protection 6
    Language, Device and Operating System Detection 6
  Behavior Graph 6
  Simulations 7
    Behavior and APIs 7
  Antivirus Detection 7
    Initial Sample 7
    Dropped Files 7
    Unpacked PE Files 7
    Domains 7
  Yara Overview 8
    Initial Sample 8
    PCAP (Network Traffic) 8
    Dropped Files 8
    Memory Dumps 8
    Unpacked PEs 8
  Joe Sandbox View / Context 8
    IPs 8
    Domains 8
    ASN 8
    Dropped Files 8
  Screenshots 8
  Startup 9
  Created / dropped Files 9
  Contacted Domains/Contacted IPs 9
    Contacted Domains 9
    Contacted IPs 9
  Static File Info 10
    General 10
    File Icon 10
  Network Behavior 10
  Code Manipulations 10
  Statistics 10
  System Behavior 10
    Analysis Process: wscript.exe PID: 3436 Parent PID: 3024 10
      General 10
      File Activities 11
  Disassembly 11
    Code Analysis 11
      JavaScript Code 11
        Script: 11
          Code 11

Copyright Joe Security LLC 2018
Analysis Report
Overview
General Information
Joe Sandbox Version: 22.0.0
Analysis ID: 57677
Start time: 17:36:18
Joe Sandbox Product: CloudBasic
Start date: 02.05.2018
Overall analysis duration: 0h 2m 18s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: update.js
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, GSI enabled (Javascript)
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.winJS@1/0@0/0
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments: Adjust boot time; Correcting counters for adjusted boot time; Found application associated with file extension: .js; Stop behavior analysis, all processes terminated
Warnings: Exclude process from analysis (whitelisted): dllhost.exe
Detection
Strategy    Score   Range     Reporting        Detection
Threshold   1       0 - 100   Report FP / FN   CLEAN
Confidence
Strategy    Score   Range   Further Analysis Required?
Threshold   5       0 - 5   false
Classification
Classification wheel (figure): rings malicious / suspicious / clean; categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. This sample: clean1.winJS@1/0@0/0.
Signature Overview
• Networking
• System Summary
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Language, Device and Operating System Detection
Networking:
Urls found in memory or binary data
System Summary:
Java / VBScript file with very long strings (likely obfuscated code)
Classification label
Reads software policies
Sample is known by Antivirus (Virustotal or Metascan)
Uses an in-process (OLE) Automation server
This is likely a benign javascript web library
Anti Debugging:
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Malware Analysis System Evasion:
Found WSH timer for Javascript or VBS script (likely evasive script)
Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)
Language, Device and Operating System Detection:
Queries the cryptographic machine GUID
Behavior Graph
Behavior Graph (figure): ID 57677, Sample update.js, Startdate 02/05/2018, Architecture WINDOWS, Score 1. The graph contains a single started process node, wscript.exe, with no created files, DNS/IP info, or dropped files.
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, started.
Simulations
Behavior and APIs
Time       Type              Description
17:36:45   API Interceptor   2x Sleep call for process: wscript.exe modified
Antivirus Detection
Initial Sample
Source      Detection   Scanner      Label   Link
update.js   0%          virustotal
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
Dropped Files
No context
Screenshots
Startup
System is w7
wscript.exe (PID: 3436, cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\update.js', MD5: 979D74799EA6C8B8167869A68DF5204A)
cleanup
Created / dropped Files
No created / dropped files found
Contacted Domains/Contacted IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos
Static File Info
General
File type: ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit): 5.430308436586633
TrID: Java Script (6500/0) 52.00%; Digital Micrograph Script (4001/1) 32.01%; Java Script embedded in Visual Basic Script (2000/0) 16.00%
File name: update.js
File size: 4754
MD5: ce5175ded9db1abe659162ed2382c235
SHA1: 8175fdb89af4b4f3555214cd5aa2d6f630dd773f
SHA256: dc47fbd3274fa288baa643824a014b5be258ad686d008cb768889c32911814b6
SHA512: 8e1cd010fff6c7d44b4da68784e2494099c97a5f5619dc7d54e2d91201ac425e6e4a083e1a2d5d92a29bcec93af9ca6394dc78155773f51fde4b7d0b76e54cfa
File Content Preview: //(c)2017, MIT Style License
File Icon
Network Behavior
No network behavior found
Code Manipulations
Statistics
System Behavior
Analysis Process: wscript.exe PID: 3436 Parent PID: 3024
General
Start time: 17:36:45
Start date: 02/05/2018
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\update.js'
Imagebase: 0xcd0000
File size: 141824 bytes
MD5 hash: 979D74799EA6C8B8167869A68DF5204A
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Source File Path Offset Length Completion Count Address Symbol
Disassembly
Code Analysis
JavaScript Code
Script:
Code

// Detects the browser name and version from a user-agent string and returns
// { n, v, t, donotnotify, mobile } for use by the notification logic below.
function $bu_getBrowser(ua_str) {
    var n, t, ua = ua_str || navigator.userAgent, donotnotify = false;
    var names = {
        i: 'Internet Explorer',
        e: "Edge",
        f: 'Firefox',
        o: 'Opera',
        s: 'Safari',
        n: 'Netscape',
        c: "Chrome",
        a: "Android Browser",
        y: "Yandex Browser",
        v: "Vivaldi",
        x: "Other"
    };
    // Returns the reason string when the user agent matches a pattern that
    // should never receive a notification (bots, discontinued browsers, ...).
    function ignore(reason, pattern) {
        if (RegExp(pattern, "i").test(ua))
            return reason;
    }
    var ig = ignore("bot", "bot|spider|googlebot|facebook|slurp|bingbot|google web preview|mediapartnersadsbot|AOLBuild|Baiduspider|DuckDuckBot|Teoma")
        || ignore("discontinued browser", "camino|flot|k-meleon|fennec|galeon|chromeframe|coolnovo")
        || ignore("complicated device browser", "SMART-TV|SmartTV")
        || ignore("niche browser", "Dorado|Whale|SamsungBrowser|MIDP|wii|UCBrowser|Chromium|Puffin|Opera Mini|maxthon|maxton|dolfin|dolphin|seamonkey|opera mini|netfront|moblin|maemo|arora|kazehakase|epiphany|konqueror|rekonq|symbian|webos|PaleMoon|QupZilla|Otter|Midori|qutebrowser")
        || ignore("mobilew without upgrade path or landing page", "iphone|ipod|ipad|kindle|silk|blackberry|bb10|RIM|PlayBook|meego|nokia")
        || ignore("android(chrome) web view", "; wv");
    if (ig)
        return {
            n: "x",
            v: 0,
            t: "other browser",
            donotnotify: ig
        };
    var mobile = (/iphone|ipod|ipad|android|mobile|phone|ios|iemobile/i.test(ua));
    // [pattern, browser key]; "VV" is replaced by a version-capturing group.
    var pats = [
        ["Trident.*rv:VV", "i"],
        ["Trident.VV", "io"],
        ["MSIE.VV", "i"],
        ["Edge.VV", "e"],
        ["Vivaldi.VV", "v"],
        ["OPR.VV", "o"],
        ["YaBrowser.VV", "y"],
        ["Chrome.VV", "c"],
        ["Firefox.VV", "f"],
        ["Version.VV.{0,10}Safari", "s"],
        ["Safari.VV", "so"],
        ["Opera.*Version.VV", "o"],
        ["Opera.VV", "o"],
        ["Netscape.VV", "n"]
    ];
    for (var i = 0; i < pats.length; i++)
        // Note: the "i" flag is passed to match(), which ignores it, so this
        // pattern is matched case-sensitively.
        if (ua.match(new RegExp(pats[i][0].replace("VV", "(\\d+\\.?\\d?)")), "i")) {
            n = pats[i][1];
            break;
        }
    var v = parseFloat(RegExp.$1);
    if (!n)
        return {
            n: "x",
            v: 0,
            t: names[n],
            mobile: mobile
        };
    if (ua.indexOf('Android') > -1) {
        var ver = parseInt((/WebKit\/([0-9]+)/i.exec(ua) || 0)[1], 10) || 2000;
        if (ver <= 534)
            return {
                n: "a",
                v: ver,
                t: names.a,
                mob: true,
                donotnotify: donotnotify,
                mobile: mobile
            };
    }
    if (/windows.nt.5.0|windows.nt.4.0|windows.95|windows.98|os x 10.2|os x 10.3|os x 10.4|os x 10.5|os x 10.6|os x 10.7/.test(ua))
        donotnotify = "oldOS";
    if (n == "f" && (Math.round(v) == 45 || Math.round(v) == 52))
        donotnotify = "ESR";
    if (n == "so") {
        v = 4.0;
        n = "s";
    }
    if (n == "i" && v == 7 && window.XDomainRequest)
        v = 8;
    // Map the Trident engine version to the corresponding IE version.
    if (n == "io") {
        n = "i";
        if (v > 6)
            v = 11;
        else if (v > 5)
            v = 10;
        else if (v > 4)
            v = 9;
        else if (v > 3.1)
            v = 8;
        else if (v > 3)
            v = 7;
        else
            v = 9;
    }
    if (n == "e")
        return {
            n: "i",
            v: v,
            t: names[n] + " " + v,
            donotnotify: donotnotify,
            mobile: mobile
        };
    return {
        n: n,
        v: v,
        t: names[n] + " " + v,
        donotnotify: donotnotify,
        mobile: mobile
    };
}

// browser-update.org notification bootstrap (script version jsv = 24):
// computes the minimum acceptable version per browser, decides whether to
// notify, and if so loads the remote notification UI script.
var $buo = function (op, test) {
    var jsv = 24;
    var n = window.navigator, b;
    window._buorgres = this.op = op || {};
    var ll = op.l || (n.languages ? n.languages[0] : null) || n.language || n.browserLanguage || n.userLanguage || document.documentElement.getAttribute("lang") || "en";
    this.op.ll = ll = ll.replace("_", "-").toLowerCase().substr(0, 2);
    this.op.apiver = this.op.api || this.op.c || -1;
    // Current browser versions at the time the script was built.
    var vsakt = {
        i: 12,
        f: 52,
        o: 43,
        s: 10,
        n: 20,
        c: 56,
        y: 16.9,
        v: 1.6
    };
    // Default thresholds; negative values are relative to vsakt.
    var vsdefault = {
        i: 10,
        f: -4,
        o: -4,
        s: -2,
        n: 12,
        c: -4,
        a: 534,
        y: -1,
        v: -0.2
    };
    if (this.op.apiver < 4)
        var vsmin = {
            i: 9,
            f: 10,
            o: 20,
            s: 7,
            n: 12
        };
    else
        var vsmin = {
            i: 8,
            f: 5,
            o: 12.5,
            s: 6.2,
            n: 12
        };
    var myvs = op.vs || {};
    var vs = op.vs || vsdefault;
    for (b in vsdefault) {
        if (!vs[b])
            vs[b] = vsdefault[b];
        if (vsakt[b] && vs[b] >= vsakt[b])
            vs[b] = vsakt[b] - 0.2;
        if (vsakt[b] && vs[b] < 0)
            vs[b] = vsakt[b] + vs[b];
        if (vsmin[b] && vs[b] < vsmin[b])
            vs[b] = vsmin[b];
    }
    this.op.vsf = vs;
    if (op.reminder < 0.1 || op.reminder === 0)
        this.op.reminder = 0;
    else
        this.op.reminder = op.reminder || 24;
    this.op.reminderClosed = op.reminderClosed || (24 * 7);
    this.op.onshow = op.onshow || function (o) {};
    this.op.onclick = op.onclick || function (o) {};
    this.op.onclose = op.onclose || function (o) {};
    var pageurl = this.op.pageurl = op.pageurl || location.hostname || "x";
    if (op.l)
        this.op.url = op.url || "//browser-update.org/" + ll + "/update-browser.html#" + jsv + ":" + pageurl;
    else
        this.op.url = op.url || "//browser-update.org/update-browser.html#" + jsv + ":" + pageurl;
    this.op.newwindow = (op.newwindow !== false);
    this.op.test = test || op.test || (location.hash == "#test-bu") || (location.hash == "#test-bu-beta") || false;
    var bb = $bu_getBrowser();
    // Bail out unless in test mode when the browser is unknown, excluded,
    // snoozed via cookie, up to date, or mobile with mobile notices disabled.
    if (!this.op.test && (!bb || !bb.n || bb.n == "x" || bb.donotnotify !== false || (document.cookie.indexOf("browserupdateorg=pause") > -1 && this.op.reminder > 0) || bb.v > vs[bb.n] || (bb.mobile && op.mobile === false)))
        return;
    this.op.setCookie = function (hours) {
        document.cookie = 'browserupdateorg=pause; expires=' + new Date(new Date().getTime() + 3600000 * hours).toGMTString() + '; path=/';
    };
    if (this.op.reminder > 0)
        this.op.setCookie(this.op.reminder);
    if (this.op.nomessage) {
        op.onshow(this.op);
        return;
    }
    // Injects the remote notification UI script from browser-update.org.
    var e = document.createElement("script");
    e.src = op.jsshowurl || (/file:/.test(location.href) && "http://browser-update.org/update.show.min.js") || "//browser-update.org/update.show.min.js";
    document.body.appendChild(e);
};
var $buoop = window.$buoop || {};
$buo($buoop);