ID: 57677 Sample Name: update.js Cookbook: default.jbs Time: 17:36:18 Date: 02/05/2018 Version: 22.0.0 Table of Contents

Table of Contents 2 Analysis Report 4 Overview 4 General Information 4 Detection 4 Confidence 4 Classification 5 Signature Overview 5 Networking: 6 System Summary: 6 Anti Debugging: 6 Malware Analysis System Evasion: 6 Hooking and other Techniques for Hiding and Protection: 6 Language, Device and Operating System Detection: 6 Behavior Graph 6 Simulations 7 Behavior and APIs 7 Antivirus Detection 7 Initial Sample 7 Dropped Files 7 Unpacked PE Files 7 Domains 7 Yara Overview 8 Initial Sample 8 PCAP (Network Traffic) 8 Dropped Files 8 Memory Dumps 8 Unpacked PEs 8 Joe Sandbox View / Context 8 IPs 8 Domains 8 ASN 8 Dropped Files 8 Screenshots 8 Startup 9 Created / dropped Files 9 Contacted Domains/Contacted IPs 9 Contacted Domains 9 Contacted IPs 9 Static File Info 10 General 10 File Icon 10 Network Behavior 10 Code Manipulations 10 Statistics 10 System Behavior 10 Analysis Process: wscript.exe PID: 3436 Parent PID: 3024 10 General 10 File Activities 11 Disassembly 11 Code Analysis 11

Copyright Joe Security LLC 2018 Page 2 of 13 JavaScript Code 11 Script: 11 Code 11

Copyright Joe Security LLC 2018 Page 3 of 13 Analysis Report

Overview

General Information

Joe Sandbox Version: 22.0.0 Analysis ID: 57677 Start time: 17:36:18 Joe Sandbox Product: CloudBasic Start date: 02.05.2018 Overall analysis duration: 0h 2m 18s Hypervisor based Inspection enabled: false Report type: light Sample file name: update.js Cookbook file name: default.jbs Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1) Number of analysed new started processes analysed: 2 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies HCA enabled EGA enabled HDC enabled GSI enabled (Javascript) Analysis stop reason: Timeout Detection: CLEAN Classification: clean1.winJS@1/0@0/0 HCA Information: Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0 EGA Information: Failed HDC Information: Failed Cookbook Comments: Adjust boot time Correcting counters for adjusted boot time Found application associated with file extension: .js Stop behavior analysis, all processes terminated Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy Score Range Reporting Detection

Threshold 1 0 - 100 Report FP / FN

Confidence

Strategy Score Range Further Analysis Required? Confidence

Copyright Joe Security LLC 2018 Page 4 of 13 Strategy Score Range Further Analysis Required? Confidence

Threshold 5 0 - 5 false

Classification

Ransomware

Miner Spreading

mmaallliiiccciiioouusss

malicious

Evader Phishing

sssuusssppiiiccciiioouusss

suspicious

cccllleeaann

clean

Exploiter Banker

Spyware Trojan / Bot

Adware

Signature Overview

Copyright Joe Security LLC 2018 Page 5 of 13 • Networking • System Summary • Anti Debugging • Malware Analysis System Evasion • Hooking and other Techniques for Hiding and Protection • Language, Device and Operating System Detection

Click to jump to signature section

Networking:

Urls found in memory or binary data

System Summary:

Java / VBScript file with very long strings (likely obfuscated code)

Classification label

Reads software policies

Sample is known by Antivirus (Virustotal or Metascan)

Uses an in-process (OLE) Automation server

This is likely a benign javascript web library

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Behavior Graph

Copyright Joe Security LLC 2018 Page 6 of 13 Hide Legend Legend: Process Signature Created File DNS/IP Info Is Dropped

Behavior Graph Is Windows Process Number of created Registry Values ID: 57677 Number of created Files

Visual Basic Sample: update.js Delphi

Startdate: 02/05/2018 Java

Architecture: WINDOWS .Net C# or VB.NET

Score: 1 C, C++ or other language

Is malicious started

wscript.exe

Simulations

Behavior and APIs

Time Type Description 17:36:45 API Interceptor 2x Sleep call for process: wscript.exe modified

Antivirus Detection

Initial Sample

Source Detection Scanner Label Link update.js 0% virustotal Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Copyright Joe Security LLC 2018 Page 7 of 13 Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Copyright Joe Security LLC 2018 Page 8 of 13 Startup

System is w7 wscript.exe (PID: 3436 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\update.js' MD5: 979D74799EA6C8B8167869A68DF5204A) cleanup

Created / dropped Files

No created / dropped files found

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Copyright Joe Security LLC 2018 Page 9 of 13 Static File Info

General

File type: ASCII text, with very long lines, with CRLF line t erminators Entropy (8bit): 5.430308436586633 TrID: Java Script (6500/0) 52.00% Digital Micrograph Script (4001/1) 32.01% Java Script embedded in Visual Basic Script (2000/0) 16.00% File name: update.js File size: 4754 MD5: ce5175ded9db1abe659162ed2382c235 SHA1: 8175fdb89af4b4f3555214cd5aa2d6f630dd773f SHA256: dc47fbd3274fa288baa643824a014b5be258ad686d008cb 768889c32911814b6 SHA512: 8e1cd010fff6c7d44b4da68784e2494099c97a5f5619dc7 d54e2d91201ac425e6e4a083e1a2d5d92a29bcec93af9c a6394dc78155773f51fde4b7d0b76e54cfa File Content Preview: //(c)2017, MIT Style License ..//it is recommended to directly link to this file because we update the detection code..function $bu_ge tBrowser(ua_str){var n,t,ua=ua_str||navigator.userAgent ,donotnotify=false;var names={i:'I

File Icon

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: wscript.exe PID: 3436 Parent PID: 3024

General

Start time: 17:36:45 Start date: 02/05/2018 Path: C:\Windows\System32\wscript.exe Wow64 process (32bit): false Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\update.js' Imagebase: 0xcd0000 File size: 141824 bytes MD5 hash: 979D74799EA6C8B8167869A68DF5204A Has administrator privileges: true

Copyright Joe Security LLC 2018 Page 10 of 13 Programmed in: C, C++ or other language Reputation: high

File Activities

Source File Path Offset Length Completion Count Address Symbol

Disassembly

Code Analysis

JavaScript Code

Script:

Code 0 function $bu_getBrowser(ua_str) { 1 var n, t, ua = ua_str || navigator.userAgent, donotnotify = false; 2 var names = { 3 i : 'Internet Explorer', 4 e : "Edge", 5 f : 'Firefox', 6 o : 'Opera', 7 s : 'Safari', 8 n : 'Netscape', 9 c : "Chrome", 10 a : "Android Browser", 11 y : "Yandex Browser", 12 v : "Vivaldi", 13 x : "Other" 14 }; 15 function ignore(reason, pattern) { 16 if ( RegExp ( pattern, "i" ).test ( ua ) ) 17 return reason; 18 } 19 var ig = ignore ( "bot", "bot|spider|googlebot|facebook|slurp|bingbot|google web preview|mediapartnersadsbot|AOLBu ild|Baiduspider|DuckDuckBot|Teoma" ) || ignore ( "discontinued browser", "camino|flot|k-meleon|fennec|galeon|chrom eframe|coolnovo" ) || ignore ( "complicated device browser", "SMART-TV|SmartTV" ) || ignore ( "niche browser", "Dorad o|Whale|SamsungBrowser|MIDP|wii|UCBrowser|Chromium|Puffin|Opera Mini|maxthon|maxton|dolfin|dolphin|seamon key|opera mini|netfront|moblin|maemo|arora|kazehakase|epiphany|konqueror|rekonq|symbian|webos|PaleMoon|Qup Zilla|Otter|Midori|qutebrowser" ) || ignore ( "mobilew without upgrade path or landing page", "iphone|ipod|ipad|kindle|s ilk|blackberry|bb10|RIM|PlayBook|meego|nokia" ) || ignore ( "android(chrome) web view", "; wv" ); 20 if ( ig ) 21 return { 22 n : "x", 23 v : 0, 24 t : "other browser", 25 donotnotify : ig 26 }; 27 var mobile = ( /iphone|ipod|ipad|android|mobile|phone|ios|iemobile/i.test ( ua ) ); 28 var pats = [ [ "Trident.*rv:VV", "i" ], [ "Trident.VV", "io" ], [ "MSIE.VV", "i" ], [ "Edge.VV", "e" ], [ "Vivaldi.VV", "v" ], [ "OPR.VV" , "o" ], [ "YaBrowser.VV", "y" ], [ "Chrome.VV", "c" ], [ "Firefox.VV", "f" ], [ "Version.VV.{0,10}Safari", "s" ], [ "Safari.VV", "so" ], [ "Opera.*Version.VV", "o" ], [ "Opera.VV", "o" ], [ "Netscape.VV", "n" ] ]; 29 for ( var i = 0 ; i < pats.length ; i ++ ) 30 if ( ua.match ( new RegExp ( pats[i][0].replace ( "VV", "(\\d+\\.?\\d?)" ) ), "i" ) ) 31 { 32 n = pats[i][1]; 33 break ; 34 } 35 var v = parseFloat ( RegExp.$1 ); 36 if ( ! n ) 37 return { 38 n : "x", 39 v : 0, 40 t : names[n], 41 mobile : mobile 42 }; 43 if ( ua.indexOf ( 'Android' ) > - 1 ) 44 { 45 var ver = parseInt ( ( /WebKit\/([0-9]+)/i.exec ( ua ) || 0 )[1], 10 ) || 2000; 46 if ( ver <= 534 ) 47 return { 48 n : "a", 49 v : ver, 50 t : names.a, 51 mob : true, Copyright Joe Security LLC 2018 Page 11 of 13 Code 52 donotnotify : donotnotify, 53 mobile : mobile 54 }; 55 } 56 if ( /windows.nt.5.0|windows.nt.4.0|windows.95|windows.98|os x 10.2|os x 10.3|os x 10.4|os x 10.5|os x 10.6|os x 10.7/.test ( ua ) ) 57 donotnotify = "oldOS"; 58 if ( n == "f" && ( Math.round ( v ) == 45 || Math.round ( v ) == 52 ) ) 59 donotnotify = "ESR"; 60 if ( n == "so" ) 61 { 62 v = 4.0; 63 n = "s"; 64 } 65 if ( n == "i" && v == 7 && window.XDomainRequest ) 66 v = 8; 67 if ( n == "io" ) 68 { 69 n = "i"; 70 if ( v > 6 ) 71 v = 11; 72 else 73 if ( v > 5 ) 74 v = 10; 75 else 76 if ( v > 4 ) 77 v = 9; 78 else 79 if ( v > 3.1 ) 80 v = 8; 81 else 82 if ( v > 3 ) 83 v = 7; 84 else 85 v = 9; 86 } 87 if ( n == "e" ) 88 return { 89 n : "i", 90 v : v, 91 t : names[n] + " " + v, 92 donotnotify : donotnotify, 93 mobile : mobile 94 }; 95 return { 96 n : n, 97 v : v, 98 t : names[n] + " " + v, 99 donotnotify : donotnotify, 100 mobile : mobile 101 }; 102 } 103 var $buo = function (op, test) { 104 var jsv = 24; 105 var n = window.navigator, b; 106 window._buorgres = this.op = op || { 107 }; 108 var ll = op.l || ( n.languages ? n.languages[0] : null ) || n.language || n.browserLanguage || n.userLanguage || document.docum entElement.getAttribute ( "lang" ) || "en"; 109 this.op.ll = ll = ll.replace ( "_", "-" ).toLowerCase ( ).substr ( 0, 2 ); 110 this.op.apiver = this.op.api || this.op.c || - 1; 111 var vsakt = { 112 i : 12, 113 f : 52, 114 o : 43, 115 s : 10, 116 n : 20, 117 c : 56, 118 y : 16.9, 119 v : 1.6 120 }; 121 var vsdefault = { 122 i : 10, 123 f : - 4, 124 o : - 4, 125 s : - 2, 126 n : 12, 127 c : - 4, 128 a : 534, 129 y : - 1, 130 v : - 0.2 131 }; 132 if ( this.op.apiver < 4 ) 133 var vsmin = { 134 i : 9, 135 f : 10, 136 o : 20, 137 s : 7, 138 n : 12 Copyright Joe Security LLC 2018 Page 12 of 13 Code 139 }; 140 else 141 var vsmin = { 142 i : 8, 143 f : 5, 144 o : 12.5, 145 s : 6.2, 146 n : 12 147 }; 148 var myvs = op.vs || { 149 }; 150 var vs = op.vs || vsdefault; 151 for (b in vsdefault ) 152 { 153 if ( ! vs[b] ) 154 vs[b] = vsdefault[b]; 155 if ( vsakt[b] && vs[b] >= vsakt[b] ) 156 vs[b] = vsakt[b] - 0.2; 157 if ( vsakt[b] && vs[b] < 0 ) 158 vs[b] = vsakt[b] + vs[b]; 159 if ( vsmin[b] && vs[b] < vsmin[b] ) 160 vs[b] = vsmin[b]; 161 } 162 this.op.vsf = vs; 163 if ( op.reminder < 0.1 || op.reminder === 0 ) 164 this.op.reminder = 0; 165 else 166 this.op.reminder = op.reminder || 24; 167 this.op.reminderClosed = op.reminderClosed || ( 24 * 7 ); 168 this.op.onshow = op.onshow || function (o) { 169 }; 170 this.op.onclick = op.onclick || function (o) { 171 }; 172 this.op.onclose = op.onclose || function (o) { 173 }; 174 var pageurl = this.op.pageurl = op.pageurl || location.hostname || "x"; 175 if ( op.l ) 176 this.op.url = op.url || "//browser-update.org/" + ll + "/update-browser.html#" + jsv + ":" + pageurl; 177 else 178 this.op.url = op.url || "//browser-update.org/update-browser.html#" + jsv + ":" + pageurl; 179 this.op.newwindow = ( op.newwindow !== false ); 180 this.op.test = test || op.test || ( location.hash == "#test-bu" ) || ( location.hash == "#test-bu-beta" ) || false; 181 var bb = $bu_getBrowser ( ); 182 if ( ! this.op.test && ( ! bb || ! bb.n || bb.n == "x" || bb.donotnotify !== false || ( document.cookie.indexOf ( "browserupdateorg =pause" ) > - 1 && this.op.reminder > 0 ) || bb.v > vs[bb.n] || ( bb.mobile && op.mobile === false ) ) ) 183 return ; 184 this.op.setCookie = 185 function (hours) { 186 document.cookie = 'browserupdateorg=pause; expires=' + new Date ( new Date ( ).getTime ( ) + 3600000 * hours ).toGMT String ( ) + '; path=/'; 187 }; 188 if ( this.op.reminder > 0 ) 189 this.op.setCookie ( this.op.reminder ); 190 if ( this.op.nomessage ) 191 { 192 op.onshow ( this.op ); 193 return ; 194 } 195 var e = document.createElement ( "script" ); 196 e.src = op.jsshowurl || ( /file:/.test ( location.href ) && "http://browser-update.org/update.show.min.js" ) || "//browser-updat e.org/update.show.min.js"; 197 document.body.appendChild ( e ); 198 }; 199 var $buoop = window.$buoop || { 200 }; 201 $buo ( $buoop );

Copyright Joe Security LLC 2018 Page 13 of 13