ID: 382893
Sample Name: phish_survey.js
Cookbook: default.jbs
Time: 20:27:42
Date: 06/04/2021
Version: 31.0.0 Emerald

Table of Contents
Table of Contents 2
Analysis Report phish_survey.js 3
Overview 3
General Information 3
Detection 3
Signatures 3
Classification 3
Startup 3
Malware Configuration 3
Yara Overview 3
Sigma Overview 3
Signature Overview 3
Mitre Att&ck Matrix 4
Behavior Graph 4
Screenshots 5
Thumbnails 5
Antivirus, Machine Learning and Genetic Malware Detection 6
Initial Sample 6
Dropped Files 6
Unpacked PE Files 6
Domains 6
URLs 6
Domains and IPs 7
Contacted Domains 7
URLs from Memory and Binaries 7
Contacted IPs 8
General Information 8
Simulations 9
Behavior and APIs 9
Joe Sandbox View / Context 9
IPs 9
Domains 9
ASN 9
JA3 Fingerprints 9
Dropped Files 9
Created / dropped Files 9
Static File Info 9
General 9
File Icon 9
Network Behavior 10
Code Manipulations 10
Statistics 10
System Behavior 10
Analysis Process: wscript.exe PID: 6168 Parent PID: 3388 10
General 10
File Activities 10
Disassembly 10
Code Analysis 10
Copyright Joe Security LLC 2021 Page 2 of 10
Analysis Report phish_survey.js
Overview
General Information
Sample Name: phish_survey.js
Analysis ID: 382893
MD5: b3c1f68ef7299a7…
SHA1: b8e9103fffa864a…
SHA256: 3dff3ec3f9cc6fd9…
Infos:
Most interesting Screenshot:

Detection
Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures
Found WSH timer for Javascript or V…
Java / VBScript file with very long lines…
Program does not show much activi…

Classification
Legend: malicious, suspicious, clean
Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Startup
System is w10x64 wscript.exe (PID: 6168 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\phish_survey.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C) cleanup
Malware Configuration
No configs have been found
Yara Overview
No yara matches
Sigma Overview
No Sigma rule has matched
Signature Overview
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
There are no malicious signatures.
Mitre Att&ck Matrix
Initial Access: Valid Accounts; Default Accounts
Execution: Scripting 2; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Scripting 2; Obfuscated Files or Information 1
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: System Information Discovery 2; Application Window Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
Behavior Graph
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
ID: 382893
Sample: phish_survey.js
Startdate: 06/04/2021
Architecture: WINDOWS
Score: 1
Graph: wscript.exe (started)
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label | Link
phish_survey.js | 0% | Virustotal | | Browse
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source | Detection | Scanner | Label | Link
j.hn/) | 0% | URL Reputation | safe |
j.hn/) | 0% | URL Reputation | safe |
j.hn/) | 0% | URL Reputation | safe |
j.hn/) | 0% | URL Reputation | safe |
dynarch.com/jscal/#sec3 | 0% | Virustotal | | Browse
dynarch.com/jscal/#sec3 | 0% | Avira URL Cloud | safe |
viljamis.com/blog/2012/file-upload-support-on-mobile/ | 0% | Virustotal | | Browse
viljamis.com/blog/2012/file-upload-support-on-mobile/ | 0% | Avira URL Cloud | safe |
https://blueimp.net | 0% | URL Reputation | safe |
https://blueimp.net | 0% | URL Reputation | safe |
https://blueimp.net | 0% | URL Reputation | safe |
https://blueimp.net | 0% | URL Reputation | safe |
valve.github.io | 0% | Virustotal | | Browse
valve.github.io | 0% | Avira URL Cloud | safe |
https://cdn.dashjs.org/latest/dash.all.min.js | 0% | Virustotal | | Browse
https://cdn.dashjs.org/latest/dash.all.min.js | 0% | Avira URL Cloud | safe |
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
j.hn/) | phish_survey.js | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
bugs.jquery.com/ticket/11820 | phish_survey.js | false | | high
https://github.com/blueimp/jQuery-File-Upload | phish_survey.js | false | | high
https://github.com/szimek/signature_pad | phish_survey.js | false | | high
www.highcharts.com | phish_survey.js | false | | high
www.modernizr.com/) | phish_survey.js | false | | high
https://opensource.org/licenses/MIT | phish_survey.js | false | | high
jqueryui.com | phish_survey.js | false | | high
https://github.com/harvesthq/chosen | phish_survey.js | false | | high
https://bugzilla.mozilla.org/show_bug.cgi?id=781447 | phish_survey.js | false | | high
https://github.com/thesmart | phish_survey.js | false | | high
dynarch.com/jscal/#sec3 | phish_survey.js | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.youtube.com/player_api | phish_survey.js | false | | high
viljamis.com/blog/2012/file-upload-support-on-mobile/ | phish_survey.js | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
benalman.com/about/license/ | phish_survey.js | false | | high
https://raw.github.com/jashkenas/underscore/master/LICENSE | phish_survey.js | false | | high
benalman.com/projects/jquery-throttle-debounce-plugin/ | phish_survey.js | false | | high
https://blueimp.net | phish_survey.js | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
https://github.com/jashkenas/underscore | phish_survey.js | false | | high
https://raw.github.com/thesmart/jquery-scrollspy/master/LICENSE | phish_survey.js | false | | high
code.highcharts.com/4.2.3/gfx/vml-radial-gradient.png | phish_survey.js | false | | high
bugs.jquery.com/ticket/13335 | phish_survey.js | false | | high
https://cdnjs.cloudflare.com/ajax/libs/hls.js/0.7.11/hls.min.js | phish_survey.js | false | | high
https://img.youtube.com/vi/ | phish_survey.js | false | | high
www.opensource.org/licenses/mit-license.php) | phish_survey.js | false | | high
https://github.com/harvesthq/chosen/blob/master/LICENSE.md | phish_survey.js | false | | high
https://github.com/Valve/fingerprintjs | phish_survey.js | false | | high
https://github.com/promises-aplus/promises-spec#the-promise-resolution-procedure | phish_survey.js | false | | high
flesler.blogspot.com | phish_survey.js | false | | high
blog.alexmaccaw.com/css-transitions | phish_survey.js | false | | high
https://github.com/blueimp/jQuery-File-Upload/wiki/Setup#content-type-negotiation | phish_survey.js | false | | high
valve.github.io | wscript.exe, 00000000.00000003.194865310.00000178093E9000.00000004.00000001.sdmp, phish_survey.js | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://cdnjs.cloudflare.com/ajax/libs/flv.js/1.3.2/flv.min.js | phish_survey.js | false | | high
code.highcharts.com/modules/canvas-tools.js | phish_survey.js | false | | high
github.com/garycourt/murmurhash-js | phish_survey.js | false | | high
www.mediaelementjs.com/ | phish_survey.js | false | | high
getharvest.com | phish_survey.js | false | | high
https://cdn.dashjs.org/latest/dash.all.min.js | phish_survey.js | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Contacted IPs
No contacted IP infos
General Information
Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 382893
Start date: 06.04.2021
Start time: 20:27:42
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 11s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: phish_survey.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.winJS@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .js
Warnings: Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe; Report size getting too big, too many NtProtectVirtualMemory calls found.
Simulations
Behavior and APIs
No simulations
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Created / dropped Files
No created / dropped files found
Static File Info
General
File type: UTF-8 Unicode text, with very long lines
Entropy (8bit): 4.2871525502228085
TrID: Java Script (8504/1) 100.00%
File name: phish_survey.js
File size: 1690220
MD5: b3c1f68ef7299a71e1c892ad6b5d6611
SHA1: b8e9103fffa864a4c0d6b3e469444b105dbd0de0
SHA256: 3dff3ec3f9cc6fd94646ae2a41d829c738acd4f9d2ba268968ae0cebfcf018b2
SHA512: c2c5e74aa6700efd4f3d14a49fd6865fe56ad1e1dd180b45a20774d0adafe1d32185675540b24239b36c80dfc56042e6d90a6c59491d61b1a9cc19ff4acef980
SSDEEP: 49152:oI2Iie+evzWQfjGpldfrcKe7K1KaAZo2yqeMk:hfk
File Content Preview: var surveyJQueryNoConflict = null;.if (window.$ && window.jQuery && window.$ == window.jQuery) {. surveyJQueryNoConflict = window.$.noConflict();.}.if (window.jQuery) {. surveyJQueryNoConflict = window.jQuery.noConflict();.}./*! jQuery v1.12.2 | (c)
File Icon
Icon Hash: e8d69ece968a9ec4
Network Behavior
No network behavior found
Code Manipulations
Statistics
System Behavior
Analysis Process: wscript.exe PID: 6168 Parent PID: 3388
General
Start time: 20:28:27
Start date: 06/04/2021
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\phish_survey.js'
Imagebase: 0x7ff6d68b0000
File size: 163840 bytes
MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Source File Path Offset Length Completion Count Address Symbol
Disassembly
Code Analysis