
ID: 228134
Sample Name: my_presentation_t4c.js
Cookbook: default.jbs
Time: 00:39:45
Date: 07/05/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents (p. 2)
Analysis Report my_presentation_t4c.js (p. 4)
  Overview (p. 4)
    General Information (p. 4)
    Detection (p. 4)
    Confidence (p. 5)
    Classification Spiderchart (p. 5)
    Analysis Advice (p. 6)
    Mitre Att&ck Matrix (p. 6)
    Signature Overview (p. 7)
      AV Detection (p. 7)
      Spreading (p. 7)
      Networking (p. 7)
      Key, Mouse, Clipboard, Microphone and Screen Capturing (p. 7)
      System Summary (p. 7)
      Data Obfuscation (p. 8)
      Persistence and Installation Behavior (p. 8)
      Hooking and other Techniques for Hiding and Protection (p. 8)
      Malware Analysis System Evasion (p. 8)
      Anti Debugging (p. 8)
      HIPS / PFW / Protection Evasion (p. 8)
      Language, Device and Operating System Detection (p. 8)
    Malware Configuration (p. 9)
    Behavior Graph (p. 9)
    Simulations (p. 9)
      Behavior and APIs (p. 9)
    Antivirus, Machine Learning and Genetic Malware Detection (p. 9)
      Initial Sample (p. 9)
      Dropped Files (p. 9)
      Unpacked PE Files (p. 10)
      Domains (p. 10)
      URLs (p. 10)
    Yara Overview (p. 10)
      Initial Sample (p. 10)
      PCAP (Network Traffic) (p. 10)
      Dropped Files (p. 10)
      Memory Dumps (p. 10)
      Unpacked PEs (p. 10)
    Sigma Overview (p. 10)
      System Summary (p. 10)
    Joe Sandbox View / Context (p. 10)
      IPs (p. 10)
      Domains (p. 11)
      ASN (p. 11)
      JA3 Fingerprints (p. 11)
      Dropped Files (p. 11)
    Screenshots (p. 11)
      Thumbnails (p. 11)
    Startup (p. 12)
    Created / dropped Files (p. 12)
    Domains and IPs (p. 12)
      Contacted Domains (p. 12)
      URLs from Memory and Binaries (p. 12)
      Contacted IPs (p. 12)
    Static File Info (p. 13)
      General (p. 13)
      File Icon (p. 13)
    Network Behavior (p. 13)

Copyright Joe Security LLC 2020 Page 2 of 15

    Code Manipulations (p. 13)
    Statistics (p. 13)
    Behavior (p. 13)
    System Behavior (p. 14)
      Analysis Process: wscript.exe PID: 3024 Parent PID: 4068 (p. 14)
        General (p. 14)
        File Activities (p. 14)
      Analysis Process: regsvr32.exe PID: 4228 Parent PID: 3024 (p. 14)
        General (p. 14)
        File Activities (p. 14)
          File Read (p. 14)
      Analysis Process: regsvr32.exe PID: 5092 Parent PID: 4228 (p. 14)
        General (p. 14)
    Disassembly (p. 15)
      Code Analysis (p. 15)

Analysis Report my_presentation_t4c.js

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 228134
Start date: 07.05.2020
Start time: 00:39:45
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 22s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: my_presentation_t4c.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Without Instrumentation
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason:
Detection: MAL
Classification: mal84.evad.winJS@5/1@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 45.2% (good quality ratio 37.8%); Quality average: 62.8%; Quality standard deviation: 32.7%
HCA Information: Successful, ratio: 82%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Start process as user (medium integrity level)
  Found application associated with file extension: .js
Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, WmiPrvSE.exe
  Report size getting too big, too many NtAllocateVirtualMemory calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 84 | 0 - 100 | | false |

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |

Classification Spiderchart

(Spider chart figure. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Legend: malicious, suspicious, clean.)

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal behavior

Mitre Att&ck Matrix

Techniques carrying a trailing number are the ones the report's signatures matched (the numbers are the report's own markers); the remaining entries are the untriggered cells of the matrix, listed per tactic column.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
Execution: Windows Management Instrumentation 1; Scripting 2; Execution through API 2; Exploitation for Client Execution 1; Command-Line Interface; Graphical User Interface; Scripting
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
Privilege Escalation: Process Injection 1 2; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
Defense Evasion: Masquerading 1; Process Injection 1 2; Scripting 2; Obfuscated Files or Information 2; DLL Side-Loading 1; DLL Search Order Hijacking; Software Packing
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
Discovery: Application Window Discovery 1; Process Discovery 1; Account Discovery 1; System Owner/User Discovery 1; Security Software Discovery 1; File and Directory Discovery 2; System Information Discovery 3 4
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
Collection: Clipboard Data 2; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
Command and Control: Standard Cryptographic Protocol 1; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points

Signature Overview

• AV Detection
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection


AV Detection:

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Machine Learning detection for dropped file

Spreading:

Contains functionality to enumerate / list files inside a directory

Networking:

Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard

Contains functionality to read the clipboard data

System Summary:

Writes or reads registry keys via WMI

Contains functionality to call native functions

Detected potential crypto function

Java / VBScript file with very long strings (likely obfuscated code)

Tries to load missing DLLs

Classification

Creates temporary files

Reads ini files

Reads software policies

Spawns processes

Uses an in-process (OLE) Automation server

Submission file is bigger than most known malware samples

Data Obfuscation:

Contains functionality to dynamically determine API calls

Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain checking for process token information

Contains functionality to enumerate / list files inside a directory

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to register its own exception handler

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Creates a process in suspended mode (likely to inject code)

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)

Contains functionality to query CPU information (cpuid)

Queries the installation date of Windows

Contains functionality to query local / system time

Contains functionality to query the account / user name

Contains functionality to query windows version

Queries the cryptographic machine GUID

Malware Configuration

No configs have been found

Behavior Graph

(Behavior graph figure; the node labels and legend below are what survives of the rendering.)

ID: 228134, Sample: my_presentation_t4c.js, Startdate: 07/05/2020, Architecture: WINDOWS, Score: 84

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Nodes and edges:
  wscript.exe
    dropped C:\Users\user\AppData\Local\Temp\UJtYZ.txt (PE32)
    started regsvr32.exe
      started regsvr32.exe

Signatures attached to the graph: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Sigma detected: BlueMashroom DLL Load; 2 other signatures; Benign windows process drops PE files; Writes or reads registry keys via WMI

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
my_presentation_t4c.js | 2% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\UJtYZ.txt | 100% | Avira | HEUR/AGEN.1021385
C:\Users\user\AppData\Local\Temp\UJtYZ.txt | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\UJtYZ.txt | 26% | Virustotal |

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.regsvr32.exe.10000000.4.unpack | 100% | Avira | HEUR/AGEN.1021385

The unpack name records the module's image base, 0x10000000, the usual default for a 32-bit DLL, and the unpacked module carries the same Avira label as the dropped UJtYZ.txt: the memory image is the dropped DLL as loaded by regsvr32.exe.

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 1% | Virustotal |
crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 0% | URL Reputation | safe
ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0B | 0% | Virustotal |
https://sectigo.com/CPS0B | 0% | URL Reputation | safe
crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | Virustotal |
crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load

Sigma detected: Regsvr32 Anomaly

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64

wscript.exe (PID: 3024, cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\my_presentation_t4c.js', MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  regsvr32.exe (PID: 4228, cmdline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\UJtYZ.txt, MD5: D78B75FC68247E8A63ACBA846182740E)
    regsvr32.exe (PID: 5092, cmdline: -s C:\Users\user\AppData\Local\Temp\\UJtYZ.txt, MD5: 426E7499F6A7346F0410DEAD0805586B)
cleanup

The script drops a PE32 DLL under the user's Temp directory with a .txt extension and registers it silently (-s) through regsvr32.exe. Because the module is 32-bit, the 64-bit System32 regsvr32.exe (PID 4228) re-launches the SysWOW64 copy (PID 5092, Wow64 process: true) to load it, which is why regsvr32.exe appears twice in the tree.
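The process chain above, replayed through a small detector. This is an added example, not code from the Joe Sandbox report or its tooling: the three process-creation records are constructed from the Startup section (PIDs, images and command lines as printed), the field names and the script-host and extension lists are assumptions, and the checks mirror what the report's "Regsvr32 Anomaly" Sigma hit and its "non-matching file extension" signature flag: regsvr32.exe descending from a scripting host, loading a file whose extension is not a DLL extension, from a user-writable path.

```python
"""Added example (not Joe Sandbox code): replay the report's process tree as
process-creation records and flag the regsvr32 pattern seen in the sandbox.
Field names (pid, ppid, image, cmdline) and the lists below are assumptions;
map them to your own EDR / Sysmon event 1 schema."""
import re
from dataclasses import dataclass

# Hosts that should rarely be the (grand)parent of regsvr32.exe.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Extensions regsvr32 is normally asked to register.
DLL_EXTENSIONS = {".dll", ".ocx", ".ax", ".cpl"}
# Locations a standard user can write to (prefix match, case-insensitive).
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's Startup section.
EVENTS = [
    ProcEvent(3024, 4068, r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\my_presentation_t4c.js'"),
    ProcEvent(4228, 3024, r"C:\Windows\System32\regsvr32.exe",
              r"'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\UJtYZ.txt"),
    ProcEvent(5092, 4228, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"-s C:\Users\user\AppData\Local\Temp\\UJtYZ.txt"),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str) -> list:
    """Windows-style split: quoted runs stay together, the quotes are dropped."""
    return [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", cmdline)]


def regsvr32_target(cmdline: str):
    """The file regsvr32 was told to load: first argument that is not a switch."""
    tokens = split_cmdline(cmdline)
    if tokens and basename(tokens[0]) == "regsvr32.exe":
        tokens = tokens[1:]          # argv[0] is present for PID 4228, absent for PID 5092
    for tok in tokens:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def ancestors(event, by_pid, max_depth=8):
    """Walk up the parent chain; stop on a missing parent or a loop."""
    seen, cur = set(), by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen and len(seen) < max_depth:
        yield cur
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)


def analyze(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "regsvr32.exe":
            continue
        host = next((a for a in ancestors(e, by_pid) if basename(a.image) in SCRIPT_HOSTS), None)
        if host is not None:
            findings.append((e.pid, f"regsvr32 descended from script host {basename(host.image)} (PID {host.pid})"))
        target = regsvr32_target(e.cmdline)
        if target:
            name = basename(target)
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext not in DLL_EXTENSIONS:
                findings.append((e.pid, f"regsvr32 loading a non-DLL extension ({ext or 'none'}): {target}"))
            if USER_WRITABLE.match(target):
                findings.append((e.pid, f"regsvr32 target in user-writable path: {target}"))
    return findings


if __name__ == "__main__":
    for pid, msg in analyze(EVENTS):
        print(pid, msg)
```

Walking the ancestor chain rather than only the direct parent is what makes the second regsvr32.exe (PID 5092, whose parent is the first regsvr32.exe) fire as well; both instances produce all three findings on the report's tree, six in total.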

Created / dropped Files

C:\Users\user\AppData\Local\Temp\UJtYZ.txt

Process: C:\Windows\System32\wscript.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 516784
Entropy (8bit): 5.209872918351338
Encrypted: false
MD5: 04DD59D32F5F4731BD95F18EDAF3DE0E
SHA1: 78253DFC114344456D5386137E7120DAD7F353AC
SHA-256: F5E3D93D788B5D40AB2570EFA7A0968FE418086641B7138899D4868D573DEE81
SHA-512: B2D40368CA38D3B2FD2B1114591DF9F9667090FF35A70B7EF7F32167B2AC8D9E9AB77ACEAC46FB4F95A39242C4186887FA25B0603EDB70877A1BCDAB2A2BC67A
Malicious: true
Antivirus: Avira, Detection: 100%; Joe Sandbox ML, Detection: 100%; Virustotal, Detection: 26%
Reputation: low
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L...z..^...... !...2.(...... (...... @...... W...... P...... T...... x...... text....'...... (...... `.rdata...*...@...,...,...... @[email protected]. ..h...X...... @....rsrc...... @[email protected]...... @..B......
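The check behind "Drops files with a non-matching file extension (content does not match file extension)", done by hand. This is an added example, not Joe Sandbox code: a minimal PE header parser reads the fields that the report's libmagic-style file type string reports (PE32 vs PE32+, the DLL bit, subsystem, machine) and compares the verdict with the file name's extension. The header-only test image is constructed inside the block; the real UJtYZ.txt is not on the page, and the extension list and the output format are assumptions.

```python
"""Added example (not Joe Sandbox code): detect a PE image hiding behind a
non-PE file extension by parsing the DOS, COFF and optional headers. The test
image is constructed below; it is header-only and not a loadable binary."""
import os
import struct

IMAGE_FILE_DLL = 0x2000                 # COFF Characteristics flag
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "Aarch64"}
SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv", ".ax", ".mui"}


def describe_pe(data: bytes):
    """Return header facts for a PE image, or None if `data` is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0] if opt_size >= 2 and opt + 2 <= len(data) else 0
    subsystem = struct.unpack_from("<H", data, opt + 68)[0] if opt_size >= 70 and opt + 70 <= len(data) else 0
    return {
        "machine": machine,
        "sections": nsections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "pe32plus": magic == 0x20B,     # 0x10B = PE32, 0x20B = PE32+
        "subsystem": subsystem,
    }


def file_type(info: dict) -> str:
    """Render the facts in the libmagic style the report uses."""
    kind = "PE32+" if info["pe32plus"] else "PE32"
    role = " (DLL)" if info["is_dll"] else ""
    subsys = SUBSYSTEMS.get(info["subsystem"], "unknown subsystem")
    machine = MACHINES.get(info["machine"], hex(info["machine"]))
    return f"{kind} executable{role} ({subsys}) {machine}, for MS Windows"


def extension_mismatch(filename: str, data: bytes):
    """True if the content is a PE but the name does not say so; None if not a PE."""
    if describe_pe(data) is None:
        return None
    return os.path.splitext(filename)[1].lower() not in PE_EXTENSIONS


def build_test_image(is_dll=True, pe32plus=False, subsystem=2) -> bytes:
    """Constructed header-only image for exercising the parser."""
    e_lfanew = 0x80
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)      # e_lfanew sits at 0x3C
    dos += bytes(e_lfanew - len(dos))
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size,
                       0x0102 | (IMAGE_FILE_DLL if is_dll else 0))
    optional = struct.pack("<H", 0x20B if pe32plus else 0x10B) + bytes(66)
    optional += struct.pack("<H", subsystem)                      # Subsystem at offset 68
    optional += bytes(opt_size - len(optional))
    return dos + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    image = build_test_image()
    print(file_type(describe_pe(image)))
    print("mismatch for UJtYZ.txt:", extension_mismatch("UJtYZ.txt", image))
```

A .txt name with a PE32 DLL inside is exactly the combination the sandbox flagged here; the same parser run over a dropped-file directory turns that one signature into a routine check.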

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | UJtYZ.txt.0.dr | false | 1%, Virustotal; URL Reputation: safe | low
ocsp.sectigo.com0 | UJtYZ.txt.0.dr | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0B | UJtYZ.txt.0.dr | false | 0%, Virustotal; URL Reputation: safe | low
crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | UJtYZ.txt.0.dr | false | 0%, Virustotal; URL Reputation: safe | low

All four strings come from the dropped DLL (UJtYZ.txt.0.dr) and are Sectigo CRL, OCSP and CPS URLs of the kind embedded in an Authenticode timestamp certificate chain, not command-and-control addresses. The trailing characters (0r, 0, 0B, 0#) are the DER tag byte 0x30 ('0') and length byte that follow each URL in the certificate, swept up by the string extractor. No traffic to any of them was observed (see Network Behavior).

Contacted IPs

No contacted IP infos

Static File Info

General

File type: ASCII text, with very long lines, with no line terminators
Entropy (8bit): 3.641077725184084
TrID:
File name: my_presentation_t4c.js
File size: 3704140
MD5: 41f0a90ea0ea504797e3532855e0f84e
SHA1: f1bfd6388010c52ffeb7ad715777d336606578f2
SHA256: f9618a3874287470fdf554b82d5466a6c2a39344ec24c0eb82ad810725954a8d
SHA512: 50c5099240adbf4b1c4ccd4084ce17937ec7e64aa2cb4a43fa1f674396660e803fcc8fe8dbab1e0f378e15cd932fb92bcded637fee1921fe627da8aebf24956e
SSDEEP: 6144:N1X5oQqg6caeta3kGNuYVIPZrb7gqO/0+QMoxdY7oLgPSXEgUb5QFCgbFwrp3c4W:SrQFh
File Content Preview: ahewdl=216;;var vcvswqhl=470;;onv=220;;var eaval=360;;cfds=229;;var midfic=417;;ylad=218;;rhewdl=288;;flad=363;;var yfds=239;;sfds=376;;var wcvswqhl=436;;var pfwddvsae=323;;var nnv=350;;var klad=440;;lidivi=237;;xaval=396;;cfwddvsae=281;;qidfic=249;;pidiv
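The two static observations the report makes about the script, the 8-bit entropy and "very long lines, with no line terminators", computed directly, together with a count of the dead-store numeric assignments visible in the content preview (the pattern behind "Java / VBScript file with very long strings (likely obfuscated code)"). This is an added example, not Joe Sandbox code: the obfuscated sample is the report's own preview snippet repeated to make one long line, while the benign sample, the regular expression and the thresholds are assumptions.

```python
"""Added example (not Joe Sandbox code): static triage of a script file.
Computes 8-bit Shannon entropy, line structure and the density of throwaway
"<name>=<integer>;" assignments seen in the report's content preview."""
import math
import re
from collections import Counter

# Constructed from the report's File Content Preview (line-wrap spaces removed).
SNIPPET = ("ahewdl=216;;var vcvswqhl=470;;onv=220;;var eaval=360;;cfds=229;;"
           "var midfic=417;;ylad=218;;rhewdl=288;;flad=363;;var yfds=239;;"
           "sfds=376;;var wcvswqhl=436;;var pfwddvsae=323;;var nnv=350;;"
           "var klad=440;;lidivi=237;;xaval=396;;cfwddvsae=281;;qidfic=249;;")
OBFUSCATED = (SNIPPET * 20).encode()          # one 5 KB line, no newline
BENIGN = b"""function greet(name) {
  var count = 3;
  for (var i = 0; i < count; i++) { WScript.Echo("Hello, " + name); }
}
greet("world");
"""

# "<name>=<integer>;" with an optional "var": the padding pattern in the preview.
JUNK_ASSIGNMENT = re.compile(rb"(?:var\s+)?[A-Za-z_]\w*\s*=\s*\d+;")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform spread over 256 values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_script(data: bytes) -> dict:
    lines = data.splitlines() or [b""]
    junk = JUNK_ASSIGNMENT.findall(data)
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "has_line_terminators": b"\n" in data or b"\r" in data,
        "longest_line": max(len(line) for line in lines),
        "junk_assignments": len(junk),
        "junk_per_kb": len(junk) * 1024 / max(len(data), 1),
    }


def is_suspicious(t: dict, long_line=1000, junk_per_kb=20) -> bool:
    """Heuristic (thresholds assumed): one very long line packed with throwaway numeric assignments."""
    return t["longest_line"] >= long_line and t["junk_per_kb"] >= junk_per_kb


if __name__ == "__main__":
    for label, blob in (("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        t = triage_script(blob)
        print(label, {k: (round(v, 3) if isinstance(v, float) else v) for k, v in t.items()},
              "suspicious" if is_suspicious(t) else "ok")
```

Low entropy (the report measures 3.64 bits per byte over 3.7 MB) is itself a tell here: the padding is made of short identifiers and decimal literals, so the file is large but not compressed or encrypted, which is why the junk-assignment density rather than entropy carries the heuristic.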

File Icon

Icon Hash: e8d69ece968a9ec4

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• wscript.exe • regsvr32.exe • regsvr32.exe


System Behavior

Analysis Process: wscript.exe PID: 3024 Parent PID: 4068

General

Start time: 00:40:11
Start date: 07/05/2020
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\my_presentation_t4c.js'
Imagebase: 0x7ff770ff0000
File size: 163840 bytes
MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source | File Path | Access | Attributes | Options | Completion | Count | Address | Symbol

Source | File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol

Source | File Path | Offset | Length | Completion | Count | Address | Symbol

(Column headers only; the light report lists no rows for this process.)

Analysis Process: regsvr32.exe PID: 4228 Parent PID: 3024

General

Start time: 00:40:48
Start date: 07/05/2020
Path: C:\Windows\System32\regsvr32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\UJtYZ.txt
Imagebase: 0x7ff61c550000
File size: 24064 bytes
MD5 hash: D78B75FC68247E8A63ACBA846182740E
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

File Activities

File Read

Source | File Path | Offset | Length | Completion | Count | Address | Symbol
| C:\Users\user\AppData\Local\Temp\UJtYZ.txt | unknown | 64 | success or wait | 1 | 7FF61C5510E3 | ReadFile
| C:\Users\user\AppData\Local\Temp\UJtYZ.txt | unknown | 264 | success or wait | 1 | 7FF61C551125 | ReadFile

The two read lengths are the sizes of IMAGE_DOS_HEADER (64 bytes) and IMAGE_NT_HEADERS64 (264 bytes): the 64-bit regsvr32.exe inspects the headers, finds a 32-bit image, and hands it to the SysWOW64 copy (PID 5092) instead of loading it itself, which is why no further file activity appears for this process.

Analysis Process: regsvr32.exe PID: 5092 Parent PID: 4228

General

Start time: 00:40:48
Start date: 07/05/2020
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: -s C:\Users\user\AppData\Local\Temp\\UJtYZ.txt
Imagebase: 0x170000
File size: 20992 bytes
MD5 hash: 426E7499F6A7346F0410DEAD0805586B
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis
