ID: 186805
Sample Name: mkdir-p-sync-ex.js
Cookbook: default.jbs
Time: 07:29:40
Date: 01/11/2019
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report mkdir-p-sync-ex.js 4
Overview 4
General Information 4
Detection 4
Confidence 4
Classification 5
Mitre Att&ck Matrix 5
Signature Overview 6
System Summary: 6
Hooking and other Techniques for Hiding and Protection: 6
Malware Analysis System Evasion: 6
Language, Device and Operating System Detection: 6
Behavior Graph 6
Simulations 7
Behavior and APIs 7
Antivirus, Machine Learning and Genetic Malware Detection 7
Initial Sample 7
Dropped Files 7
Unpacked PE Files 7
Domains 7
URLs 7
Yara Overview 8
Initial Sample 8
PCAP (Network Traffic) 8
Dropped Files 8
Memory Dumps 8
Unpacked PEs 8
Sigma Overview 8
Joe Sandbox View / Context 8
IPs 8
Domains 8
ASN 8
JA3 Fingerprints 8
Dropped Files 8
Screenshots 8
Thumbnails 8
Startup 9
Created / dropped Files 9
Domains and IPs 9
Contacted Domains 9
Contacted IPs 10
Static File Info 10
General 10
File Icon 10
Network Behavior 10
Code Manipulations 10
Statistics 10
System Behavior 10
Analysis Process: wscript.exe PID: 1192 Parent PID: 1176 10
General 10
File Activities 11
Disassembly 11
Code Analysis 11
JavaScript Code 11
Script: 11
Code 11

Copyright Joe Security LLC 2019 Page 2 of 11

Analysis Report mkdir-p-sync-ex.js

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 186805
Start date: 01.11.2019
Start time: 07:29:40
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: mkdir-p-sync-ex.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, GSI enabled (Javascript), AMSI enabled
Analysis stop reason:
Detection: CLEAN
Classification: clean1.winJS@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .js; Stop behavior analysis, all processes terminated

Warnings:

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtProtectVirtualMemory calls found.

Detection

Strategy: Threshold
Score: 1
Range: 0 - 100
Reporting:
Whitelisted: false
Detection:

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false
Confidence:

Classification

Classification diagram: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean.

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Scripting 2; Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Port Monitors; Accessibility Features
Defense Evasion: Scripting 2; Obfuscated Files or Information 1
Credential Access: Credential Dumping; Network Sniffing
Discovery: Query Registry 1; Application Window Discovery
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Data Obfuscation; Fallback Channels

Signature Overview

• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection


System Summary:

Java / VBScript file with very long strings (likely obfuscated code)

Classification label

Reads software policies

Uses an in-process (OLE) Automation server

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Found WSH timer for Javascript or VBS script (likely evasive script)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net # or VB.NET, C, C++ or other language, Is malicious, Internet

ID: 186805
Sample: mkdir-p-sync-ex.js
Startdate: 01/11/2019
Architecture: WINDOWS
Score: 1

started: wscript.exe

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: mkdir-p-sync-ex.js, Detection: 0%, Scanner: Virustotal, Label: (none)
Source: mkdir-p-sync-ex.js, Detection: 0%, Scanner: Metadefender, Label: (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64

wscript.exe (PID: 1192, cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\mkdir-p-sync-ex.js', MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type: ASCII text, with CRLF line terminators
Entropy (8bit): 4.837652228056559
TrID:
File name: mkdir-p-sync-ex.js
File size: 629
MD5: 59841a76a145854f9a39b13aaaa1dcee
SHA1: 3b852a83060b9650eb70a1554be5f306637ea772
SHA256: 9fd1e7c4d9584b53aa2af4dfda27c2042e94d288c76ddf0b0484cbb764698829
SHA512: c39fd4d332edd17aab288439e9862e821804a118c4d12754345df86842a5ee39d85e4403571513da8fd65d16d29466d2493b5699fbee83103d45b71eda130596
SSDEEP: 12:jfJVocE+o7EyMlR7Y2ieg5k2RjOV4ViV4KmVv:lvEtExOyQPRjO+Vi+Kkv
File Content Preview: // require dependencies....'use strict';....var co = require('co');..try {.. var mkdirParentsSync = require('../lib/mkdir-parents').sync;..} catch (err) {.. var mkdirParentsSync = require('mkdir-parents').sync;..}....var fs = require('fs');....var dir =

File Icon

Icon Hash: e8d69ece968a9ec4

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: wscript.exe PID: 1192 Parent PID: 1176

General

Start time: 07:30:45
Start date: 01/11/2019
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\mkdir-p-sync-ex.js'
Imagebase: 0x7ff6c7af0000
File size: 163840 bytes
MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Offset Length Completion Count Address Symbol

Disassembly

Code Analysis

JavaScript Code

Script:

Code

'use strict';
var co = require('co');
try {
    var mkdirParentsSync = require('../lib/mkdir-parents').sync;
} catch (err) {
    var mkdirParentsSync = require('mkdir-parents').sync;
}
var fs = require('fs');
var dir = '/tmp/deep/dir';
var mode = parseInt('0777', 8);
try {
    mkdirParentsSync(dir, mode);
    console.log(dir + ' created with perm 0' + mode.toString(8));
} catch (err) {
    console.log(dir + ' cant created with status ' + err);
    try {
        fs.rmdirSync('/tmp/deep/dir');
    } catch (err) {
    }
    try {
        fs.rmdirSync('/tmp/deep');
    } catch (err) {
    }
}
