ID: 186805 Sample Name: mkdir-p-sync-ex.js Cookbook: default.jbs Time: 07:29:40 Date: 01/11/2019 Version: 28.0.0 Lapis Lazuli
Table of Contents
Table of Contents ... 2
Analysis Report mkdir-p-sync-ex.js ... 4
Overview ... 4: General Information 4; Detection 4; Confidence 4; Classification 5; Mitre Att&ck Matrix 5
Signature Overview ... 6: System Summary 6; Hooking and other Techniques for Hiding and Protection 6; Malware Analysis System Evasion 6; Language, Device and Operating System Detection 6
Behavior Graph ... 6
Simulations ... 7: Behavior and APIs 7
Antivirus, Machine Learning and Genetic Malware Detection ... 7: Initial Sample 7; Dropped Files 7; Unpacked PE Files 7; Domains 7; URLs 7
Yara Overview ... 8: Initial Sample 8; PCAP (Network Traffic) 8; Dropped Files 8; Memory Dumps 8; Unpacked PEs 8
Sigma Overview ... 8
Joe Sandbox View / Context ... 8: IPs 8; Domains 8; ASN 8; JA3 Fingerprints 8; Dropped Files 8
Screenshots ... 8: Thumbnails 8
Startup ... 9
Created / dropped Files ... 9
Domains and IPs ... 9: Contacted Domains 9; Contacted IPs 10
Static File Info ... 10: General 10; File Icon 10
Network Behavior ... 10
Code Manipulations ... 10
Statistics ... 10
System Behavior ... 10: Analysis Process: wscript.exe PID: 1192 Parent PID: 1176 10; General 10; File Activities 11
Disassembly ... 11: Code Analysis 11; JavaScript Code 11; Script: 11; Code 11
Copyright Joe Security LLC 2019
Analysis Report mkdir-p-sync-ex.js
Overview
General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 186805
Start date: 01.11.2019
Start time: 07:29:40
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: mkdir-p-sync-ex.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, GSI enabled (Javascript), AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean1.winJS@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .js; Stop behavior analysis, all processes terminated
Warnings: Exclude process from analysis (whitelisted): dllhost.exe; Report size getting too big, too many NtProtectVirtualMemory calls found.
Detection
Strategy  | Score | Range   | Reporting | Whitelisted | Detection
Threshold | 1     | 0 - 100 |           | false       |
Confidence
Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      |
Classification
Classification gauge (figure): categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean. This sample is rated clean.
Mitre Att&ck Matrix
Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Scripting 2; Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Port Monitors; Accessibility Features
Defense Evasion: Scripting 2; Obfuscated Files or Information 1
Credential Access: Credential Dumping; Network Sniffing
Discovery: Query Registry 1; Application Window Discovery
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Data Obfuscation; Fallback Channels
Signature Overview
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection
System Summary:
Java / VBScript file with very long strings (likely obfuscated code)
Classification label
Reads software policies
Uses an in-process (OLE) Automation server
Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)
Malware Analysis System Evasion:
Found WSH timer for Javascript or VBS script (likely evasive script)
Language, Device and Operating System Detection:
Queries the cryptographic machine GUID
Behavior Graph
Behavior graph (figure): ID 186805; Sample mkdir-p-sync-ex.js; Startdate 01/11/2019; Architecture WINDOWS; Score 1. A single process, wscript.exe, is started; no dropped files, DNS/IP contacts or malicious indicators are shown.
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
Simulations
Behavior and APIs
No simulations
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source              | Detection | Scanner     | Label | Link
mkdir-p-sync-ex.js  | 0%        | Virustotal  |       | Browse
mkdir-p-sync-ex.js  | 0%        | Metadefender |      | Browse
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
No Antivirus matches
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Sigma Overview
No Sigma rule has matched
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Startup
System is w10x64
wscript.exe (PID: 1192, cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\mkdir-p-sync-ex.js', MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
Created / dropped Files
No created / dropped files found
Domains and IPs
Contacted Domains
No contacted domains info
Contacted IPs
No contacted IP infos
Static File Info
General
File type: ASCII text, with CRLF line terminators
Entropy (8bit): 4.837652228056559
TrID:
File name: mkdir-p-sync-ex.js
File size: 629
MD5: 59841a76a145854f9a39b13aaaa1dcee
SHA1: 3b852a83060b9650eb70a1554be5f306637ea772
SHA256: 9fd1e7c4d9584b53aa2af4dfda27c2042e94d288c76ddf0b0484cbb764698829
SHA512: c39fd4d332edd17aab288439e9862e821804a118c4d12754345df86842a5ee39d85e4403571513da8fd65d16d29466d2493b5699fbee83103d45b71eda130596
SSDEEP: 12:jfJVocE+o7EyMlR7Y2ieg5k2RjOV4ViV4KmVv:lvEtExOyQPRjO+Vi+Kkv
File Content Preview: // require dependencies....'use strict';....var co = require('co');..try {.. var mkdirParentsSync = require('../lib/mkdir-parents').sync;..} catch (err) {.. var mkdirParentsSync = require('mkdir-parents').sync;..}....var fs = require('fs');.... var dir =
File Icon
Icon Hash: e8d69ece968a9ec4
Network Behavior
No network behavior found
Code Manipulations
Statistics
System Behavior
Analysis Process: wscript.exe PID: 1192 Parent PID: 1176
General
Start time: 07:30:45
Start date: 01/11/2019
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\Desktop\mkdir-p-sync-ex.js'
Imagebase: 0x7ff6c7af0000
File size: 163840 bytes
MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
File Activities
Source File Path Offset Length Completion Count Address Symbol
Disassembly
Code Analysis
JavaScript Code
Script:
Code

```javascript
'use strict';
// Node.js module script: require() does not exist under WScript, so this sample
// cannot run as intended in the Windows Script Host.
var co = require('co'); // loaded but never used below
try {
  var mkdirParentsSync = require('../lib/mkdir-parents').sync;
} catch (err) {
  var mkdirParentsSync = require('mkdir-parents').sync;
}
var fs = require('fs');
var dir = '/tmp/deep/dir';
var mode = parseInt('0777', 8);
try {
  // create the directory and all missing parents with the given mode
  mkdirParentsSync(dir, mode);
  console.log(dir + ' created with perm 0' + mode.toString(8));
} catch (err) {
  console.log(dir + ' cant created with status ' + err);
  // best-effort cleanup of anything partially created
  try {
    fs.rmdirSync('/tmp/deep/dir');
  } catch (err) {
  }
  try {
    fs.rmdirSync('/tmp/deep');
  } catch (err) {
  }
}
```