Automated Malware Analysis Report for phish_survey.js

ID: 382893
Sample Name: phish_survey.js
Cookbook: default.jbs
Time: 20:27:42
Date: 06/04/2021
Version: 31.0.0 Emerald
Copyright Joe Security LLC 2021

Analysis Report phish_survey.js

Overview

General Information
  Sample Name: phish_survey.js
  Analysis ID: 382893
  MD5: b3c1f68ef7299a7…
  SHA1: b8e9103fffa864a…
  SHA256: 3dff3ec3f9cc6fd9…

Detection
  Score: 1 (range 0 - 100)
  Whitelisted: false
  Confidence: 100%
  Verdict: clean (the report's scale is malicious / suspicious / clean)

Signatures (names as printed in the report, truncated there)
  Found WSH timer for Javascript or V…
  Java / VBScript file with very long str…
  Program does not show much activi…

Classification
  Category wheel (legend only): Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware.
  Classification string: clean1.winJS@1/0@0/0

Reading the verdict: the run ended by timeout, the number of executed functions is 0, and every URL recovered from the file is a project, license, bug-tracker or CDN URL of common browser-side libraries (jQuery File Upload, signature_pad, Highcharts, Chosen, fingerprintjs, hls.js, dash.js, flv.js). That is consistent with a web-page script bundle rather than a Windows Script Host dropper. A bundle of that kind cannot run meaningfully under wscript.exe, where browser objects such as document and window do not exist, so a clean score from this run says little about what the file does in a browser; the "very long strings" and "WSH timer" signatures are static heuristics that can fire on bundled library code as well. Treat the result as "did nothing under WSH", not as "benign".

Startup
  System is w10x64
  wscript.exe (PID: 6168, Parent PID: 3388, cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\phish_survey.js', MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  cleanup

Malware Configuration
  No configs have been found

Yara Overview
  No yara matches

Sigma Overview
  No Sigma rule has matched

Signature Overview
  Signature groups present: Networking; System Summary; Hooking and other Techniques for Hiding and Protection; Malware Analysis System Evasion; Anti Debugging; Language, Device and Operating System Detection.
  There are no malicious signatures.

Mitre Att&ck Matrix
  Techniques with matched signatures (count in parentheses):
    Execution: Scripting (2)
    Defense Evasion: Scripting (2); Obfuscated Files or Information (1)
    Discovery: System Information Discovery (2)
  The remaining cells of the matrix carry no count: Valid Accounts, Default Accounts (Initial Access); Scheduled Task/Job (Execution); Path Interception, Boot or Logon Initialization Scripts (Persistence, Privilege Escalation); OS Credential Dumping, LSASS Memory (Credential Access); Application Window Discovery (Discovery); Remote Services, Remote Desktop Protocol (Lateral Movement); Data from Local System, Data from Removable Media (Collection); Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth (Exfiltration); Data Obfuscation, Junk Data (Command and Control); Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS (Network Effects); Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization (Remote Service Effects); Modify System Partition, Device Lockout (Impact).

Behavior Graph
  ID: 382893; Sample: phish_survey.js; Startdate: 06/04/2021; Architecture: WINDOWS; Score: 1
  The graph holds a single node, wscript.exe (started); no created-file, dropped-file or DNS/IP nodes are shown.

Screenshots
  Thumbnails: not reproduced in this text extraction.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
  phish_survey.js: 0% (Virustotal, Browse)

Dropped Files
  No Antivirus matches

Unpacked PE Files
  No Antivirus matches

Domains
  No Antivirus matches

URLs (Source; Detection; Scanner; Label)
  j.hn/): 0%, URL Reputation, safe (listed four times)
  dynarch.com/jscal/#sec3: 0%, Virustotal, Browse; 0%, Avira URL Cloud, safe
  viljamis.com/blog/2012/file-upload-support-on-mobile/: 0%, Virustotal, Browse; 0%, Avira URL Cloud, safe
  https://blueimp.net: 0%, URL Reputation, safe (listed four times)
  valve.github.io: 0%, Virustotal, Browse; 0%, Avira URL Cloud, safe
  https://cdn.dashjs.org/latest/dash.all.min.js: 0%, Virustotal, Browse; 0%, Avira URL Cloud, safe

Domains and IPs

Contacted Domains
  No contacted domains info

URLs from Memory and Binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
  j.hn/) | phish_survey.js | false | URL Reputation: safe (four entries) | unknown
  bugs.jquery.com/ticket/11820 | phish_survey.js | false | - | high
  https://github.com/blueimp/jQuery-File-Upload | phish_survey.js | false | - | high
  https://github.com/szimek/signature_pad | phish_survey.js | false | - | high
  www.highcharts.com | phish_survey.js | false | - | high
  www.modernizr.com/) | phish_survey.js | false | - | high
  https://opensource.org/licenses/MIT | phish_survey.js | false | - | high
  jqueryui.com | phish_survey.js | false | - | high
  https://github.com/harvesthq/chosen | phish_survey.js | false | - | high
  https://bugzilla.mozilla.org/show_bug.cgi?id=781447 | phish_survey.js | false | - | high
  https://github.com/thesmart | phish_survey.js | false | - | high
  dynarch.com/jscal/#sec3 | phish_survey.js | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
  https://www.youtube.com/player_api | phish_survey.js | false | - | high
  viljamis.com/blog/2012/file-upload-support-on-mobile/ | phish_survey.js | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
  benalman.com/about/license/ | phish_survey.js | false | - | high
  https://raw.github.com/jashkenas/underscore/master/LICENSE | phish_survey.js | false | - | high
  benalman.com/projects/jquery-throttle-debounce-plugin/ | phish_survey.js | false | - | high
  https://blueimp.net | phish_survey.js | false | URL Reputation: safe (four entries) | unknown
  https://github.com/jashkenas/underscore | phish_survey.js | false | - | high
  https://raw.github.com/thesmart/jquery-scrollspy/master/LICENSE | phish_survey.js | false | - | high
  code.highcharts.com/4.2.3/gfx/vml-radial-gradient.png | phish_survey.js | false | - | high
  bugs.jquery.com/ticket/13335 | phish_survey.js | false | - | high
  https://cdnjs.cloudflare.com/ajax/libs/hls.js/0.7.11/hls.min.js | phish_survey.js | false | - | high
  https://img.youtube.com/vi/ | phish_survey.js | false | - | high
  www.opensource.org/licenses/mit-license.php) | phish_survey.js | false | - | high
  https://github.com/harvesthq/chosen/blob/master/LICENSE.md | phish_survey.js | false | - | high
  https://github.com/Valve/fingerprintjs | phish_survey.js | false | - | high
  https://github.com/promises-aplus/promises-spec#the-promise-resolution-procedure | phish_survey.js | false | - | high
  flesler.blogspot.com | phish_survey.js | false | - | high
  blog.alexmaccaw.com/css-transitions | phish_survey.js | false | - | high
  https://github.com/blueimp/jQuery-File-Upload/wiki/Setup#content-type-negotiation | phish_survey.js | false | - | high
  valve.github.io | wscript.exe, 00000000.00000003.194865310.00000178093E9000.00000004.00000001.sdmp, phish_survey.js | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
  https://cdnjs.cloudflare.com/ajax/libs/flv.js/1.3.2/flv.min.js | phish_survey.js | false | - | high
  code.highcharts.com/modules/canvas-tools.js | phish_survey.js | false | - | high
  github.com/garycourt/murmurhash-js | phish_survey.js | false | - | high
  www.mediaelementjs.com/ | phish_survey.js | false | - | high
  getharvest.com | phish_survey.js | false | - | high
  https://cdn.dashjs.org/latest/dash.all.min.js | phish_survey.js | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown

Contacted IPs
  No contacted IP infos

General Information
  Joe Sandbox Version: 31.0.0 Emerald
  Analysis ID: 382893
  Start date: 06.04.2021
  Start time: 20:27:42
  Joe Sandbox Product: CloudBasic
  Overall analysis duration: 0h 7m 11s
  Hypervisor based Inspection enabled: false
  Report type: light
  Sample file name: phish_survey.js
  Cookbook file name: default.jbs
  Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
  Number of analysed new started processes analysed: 40
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
  Analysis Mode: default
  Analysis stop reason: Timeout
  Detection: CLEAN
  Classification: clean1.winJS@1/0@0/0
  EGA Information: Failed
  HDC Information: Failed
  HCA Information: Successful, ratio: 100%
  Number of executed functions: 0
  Number of non-executed functions: 0
  Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .js

System Behavior
  Analysis Process: wscript.exe, PID: 6168, Parent PID: 3388 (General and File Activities details are not included in this light report extraction)
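The static side of what the report shows (file digests to compare with the header, URL-like strings as in "URLs from Memory and Binaries", the "very long strings" and "WSH timer" heuristics, and a guess at whether the script expects Windows Script Host or a browser) can be reproduced locally before a sample is submitted. The following Python script is an added editor's example, not code from the Joe Sandbox report or product. Assumptions: the 2000-character threshold for a "very long" string literal is chosen here (the report does not state Joe Sandbox's cut-off), the API lists used for host detection are the editor's, and the sample text is constructed to resemble the library-bundle pattern seen in the report.

```python
"""Static triage for a .js sample: hashes, URLs, long-string and timer heuristics."""
import hashlib
import re

# Assumption: Joe Sandbox does not publish its "very long string" cut-off;
# 2000 characters is a value chosen for this example.
LONG_STRING_THRESHOLD = 2000

URL_RE = re.compile(r"(?:https?://|www\.)[\w./#?=&%~-]+")
# Single- or double-quoted literal on one line, with backslash escapes.
STRING_LITERAL_RE = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'')
# Delay primitives in WSH (WScript.Sleep) and in browsers (setTimeout/setInterval).
TIMER_RE = re.compile(r"\b(WScript\.Sleep|setTimeout|setInterval)\s*\(")
# Editor's rough indicators of the host the script was written for.
WSH_API_RE = re.compile(r"\b(WScript\.\w+|new\s+ActiveXObject)\b")
BROWSER_API_RE = re.compile(r"\b(document|window|navigator|jQuery)\.|\$\(")


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the raw bytes, to cross-check against the report header."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_urls(text: str) -> list:
    """Unique URL-like strings in first-seen order, trailing punctuation stripped."""
    seen, out = set(), []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,)")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def longest_string_literal(text: str) -> int:
    """Length of the longest quoted literal, not counting the quotes."""
    return max((len(m.group(0)) - 2 for m in STRING_LITERAL_RE.finditer(text)), default=0)


def timer_calls(text: str) -> list:
    """Sorted, de-duplicated names of timer/sleep calls found in the script."""
    return sorted({m.group(1) for m in TIMER_RE.finditer(text)})


def host_profile(text: str) -> str:
    """'wsh', 'browser', 'mixed' or 'unknown', from the APIs the script references."""
    wsh = bool(WSH_API_RE.search(text))
    browser = bool(BROWSER_API_RE.search(text))
    if wsh and browser:
        return "mixed"
    if wsh:
        return "wsh"
    if browser:
        return "browser"
    return "unknown"


def triage(data: bytes) -> dict:
    """Run every static check over the file bytes and return one summary dict."""
    text = data.decode("utf-8", errors="replace")
    longest = longest_string_literal(text)
    return {
        **file_hashes(data),
        "urls": extract_urls(text),
        "timers": timer_calls(text),
        "host": host_profile(text),
        "longest_string": longest,
        "very_long_strings": longest >= LONG_STRING_THRESHOLD,
    }


# Constructed sample: a browser library bundle with license URLs in a header
# comment, a 2400-character literal and a setTimeout call. Not the real file.
SAMPLE = (
    "/*! jQuery File Upload - https://github.com/blueimp/jQuery-File-Upload\n"
    " * Licensed under the MIT license: https://opensource.org/licenses/MIT */\n"
    "(function ($) {\n"
    '  var blob = "' + "QUJD" * 600 + '";\n'
    "  $(document).ready(function () {\n"
    "    setTimeout(function () { window.location.hash = '#sec3'; }, 500);\n"
    "  });\n"
    "})(jQuery);\n"
).encode()

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample the host profile comes back "browser" while both heuristics that the report's signatures correspond to (a literal over the threshold, a timer call) still fire, which is the situation the verdict note above describes: the static signatures are satisfied by ordinary bundled library code, and the host profile is the field that tells you whether a wscript.exe run could have exercised it at all.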
