Automated Malware Analysis Report for My Presentation T4c.Js

ID: 228134
Sample Name: my_presentation_t4c.js
Cookbook: default.jbs
Time: 00:39:45
Date: 07/05/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

  Table of Contents  2
  Analysis Report my_presentation_t4c.js  4
    Overview  4
      General Information  4
      Detection  4
      Confidence  5
      Classification Spiderchart  5
      Analysis Advice  6
      Mitre Att&ck Matrix  6
      Signature Overview  7
        AV Detection  7
        Spreading  7
        Networking  7
        Key, Mouse, Clipboard, Microphone and Screen Capturing  7
        System Summary  7
        Data Obfuscation  8
        Persistence and Installation Behavior  8
        Hooking and other Techniques for Hiding and Protection  8
        Malware Analysis System Evasion  8
        Anti Debugging  8
        HIPS / PFW / Operating System Protection Evasion  8
        Language, Device and Operating System Detection  8
    Malware Configuration  9
    Behavior Graph  9
    Simulations  9
      Behavior and APIs  9
    Antivirus, Machine Learning and Genetic Malware Detection  9
      Initial Sample  9
      Dropped Files  9
      Unpacked PE Files  10
      Domains  10
      URLs  10
    Yara Overview  10
      Initial Sample  10
      PCAP (Network Traffic)  10
      Dropped Files  10
      Memory Dumps  10
      Unpacked PEs  10
    Sigma Overview  10
      System Summary  10
    Joe Sandbox View / Context  10
      IPs  10
      Domains  11
      ASN  11
      JA3 Fingerprints  11
      Dropped Files  11
    Screenshots  11
      Thumbnails  11
    Startup  12
    Created / dropped Files  12
    Domains and IPs  12
      Contacted Domains  12
      URLs from Memory and Binaries  12
      Contacted IPs  12
    Static File Info  13
      General  13
      File Icon  13
    Network Behavior  13
    Code Manipulations  13
    Statistics  13
      Behavior  13
    System Behavior  14
      Analysis Process: wscript.exe PID: 3024 Parent PID: 4068  14
        General  14
        File Activities  14
      Analysis Process: regsvr32.exe PID: 4228 Parent PID: 3024  14
        General  14
        File Activities  14
        File Read  14
      Analysis Process: regsvr32.exe PID: 5092 Parent PID: 4228  14
        General  14
    Disassembly  15
      Code Analysis  15

Copyright Joe Security LLC 2020 Page 2 of 15

Analysis Report my_presentation_t4c.js

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 228134
Start date: 07.05.2020
Start time: 00:39:45
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 22s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: my_presentation_t4c.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Without Instrumentation
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.evad.winJS@5/1@0/0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 45.2% (good quality ratio 37.8%); Quality average: 62.8%; Quality standard deviation: 32.7%
HCA Information: Successful, ratio: 82%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Start process as user (medium integrity level)
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, WmiPrvSE.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy    Score   Range     Reporting   Whitelisted   Detection
Threshold   84      0 - 100   -           false         MAL

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false                        -

Classification Spiderchart

(Figure: spider chart with axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale malicious / suspicious / clean.)

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior.

Mitre Att&ck Matrix

Techniques listed per tactic; the trailing numerals are the report's signature cross-references for techniques the sample triggered.

  Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment
  Execution: Windows Management Instrumentation (1); Scripting (2); Execution through API (2); Exploitation for Client Execution (1); Command-Line Interface; Graphical User Interface; Scripting
  Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception
  Privilege Escalation: Process Injection (1 2); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task
  Defense Evasion: Masquerading (1); Process Injection (1 2); Scripting (2); Obfuscated Files or Information (2); DLL Side-Loading (1); DLL Search Order Hijacking; Software Packing
  Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception
  Discovery: System Time Discovery (1); Process Discovery (1); Account Discovery (1); System Owner/User Discovery (1); Security Software Discovery (1); File and Directory Discovery (2); System Information Discovery (3 4)
  Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash
  Collection: Clipboard Data (2); Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection
  Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel
  Command and Control: Standard Cryptographic Protocol (1); Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port
  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points

Signature Overview

  • AV Detection
  • Spreading
  • Networking
  • Key, Mouse, Clipboard, Microphone and Screen Capturing
  • System Summary
  • Data Obfuscation
  • Persistence and Installation Behavior
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • Anti Debugging
  • HIPS / PFW / Operating System Protection Evasion
  • Language, Device and Operating System Detection

AV Detection:
  • Antivirus detection for dropped file
  • Multi AV Scanner detection for dropped file
  • Machine Learning detection for dropped file

Spreading:
  • Contains functionality to enumerate / list files inside a directory

Networking:
  • Urls found in memory or binary data

Key, Mouse, Clipboard, Microphone and Screen Capturing:
  • Contains functionality for read data from the clipboard
  • Contains functionality to read the clipboard data

System Summary:
  • Writes or reads registry keys via WMI
  • Contains functionality to call native functions
  • Detected potential crypto function
  • Java / VBScript file with very long strings (likely obfuscated code)
  • Tries to load missing DLLs
  • Classification label
  • Creates temporary files
  • Reads ini files
  • Reads software policies
  • Spawns processes
  • Uses an in-process (OLE) Automation server
  • Submission file is bigger than most known malware samples

Data Obfuscation:
  • Contains functionality to dynamically determine API calls
  • Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:
  • Drops PE files
  • Drops files with a non-matching file extension (content does not match file extension)

Hooking and other Techniques for Hiding and Protection:
  • Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:
  • Found WSH timer for Javascript or VBS script (likely evasive script)
  • Found evasive API chain checking for process token information
  • Contains functionality to enumerate / list files inside a directory

Anti Debugging:
  • Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
  • Contains functionality to dynamically determine API calls
  • Contains functionality to register its own exception handler

HIPS / PFW / Operating System Protection Evasion:
  • Benign windows process drops PE files
  • Creates a process in suspended mode (likely to inject code)
  • May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:
  • Contains functionality locales information (e.g. system language)
  • Contains functionality to query CPU information (cpuid)
  • Queries the installation date of Windows
  • Contains functionality to query local / system time
  • Contains functionality to query the account / user name
  • Contains functionality to query windows version
  • Queries the cryptographic machine GUID

Malware Configuration

No configs have been found

Behavior