
Windows Analysis Report hotjar script.js

Overview

General Information

Sample Name:hotjar script.js
Analysis ID:475181
MD5:f92df74950979024996904423bce61cd
SHA1:8f5e3917e51d3bd9b0575ca6ef70f3fe79d2f520
SHA256:672525efe859722047a3914aaba25eae8fe7c9e6efcda5d275ed97415175552f
Detection

Score:21
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Potential obfuscated javascript found
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Java / VBScript file with very long strings (likely obfuscated code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Classification chart (axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious). The engine's label for this sample is given below under Classification label.

Process Tree
  • System is w10x64
  • wscript.exe (PID: 3120 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\hotjar script.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


Strings found in binary or memory (URLs), grouped by where they were seen:
  • In wscript.exe memory, dump 00000001.00000003.670520979.0000023C088F1000.00000004.00000001.sdmp:
    https://developer.mozilla.org/en-US/docs/DOM/MutationObserver
    https://hotjar.com
    https://identify.hotjar.com
    https://surveystats.hotjar.io/hit
    https://vc.hotjar.io/sessions
  • In wscript.exe memory, dump 00000001.00000003.659738495.0000023C0860B000.00000004.00000001.sdmp:
    https://help.hotjar.com/hc/en-us/articles/115011819488-How-to-Tag-your-Hotjar-Recordings
    https://www.hotjar.com/?utm_source=client&utm_medium=survey&utm_campaign=insights
    https://www.hotjar.com/feedback-surveys?utm_source=client&utm_medium=poll&utm_campaign=insights
    https://www.hotjar.com/incoming-feedback?utm_source=client&utm_medium=incoming_feedback&utm_campaign (truncated in the report)
  • In the sample file hotjar script.js only:
    https://www.hotjarconsent.com
  • In both the sample file and the 659738495 dump:
    https://www.hotjarconsent.com/de.html
    https://www.hotjarconsent.com/el.html
    https://www.hotjarconsent.com/es.html
    https://www.hotjarconsent.com/fi.html
    https://www.hotjarconsent.com/fr.html
    https://www.hotjarconsent.com/it.html
    https://www.hotjarconsent.com/nl.html
    https://www.hotjarconsent.com/pl.html
    https://www.hotjarconsent.com/pt.html
    https://www.hotjarconsent.com/pt_br.html
    https://www.hotjarconsent.com/ru.html
    https://www.hotjarconsent.com/sq.html
    https://www.hotjarconsent.com/sv.html
  • In the sample file and both dumps:
    https://www.hotjarconsent.com/zh.html

Initial sample hotjar script.js: strings found which are bigger than 50

Registry activity of C:\Windows\System32\wscript.exe:
  • Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 (the CLSID of the JScript language engine; the host resolving the engine for a .js file)
  • Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the key under which Software Restriction Policies are stored; Windows Script Host honours SRP and reads it before running a script)

Classification engine label: sus21.evad.winJS@1/0@0/0

Data Obfuscation:

Potential obfuscated javascript found
  • Initial file hotjar script.js: high amount of function use (797)
  • hotjar script.js, string: entropy 5.66, length 278, content: "\xe4\xb8\xba\xe4\xba\x2020\xe8\xbf\x90\xe8\x90\xa5\xe5\x2019\x0152\xe6\x201d\xb9\xe5\x2013\x201eHot
  • hotjar script.js, string: entropy 5.44, length 230, content: "\xe5\xb0\x2021\xe6\x201a\xa8\xe7\x0161\x201e\xe6\x201e\x8f\xe8\xa6\x2039\xe5\x8f\x8d\xe6\x2021\x203

The escaped bytes in both strings are UTF-8 multibyte sequences for Chinese text (the first opens with E4 B8 BA, the encoding of 为, and ends in "Hot", the start of "Hotjar"); bytes above 0x7F are rendered here as Windows-1252 code points (\x2020 is byte 0x86, \x0152 is byte 0x8C). Multibyte text raises byte entropy without encoding any code, so these hits need confirmation before they count as obfuscation. The zh.html consent URL listed above is the matching localisation.

Other wscript.exe behaviour recorded by the signatures:
  • Process information set: NOOPENFILEERRORBOX (reported twice)
  • Window found: window name WSH-Timer
  • Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
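The obfuscation signatures in this report fire on measurable properties of the text: string literals longer than 50 characters, string entropy (5.66 and 5.44 bits in the two hits) and 797 uses of "function". A minified browser bundle shows all three (the File Content Preview later in this report begins with a webpack-style module loader), so a score of 21 built on these heuristics cannot by itself tell a bundle from a dropper. The code below is an added example, not code from the report or from Hotjar: it recomputes those heuristics on two constructed fragments and adds the check a triage analyst would make first, whether the script references Windows Script Host objects (ActiveXObject, WScript.Shell and so on) or only browser APIs (document, MutationObserver) that wscript.exe does not provide. Entropy is computed both over bytes and over code points, because a UTF-8 encoded Chinese string, like the ones flagged here, scores high on the former without encoding anything. Both samples, the token lists and the verdict names are this example's own assumptions.

```python
"""Static triage of a JScript sample against the heuristics this report fires
on (strings longer than 50 characters, string entropy, heavy use of 'function'),
plus a check the report does not make: does the code reference Windows Script
Host objects at all, or only browser APIs? Added example; not code from the
report or from Hotjar. The two samples below are constructed."""
import math
import re
from collections import Counter

# Constructed: a minified webpack-style bundle fragment with a UTF-8 CJK string
# literal, of the kind the report's "high entropy" hits point at.
BROWSER_SAMPLE = (
    '!function(e){var t={};function n(i){if(t[i])return t[i].exports;'
    'var r=t[i]={i:i,l:!1,exports:{}};return e[i].call(r.exports,r,r.exports,n),'
    'r.l=!0,r.exports}'
    'var msg="为了改善您的体验，我们使用 Hotjar 记录会话。详情请见 https://www.hotjarconsent.com/zh.html";'
    'new MutationObserver(function(){}).observe(document.body,{childList:!0});'
)
# Constructed: a fragment that only makes sense under wscript.exe / cscript.exe.
WSH_SAMPLE = (
    'var sh=new ActiveXObject("WScript.Shell");'
    'var x=WScript.CreateObject("MSXML2.XMLHTTP");'
    'sh.Run("cmd /c echo hello",0,true);'
)

STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
# Assumed token lists; extend to taste. WSH tokens are COM/WSH-only names,
# browser tokens are DOM/BOM names that the script host never defines.
WSH_TOKENS = ("WScript", "ActiveXObject", "CreateObject", "WScript.Shell",
              "Scripting.FileSystemObject", "Shell.Application",
              "MSXML2.XMLHTTP", "ADODB.Stream")
BROWSER_TOKENS = ("document", "window", "navigator", "MutationObserver",
                  "localStorage", "XMLHttpRequest")


def shannon_entropy(symbols) -> float:
    """Bits per symbol. Pass bytes to get the byte entropy a sandbox reports,
    or a str to measure over code points instead."""
    counts = Counter(symbols)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def string_literals(src: str) -> list:
    return [a or b for a, b in STRING_LITERAL.findall(src)]


def long_strings(src: str, min_len: int = 50) -> list:
    """Mirrors 'Strings found which are bigger than 50'."""
    return [s for s in string_literals(src) if len(s) > min_len]


def function_use_count(src: str) -> int:
    """Mirrors 'High amount of function use'."""
    return len(re.findall(r"\bfunction\b", src))


def host_apis(src: str) -> dict:
    """Which WSH-only and which browser-only names the source refers to."""
    def found(tokens):
        return [t for t in tokens if re.search(r"\b" + re.escape(t) + r"\b", src)]
    return {"wsh": found(WSH_TOKENS), "browser": found(BROWSER_TOKENS)}


def triage(src: str) -> dict:
    apis = host_apis(src)
    if apis["wsh"]:
        verdict = "wsh-capable"      # can act when run by wscript.exe
    elif apis["browser"]:
        verdict = "browser-only"     # fails on first DOM access under WSH
    else:
        verdict = "indeterminate"
    longest = max(string_literals(src), key=len, default="")
    return {
        "function_uses": function_use_count(src),
        "long_strings": len(long_strings(src)),
        # The two entropies measure different things for multibyte text:
        # UTF-8 CJK is ~3 bytes per code point, so byte entropy alone says
        # little about whether a string encodes code.
        "byte_entropy": round(shannon_entropy(longest.encode("utf-8")), 2),
        "codepoint_entropy": round(shannon_entropy(longest), 2),
        "verdict": verdict,
        **apis,
    }


if __name__ == "__main__":
    for name, src in (("browser bundle", BROWSER_SAMPLE), ("wsh fragment", WSH_SAMPLE)):
        print(name, triage(src))
```

The browser fragment trips the same heuristics the report lists (one long string, three `function` uses per 400 bytes, a high-entropy literal) yet references nothing the script host can execute, while the short WSH fragment trips none of them and is the one that can do damage. Heuristic hits are a reason to look, not a verdict.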

Mitre Att&ck Matrix

Techniques carrying a count are the ones the report's signatures mapped to (counts as printed in the report); the remaining cells are the matrix's fixed grid.

Tactic                  | Row 1                                        | Row 2
Initial Access          | Valid Accounts                               | Default Accounts
Execution               | Scripting (13)                               | Scheduled Task/Job
Persistence             | Path Interception                            | Boot or Logon Initialization Scripts
Privilege Escalation    | Path Interception                            | Boot or Logon Initialization Scripts
Defense Evasion         | Scripting (13)                               | Obfuscated Files or Information (1)
Credential Access       | OS Credential Dumping                        | LSASS Memory
Discovery               | System Information Discovery (2)             | Application Window Discovery
Lateral Movement        | Remote Services                              | Remote Desktop Protocol
Collection              | Data from Local System                       | Data from Removable Media
Exfiltration            | Exfiltration Over Other Network Medium       | Exfiltration Over Bluetooth
Command and Control     | Data Encoding (1)                            | Junk Data
Network Effects         | Eavesdrop on Insecure Network Communication  | Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects  | Remotely Track Device Without Authorization  | Remotely Wipe Data Without Authorization
Impact                  | Modify System Partition                      | Device Lockout
Behavior Graph (ID 475181): sample hotjar script.js, start date 31/08/2021, architecture WINDOWS, score 21. The start node launches one process, wscript.exe; the single signature "Potential obfuscated javascript found" is attached to the start node.

No Antivirus matches
URL scan results (Source; Detection; Scanner; Label). Every entry: detection 0%, scanner URL Reputation, label safe:
  • https://www.hotjarconsent.com/de.html
  • https://www.hotjarconsent.com/fi.html
  • https://www.hotjarconsent.com/it.html
  • https://www.hotjarconsent.com/sv.html
  • https://www.hotjarconsent.com/el.html
  • https://www.hotjarconsent.com/pl.html
  • https://www.hotjarconsent.com/fr.html
  • https://www.hotjarconsent.com/ru.html
  • https://www.hotjarconsent.com
  • https://www.hotjarconsent.com/nl.html
  • https://www.hotjarconsent.com/es.html
  • https://www.hotjarconsent.com/pt.html
  • https://surveystats.hotjar.io/hit
  • https://www.hotjarconsent.com/pt_br.html
  • https://www.hotjarconsent.com/sq.html
  • https://www.hotjarconsent.com/zh.html
  • https://vc.hotjar.io/sessions
No contacted domains info
URLs (Name; Source; Malicious; Antivirus Detection; Reputation). Memory dumps referenced below: A = wscript.exe 00000001.00000003.659738495.0000023C0860B000.00000004.00000001.sdmp; B = wscript.exe 00000001.00000003.670520979.0000023C088F1000.00000004.00000001.sdmp. No URL is marked malicious.

Reputation unknown, URL Reputation: safe:
  • https://www.hotjarconsent.com/de.html (A, hotjar script.js)
  • https://www.hotjarconsent.com/fi.html (A, hotjar script.js)
  • https://www.hotjarconsent.com/it.html (A, hotjar script.js)
  • https://www.hotjarconsent.com/sv.html (A, hotjar script.js)
  • https://www.hotjarconsent.com/el.html (A, hotjar script.js)
  • https://www.hotjarconsent.com/pl.html (A, hotjar script.js)
  • https://www.hotjarconsent.com/fr.html (A, hotjar script.js)
  • https://www.hotjarconsent.com/ru.html (A, hotjar script.js)
  • https://www.hotjarconsent.com (hotjar script.js)
  • https://www.hotjarconsent.com/nl.html (A, hotjar script.js)
  • https://www.hotjarconsent.com/es.html (A, hotjar script.js)
  • https://www.hotjarconsent.com/pt.html (A, hotjar script.js)
  • https://surveystats.hotjar.io/hit (B)
  • https://www.hotjarconsent.com/pt_br.html (A, hotjar script.js)
  • https://www.hotjarconsent.com/sq.html (A, hotjar script.js)
  • https://www.hotjarconsent.com/zh.html (A, B, hotjar script.js)
  • https://vc.hotjar.io/sessions (B)

Reputation high, no antivirus detection:
  • https://www.hotjar.com/?utm_source=client&utm_medium=survey&utm_campaign=insights (A)
  • https://identify.hotjar.com (B)
  • https://developer.mozilla.org/en-US/docs/DOM/MutationObserver (B)
  • https://hotjar.com (B)
  • https://www.hotjar.com/feedback-surveys?utm_source=client&utm_medium=poll&utm_campaign=insights (A)
  • https://www.hotjar.com/incoming-feedback?utm_source=client&utm_medium=incoming_feedback&utm_campaign (A; truncated in the report)
  • https://help.hotjar.com/hc/en-us/articles/115011819488-How-to-Tag-your-Hotjar-Recordings (A)
                No contacted IP infos

                General Information

                Joe Sandbox Version:33.0.0 White Diamond
                Analysis ID:475181
                Start date:31.08.2021
                Start time:17:23:42
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 2m 54s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:hotjar script.js
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of new started processes analysed:5
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • GSI enabled (Javascript)
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:SUS
                Classification:sus21.evad.winJS@1/0@0/0
                EGA Information:Failed
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .js
                • Stop behavior analysis, all processes terminated
                Warnings:
                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/475181/sample/hotjar script.js
                No simulations
                No context
                No created / dropped files found

                Static File Info

                General

                File type:UTF-8 Unicode text, with very long lines, with no line terminators
                Entropy (8bit):5.748056142970434
                TrID:
                • Java Script (12010/1) 100.00%
                File name:hotjar script.js
                File size:238293
                MD5:f92df74950979024996904423bce61cd
                SHA1:8f5e3917e51d3bd9b0575ca6ef70f3fe79d2f520
                SHA256:672525efe859722047a3914aaba25eae8fe7c9e6efcda5d275ed97415175552f
                SHA512:5c9da5717710ef666f515983142e821dbee489636da15a59e7b2930edcdc515b30ced9c6371432da365b8ed30f1b4ae4049f065095ac98ed94cc69ed246dd6f9
                SSDEEP:6144:NEtMeDeHnE9uBl8rYDB6b2B5a3uEHJwQsU:FYuBl8rYDob2Bw3uEHJwtU
                File Content Preview:!function(e){var t={};function n(i){if(t[i])return t[i].exports;var r=t[i]={i:i,l:!1,exports:{}};return e[i].call(r.exports,r,r.exports,n),r.l=!0,r.exports}n.m=e,n.c=t,n.d=function(e,t,i){n.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:i})},n.r=fun

                File Icon

                Icon Hash:e8d69ece968a9ec4

                Network Behavior

                No network behavior found

                Code Manipulations

                Statistics

                CPU Usage

                (chart: x axis 0 to 30 s, y axis 0 to 100 %)

                Memory Usage

                (chart: x axis 0 to 30 s, y axis 0.0 to 15 MB)

                High Level Behavior Distribution

                • File
                • Registry


                System Behavior

                Start time:17:24:34
                Start date:31/08/2021
                Path:C:\Windows\System32\wscript.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\hotjar script.js'
                Imagebase:0x7ff762a80000
                File size:163840 bytes
                MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
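The record above is the only process this run produced, and no Sigma rule matched it. What follows is an added example, not a Joe Sandbox rule and not code from the report, of the detection logic a SOC would apply to such an event: a script host (wscript.exe or cscript.exe) launching a .js, .jse, .vbs, .vbe, .wsf or .wsh file from a user-writable location. It tokenises the command line so that quoted paths containing spaces (as in 'hotjar script.js') and host switches such as //B //Nologo are handled, and runs over constructed Sysmon-style process-creation records whose field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage). The first record mirrors the command line in this report; its ParentImage and the other three records are constructed, and the list of user-writable paths is this example's assumption.

```python
"""Detection logic for a script host executing a script from a user-writable
location, run over constructed process-creation records. Added example; the
Joe Sandbox report matched no Sigma rule, and this is not one of its rules."""
import re
from typing import Optional

# Script hosts and the script extensions they execute.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Assumed set of user-writable locations worth alerting on: per-user profile
# folders, Temp, Public, plus UNC shares. Tune to the estate.
USER_WRITABLE = re.compile(
    r"^(?:"
    r"[a-z]:\\users\\[^\\]+\\(?:desktop|downloads|documents|appdata\\(?:local\\temp|local|roaming))\\"
    r"|\\\\[^\\]+\\[^\\]+\\"
    r"|[a-z]:\\(?:temp|windows\\temp|users\\public)\\"
    r")",
    re.IGNORECASE,
)

_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')


def tokenize(cmdline: str) -> list:
    """Split a command line, keeping quoted spans (either quote style, since the
    report renders the path in single quotes) together and stripping the quotes."""
    return [t.strip("\"'") for t in _TOKEN.findall(cmdline)]


def script_argument(tokens: list) -> Optional[str]:
    """First non-switch argument after the image is the script path. Host
    switches (//B, //Nologo, //E:JScript) all start with a slash."""
    for tok in tokens[1:]:
        if tok.startswith("/"):
            continue
        return tok
    return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert if the event is a script host running a script from a
    user-writable path, else None."""
    image = basename(event.get("Image", ""))
    if image not in SCRIPT_HOSTS:
        return None
    script = script_argument(tokenize(event.get("CommandLine", "")))
    if script is None:
        return None
    ext = "." + script.rsplit(".", 1)[-1].lower() if "." in script else ""
    if ext not in SCRIPT_EXTS:
        return None
    if not USER_WRITABLE.match(script):
        return None
    return {
        "host": image,
        "script": script,
        "extension": ext,
        "parent": basename(event.get("ParentImage", "")),
    }


# Constructed records. The first mirrors the command line in this report.
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\hotjar script.js'",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'"C:\Windows\System32\cscript.exe" //B //Nologo "C:\Users\user\AppData\Local\Temp\inv_2021.vbs"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\user\Desktop\hotjar script.js",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def run(events=EVENTS) -> list:
    return [a for a in (evaluate(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The slmgr.vbs record is the kind of legitimate administrative use that a rule keyed on the script host alone would flag; it passes here because System32 is not in the user-writable set, while the Desktop and Temp launches are reported together with their parent process, which is the next pivot in an investigation.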

                Disassembly

                Code Analysis