Edit tour
Windows
Analysis Report
Usda_annual_lease_agreement_certification_statement (kg).js
Overview
General Information
| Sample Name: | Usda_annual_lease_agreement_certification_statement (kg).js |
| Analysis ID: | 705604 |
| MD5: | 7ab0eaa288875a90d0b36fa47b4ac84e |
| SHA1: | ecb6022cfd5007f1f8633f7c88700cdc8552f21e |
| SHA256: | 66840b6eb3f4f15d1c20657cbdc09e13baac8d0c75efc76f49ccc5b198d3c238 |
| Tags: | gootloaderjs |
 | |
Detection
| Score: | 22 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 80% |
Signatures
Found potential dummy code loops (likely to delay analysis)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage
Classification
- System is w10x64
wscript.exe (PID: 1032 cmdline: C:\Windows \System32\ wscript.ex e "C:\User s\user\Des ktop\Usda_ annual_lea se_agreeme nt_certifi cation_sta tement (kg ).js" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- cleanup
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
⊘No Snort rule has matched
- • Networking
- • System Summary
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • Language, Device and Operating System Detection
Click to jump to signature section
Show All Signature Results
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Initial sample: | ||
| Source: | Process Stats: | ||
| Source: | Key opened: | Jump to behavior | ||
| Source: | Classification label: | ||
| Source: | Key value queried: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Process information set: | Jump to behavior | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Window found: | Jump to behavior | ||
Anti Debugging |   |
|---|
| Source: | Process Stats: | ||
| Source: | Thread injection, dropped files, key value created, disk infection and DNS query: | ||
| Source: | Key value queried: | Jump to behavior | ||
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 2 Scripting | Path Interception | Path Interception | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 2 Scripting | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetThis section contains all screenshots as thumbnails, including those not shown in the slideshow.
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
⊘No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Virustotal | Browse | ||
| 1% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe |
⊘No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high |
⊘No contacted IP infos
| Joe Sandbox Version: | 36.0.0 Rainbow Opal |
| Analysis ID: | 705604 |
| Start date and time: | 2022-09-19 17:23:19 +02:00 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 6m 37s |
| Hypervisor based Inspection enabled: | false |
| Report type: | full |
| Sample file name: | Usda_annual_lease_agreement_certification_statement (kg).js |
| Cookbook file name: | default.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 22 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | SUS |
| Classification: | sus22.evad.winJS@1/0@0/0 |
| EGA Information: | Failed |
| HDC Information: | Failed |
| HCA Information: |
|
| Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): MpCmdRun.exe, a udiodg.exe, BackgroundTransfer Host.exe, RuntimeBroker.exe, W MIADAP.exe, backgroundTaskHost .exe, conhost.exe, svchost.exe , wuapihost.exe - Excluded domains from analysis
(whitelisted): login.live.com , ctldl.windowsupdate.com, dis playcatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com. akamaized.net, arc.msn.com - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtAllocateVirtualMemor y calls found.
⊘No simulations
⊘No context
⊘No context
⊘No context
⊘No context
⊘No context
⊘No created / dropped files found
| File type: | |
| Entropy (8bit): | 4.641940484199891 |
| TrID: |
|
| File name: | Usda_annual_lease_agreement_certification_statement (kg).js |
| File size: | 495272 |
| MD5: | 7ab0eaa288875a90d0b36fa47b4ac84e |
| SHA1: | ecb6022cfd5007f1f8633f7c88700cdc8552f21e |
| SHA256: | 66840b6eb3f4f15d1c20657cbdc09e13baac8d0c75efc76f49ccc5b198d3c238 |
| SHA512: | c52b436543d6702619cacc671be8bbd0f176f376d089f934fe146a5ff5e14a28489cf067081f9e916e1d776f52f1625ffda67c27e356dde91e56cddca80a2c91 |
| SSDEEP: | 6144:nQSS9rula1l4khEfDJx67Diagmd4iLAmWq6qSF:ONhEfDJxIiagmd4iLAmWq63 |
| TLSH: | 20B4A40EABEB3326C51371799F5F9004A536840B661AEC1D7D4C93880F5863D9ABBFE4 |
| File Content Preview: | /*.Copyright (c) 2011 Sencha Inc. - Author: Nicolas Garcia Belmonte (http://philogb.github.com/)..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in |
 | |
| Icon Hash: | e8d69ece968a9ec4 |
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node⊘No network behavior found
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
| Target ID: | 0 |
| Start time: | 17:24:09 |
| Start date: | 19/09/2022 |
| Path: | C:\Windows\System32\wscript.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff705670000 |
| File size: | 163840 bytes |
| MD5 hash: | 9A68ADD12EB50DDE7586782C3EB9FF9C |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
⊘No disassembly
