Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
07.04 07:07
csrss.exe
07.04 07:07
loader.exe
07.04 07:07
38.exe
07.04 07:07
ABC.exe
07.04 07:07
injector.exe
07.04 02:07
claim-share
07.03 07:07
file_xgep41gp.dyp.txt.ps1
07.03 07:07
file_ahstznsa.ob0.txt.ps1
07.03 06:07
poop.exe
07.03 06:07
uho.uouo.uououo.doc

Latest News
07.04 08:07
Smashing Security podc...
07.04 07:07
ECMAScript 2024 JavaSc...
07.04 07:07
The AI Fix #5: An angr...
07.04 07:07
It’s Time For Lawmaker...
07.04 07:07
Securing Supply Chains...
07.04 07:07
Emulating the Sabotage...
07.04 07:07
Threat Hunting Worksho...
07.04 06:07
ワシントン州キング郡、AIを活用し薬物過剰摂...
07.04 05:07
CVE of the month, the ...
07.04 05:07
Data Breaches in June ...

Summary | ZeroBOX

afriq.js

ActiveXObject

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 28, 2023, 10:02 a.m.	Nov. 28, 2023, 10:04 a.m.

Size	37.7KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5	`0cd971ef91e57c0c285da2fe74c2d6ec`
SHA256	`f4dc8b79421aa0047b5475ff67f1e357f329bc19d9165d23d3aee4a49e96c87f`
CRC32	`EFE752C0`
ssdeep	`768:WRKaOa5av1L5CTW9CCzCt150LVwawtHVjR26TPMmrnIhOS2FGYYq0:WRKaOa5aviTWcrt0VwawFxR26TPPrnI7`
Yara	Javascript_ActiveXObject - Use ActiveXObject JavaScript

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\afriq.js
2560

Name	Response	Post-Analysis Lookup
paste.ee	A 104.21.84.67 A 172.67.187.200	104.21.84.67

IP Address	Status	Action
104.21.84.67	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 104.21.84.67:443	2034978	ET POLICY Pastebin-style Service (paste .ee) in TLS SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49161 -> 104.21.84.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49161 104.21.84.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=paste.ee	75:09:97:90:38:ad:dd:cc:0d:1b:d8:8b:02:ab:5d:a9:3b:7a:1f:1d

Performs some HTTP requests (1 event)

request

GET https://paste.ee/d/ly4Cq

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Symantec	ISB.Downloader!gen40
Kaspersky	HEUR:Trojan.Script.SAgent.gen
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
ZoneAlarm	HEUR:Trojan.Script.SAgent.gen
Rising	Trojan.Undefined!8.1327C (TOPIS:E0:27pLkxQ5kpB)

Wscript.exe initiated network communications indicative of a script based payload download (3 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Nov. 28, 2023, 10:02 a.m.	buffer: kgee< ¥Ë¡®òHÐAú Ù¾YBBáãm/5 ÀÀÀ À 28&ÿ paste.ee socket: 600		0	0
WSASend Nov. 28, 2023, 10:02 a.m.	buffer: FBA]Yý;ÍöxÂÒ¥ÙDÓÝ¬áèü/±RôOökX® X°¦ô©äPÿ>Z òü.Óè >h^0ÃcÆ·k^²§ÀCòK±ÊÅj5¼PÔGM«]sÿ¦´4¥âjr¦¸ï±° socket: 600		0	0
WSASend Nov. 28, 2023, 10:02 a.m.	buffer: À¦Cn¯Ïï§î'ýg9á*)O\vÎ$phÙèh÷Íºj;yq]Ì¯ùGd$ÏÅC~¡ÝWPJ1&ÑkÉ ¬(FÂ;Qãjÿàcøàj¼wÛTzä£òU;;n¿TÎfÝ2É éQw6q³Ø~?ä³ÞÔÄ§b<+Çá±Ö¦¸Þýå©@¿L#ä7ñãP»P2Çj ^ÑÿjÖf'«¾iNÿ¥^ socket: 600		0	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Nov. 28, 2023, 10:02 a.m.	buffer: kgee< ¥Ë¡®òHÐAú Ù¾YBBáãm/5 ÀÀÀ À 28&ÿ paste.ee socket: 600		0	0
WSASend Nov. 28, 2023, 10:02 a.m.	buffer: FBA]Yý;ÍöxÂÒ¥ÙDÓÝ¬áèü/±RôOökX® X°¦ô©äPÿ>Z òü.Óè >h^0ÃcÆ·k^²§ÀCòK±ÊÅj5¼PÔGM«]sÿ¦´4¥âjr¦¸ï±° socket: 600		0	0
WSASend Nov. 28, 2023, 10:02 a.m.	buffer: À¦Cn¯Ïï§î'ýg9á*)O\vÎ$phÙèh÷Íºj;yq]Ì¯ùGd$ÏÅC~¡ÝWPJ1&ÑkÉ ¬(FÂ;Qãjÿàcøàj¼wÛTzä£òU;;n¿TÎfÝ2É éQw6q³Ø~?ä³ÞÔÄ§b<+Çá±Ö¦¸Þýå©@¿L#ä7ñãP»P2Çj ^ÑÿjÖf'«¾iNÿ¥^ socket: 600		0	0