Favorites
Tools
Dr.Zero Chatbot
Notifications
Guide 2020-06-10
Version history 2020-06-10

latestReport
01.18 04:01
svc.exe
01.18 04:01
RemittanceForms.exe
01.18 04:01
Aristois-Free.jar
01.18 10:01
setup641.msi
01.18 10:01
Needle_Setup.exe
01.18 10:01
8734_5737.exe
01.18 10:01
CondoGenerator.exe
01.18 10:01
QGFQTHIU.exe
01.18 10:01
4909_7122.exe
01.18 10:01
Updater.exe

Latest News
01.19 12:01
시몬스 침대, 카카오톡 선물하기 통해 설...
01.19 12:01
Zero Trust and Entra I...
01.19 12:01
Stealth AirTag Broadca...
01.19 12:01
US TikTok Users Get No...
01.19 09:01
하이텍 그룹, 산업방송 채널i ‘히든 챔...
01.19 09:01
I3C Bit-banging Fun fo...
01.19 09:01
IT Sicherheitsnews tae...
01.19 09:01
IT Sicherheitsnews tae...
01.19 07:01
Star Blizzard: Russisc...
01.19 07:01
Ingenieur baut KI-Waff...

Summary | ZeroBOX

afriq.js

ActiveXObject

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 28, 2023, 10:02 a.m.	Nov. 28, 2023, 10:04 a.m.

Size	37.7KB
Type	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5	`0cd971ef91e57c0c285da2fe74c2d6ec`
SHA256	`f4dc8b79421aa0047b5475ff67f1e357f329bc19d9165d23d3aee4a49e96c87f`
CRC32	`EFE752C0`
ssdeep	`768:WRKaOa5av1L5CTW9CCzCt150LVwawtHVjR26TPMmrnIhOS2FGYYq0:WRKaOa5aviTWcrt0VwawFxR26TPPrnI7`
Yara	Javascript_ActiveXObject - Use ActiveXObject JavaScript

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\afriq.js
2560

Name	Response	Post-Analysis Lookup
paste.ee	A 104.21.84.67 A 172.67.187.200	104.21.84.67

IP Address	Status	Action
104.21.84.67	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49161 -> 104.21.84.67:443	2034978	ET POLICY Pastebin-style Service (paste .ee) in TLS SNI	Potential Corporate Privacy Violation
TCP 192.168.56.101:49161 -> 104.21.84.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49161 104.21.84.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=paste.ee	75:09:97:90:38:ad:dd:cc:0d:1b:d8:8b:02:ab:5d:a9:3b:7a:1f:1d

Performs some HTTP requests (1 event)

request

GET https://paste.ee/d/ly4Cq

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Symantec	ISB.Downloader!gen40
Kaspersky	HEUR:Trojan.Script.SAgent.gen
NANO-Antivirus	Trojan.Script.Heuristic-js.iacgm
ZoneAlarm	HEUR:Trojan.Script.SAgent.gen
Rising	Trojan.Undefined!8.1327C (TOPIS:E0:27pLkxQ5kpB)

Wscript.exe initiated network communications indicative of a script based payload download (3 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Nov. 28, 2023, 10:02 a.m.	buffer: kgee< ¥Ë¡®òHÐAú Ù¾YBBáãm/5 ÀÀÀ À 28&ÿ paste.ee socket: 600		0	0
WSASend Nov. 28, 2023, 10:02 a.m.	buffer: FBA]Yý;ÍöxÂÒ¥ÙDÓÝ¬áèü/±RôOökX® X°¦ô©äPÿ>Z òü.Óè >h^0ÃcÆ·k^²§ÀCòK±ÊÅj5¼PÔGM«]sÿ¦´4¥âjr¦¸ï±° socket: 600		0	0
WSASend Nov. 28, 2023, 10:02 a.m.	buffer: À¦Cn¯Ïï§î'ýg9á*)O\vÎ$phÙèh÷Íºj;yq]Ì¯ùGd$ÏÅC~¡ÝWPJ1&ÑkÉ ¬(FÂ;Qãjÿàcøàj¼wÛTzä£òU;;n¿TÎfÝ2É éQw6q³Ø~?ä³ÞÔÄ§b<+Çá±Ö¦¸Þýå©@¿L#ä7ñãP»P2Çj ^ÑÿjÖf'«¾iNÿ¥^ socket: 600		0	0

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (3 events)

Time & API	Arguments	Status	Return	Repeated
WSASend Nov. 28, 2023, 10:02 a.m.	buffer: kgee< ¥Ë¡®òHÐAú Ù¾YBBáãm/5 ÀÀÀ À 28&ÿ paste.ee socket: 600		0	0
WSASend Nov. 28, 2023, 10:02 a.m.	buffer: FBA]Yý;ÍöxÂÒ¥ÙDÓÝ¬áèü/±RôOökX® X°¦ô©äPÿ>Z òü.Óè >h^0ÃcÆ·k^²§ÀCòK±ÊÅj5¼PÔGM«]sÿ¦´4¥âjr¦¸ï±° socket: 600		0	0
WSASend Nov. 28, 2023, 10:02 a.m.	buffer: À¦Cn¯Ïï§î'ýg9á*)O\vÎ$phÙèh÷Íºj;yq]Ì¯ùGd$ÏÅC~¡ÝWPJ1&ÑkÉ ¬(FÂ;Qãjÿàcøàj¼wÛTzä£òU;;n¿TÎfÝ2É éQw6q³Ø~?ä³ÞÔÄ§b<+Çá±Ö¦¸Þýå©@¿L#ä7ñãP»P2Çj ^ÑÿjÖf'«¾iNÿ¥^ socket: 600		0	0