popup

Report - ORDER.js

Malicious Library UPX ZIP Format DLL PE File PE32 OS Processor Check
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.09.05 08:41 Machine s1_win7_x6402
Filename ORDER.js
Type ASCII text, with very long lines, with CRLF line terminators
AI Score Not founds Behavior Score
10.0
ZERO API file : clean
VT API (file) 28 detected (DownLoader45, GenericKD, gen12, Kryptik, iacgm, Obfuse, TOPIS, HfrZ6uiR1WH, ai score=86, Detected, Cflw, Etecer, b0qS40)
md5 70e483ab51c94cd2318fb5cb0de989fd
sha256 a0041aa69a92b8a85e020dcf6424960e466c4e2f315a556bed9e06d870dddf47
ssdeep 1536:j21Ax5SP/rgoMp633kUFPyHqVfxkCx1UE8o1TQ5CAiaRgd6W0NQHMpgac+0rOMzc:Uh+vek3mUQKN
imphash
impfuzzy
  Network IP location

Signature (19cnts)

Level Description
danger Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually)
danger The processes wscript.exe
warning File has been identified by 28 AntiVirus engines on VirusTotal as malicious
watch Communicates with host for which no DNS query was performed
watch Installs itself for autorun at Windows startup
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info One or more processes crashed
info Queries for the computername

Rules (7cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch UPX_Zero UPX packed file binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)
info zip_file_format ZIP file format binaries (download)

Network (10cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://str-master.pw/strigoi/server/ping.php?lid=khonsari
whois
DE DIGITALOCEAN-ASN 142.93.110.250 6509 mailcious
str-master.pw
whois
DE DIGITALOCEAN-ASN 142.93.110.250 mailcious
objects.githubusercontent.com
whois
US FASTLY 185.199.111.133 malware
github.com
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.200.245.247 mailcious
repo1.maven.org
whois
US FASTLY 199.232.196.209 clean
185.199.109.133
whois
US FASTLY 185.199.109.133 mailcious
142.93.110.250
whois
DE DIGITALOCEAN-ASN 142.93.110.250 mailcious
151.101.40.209
whois
US FASTLY 151.101.40.209 clean
20.200.245.247
whois
US MICROSOFT-CORP-MSN-AS-BLOCK 20.200.245.247 malware
109.206.242.32
whois
Unknown 109.206.242.32 clean

Suricata ids

ET DNS Query to a *.pw domain - Likely Hostile
ET POLICY Vulnerable Java Version 1.8.x Detected
ET INFO HTTP Request to a *.pw domain

Similarity measure (PE file only) - Checking for service failure