ScreenShot
Created | 2023.09.05 08:41 | Machine | s1_win7_x6402 |
Filename | ORDER.js | ||
Type | ASCII text, with very long lines, with CRLF line terminators | ||
AI Score | Not founds | Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | 28 detected (DownLoader45, GenericKD, gen12, Kryptik, iacgm, Obfuse, TOPIS, HfrZ6uiR1WH, ai score=86, Detected, Cflw, Etecer, b0qS40) | ||
md5 | 70e483ab51c94cd2318fb5cb0de989fd | ||
sha256 | a0041aa69a92b8a85e020dcf6424960e466c4e2f315a556bed9e06d870dddf47 | ||
ssdeep | 1536:j21Ax5SP/rgoMp633kUFPyHqVfxkCx1UE8o1TQ5CAiaRgd6W0NQHMpgac+0rOMzc:Uh+vek3mUQKN | ||
imphash | |||
impfuzzy |
Network IP location
Signature (19cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | The processes wscript.exe |
warning | File has been identified by 28 AntiVirus engines on VirusTotal as malicious |
watch | Communicates with host for which no DNS query was performed |
watch | Installs itself for autorun at Windows startup |
watch | One or more non-whitelisted processes were created |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Drops an executable to the user AppData folder |
notice | One or more potentially interesting buffers were extracted |
notice | Performs some HTTP requests |
notice | Resolves a suspicious Top Level Domain (TLD) |
notice | Uses Windows utilities for basic Windows functionality |
info | Checks amount of memory in system |
info | One or more processes crashed |
info | Queries for the computername |
Rules (7cnts)
Level | Name | Description | Collection |
---|---|---|---|
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | zip_file_format | ZIP file format | binaries (download) |
Network (10cnts) ?
Suricata ids
ET DNS Query to a *.pw domain - Likely Hostile
ET POLICY Vulnerable Java Version 1.8.x Detected
ET INFO HTTP Request to a *.pw domain
ET POLICY Vulnerable Java Version 1.8.x Detected
ET INFO HTTP Request to a *.pw domain