popup

Report - afriq.js

ActiveXObject
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2023.11.28 10:04 Machine s1_win7_x6401
Filename afriq.js
Type Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
AI Score Not founds Behavior Score
2.0
ZERO API file : clean
VT API (file) 5 detected (gen40, SAgent, iacgm, Undefined, TOPIS, 27pLkxQ5kpB)
md5 0cd971ef91e57c0c285da2fe74c2d6ec
sha256 f4dc8b79421aa0047b5475ff67f1e357f329bc19d9165d23d3aee4a49e96c87f
ssdeep 768:WRKaOa5av1L5CTW9CCzCt150LVwawtHVjR26TPMmrnIhOS2FGYYq0:WRKaOa5aviTWcrt0VwawFxR26TPPrnI7
imphash
impfuzzy
  Network IP location

Signature (4cnts)

Level Description
watch Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe
watch Wscript.exe initiated network communications indicative of a script based payload download
notice File has been identified by 5 AntiVirus engines on VirusTotal as malicious
notice Performs some HTTP requests

Rules (1cnts)

Level Name Description Collection
info Javascript_ActiveXObject Use ActiveXObject JavaScript binaries (upload)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://paste.ee/d/ly4Cq
whois
US CLOUDFLARENET 104.21.84.67 clean
paste.ee
whois
US CLOUDFLARENET 104.21.84.67 mailcious
104.21.84.67
whois
US CLOUDFLARENET 104.21.84.67 malware

Suricata ids

ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure