Author Topic: confirmation.js (Read 3123 times)

Be Secure · « **on:** February 18, 2017, 04:13:25 AM »

How avast missed that .js file?
Avast behavior shield failed to block it.
Is avast take AVG's JS emulator engine or not???
Send it to avast viruslab.
Virus Total-https://virustotal.com/en/file/3ba6df194923d25801728df6caf71650d4b6dfbacd7d243502c1d07927a2d089/analysis/1487387200/

TrueIndian · « **Reply #1 on:** February 18, 2017, 04:19:44 AM »

Did you actually test the behav. shield here because we have seen it in action against similar files.I found the URL the file came from.Reported to the analysts.

The file is a day old and lot of antiviruses don't see it.

Be Secure · « **Reply #2 on:** February 18, 2017, 04:23:32 AM »

Quote from: TrueIndian on February 18, 2017, 04:19:44 AM

Did you actually test the behav. shield here because we have seen it in action against similar files.I found the URL the file came from.Reported to the analysts.

Yes i do.

TrueIndian · « **Reply #3 on:** February 18, 2017, 04:24:28 AM »

Quote from: Be Secure on February 18, 2017, 04:23:32 AM

Yes i do.

No alerts from behav. shield once the sample was executed?

Be Secure · « **Reply #4 on:** February 18, 2017, 04:26:13 AM »

Quote from: TrueIndian on February 18, 2017, 04:24:28 AM

Quote from: Be Secure on February 18, 2017, 04:23:32 AM
Yes i do.

No alerts from behav. shield once the sample was executed?

Nothing.I set it to always ask.

TrueIndian · « **Reply #5 on:** February 18, 2017, 04:28:47 AM »

Strange! Should have been flagged as IDP.ALEXA

Be Secure · « **Reply #6 on:** February 18, 2017, 04:31:05 AM »

Quote from: TrueIndian on February 18, 2017, 04:28:47 AM

Strange! Should have been flagged as IDP.ALEXA

Let see answer from avast team.

TrueIndian · « **Reply #7 on:** February 18, 2017, 05:24:32 AM »

Quote from: ymchen on February 18, 2017, 05:22:05 AM

ran the js , nothing happen , im guess the download file link are dead.

read the payload analysis report , this js is connect to hxxp://nanobytes.org/vKbAdjOpTV.php?erGzWn','%aPpdata%KcG14.Exe

REDACTED · « **Reply #8 on:** February 18, 2017, 05:32:15 AM »

Quote from: TrueIndian on February 18, 2017, 05:24:32 AM

Quote from: ymchen on February 18, 2017, 05:22:05 AM
ran the js , nothing happen , im guess the download file link are dead.

read the payload analysis report , this js is connect to hxxp://nanobytes.org/vKbAdjOpTV.php?erGzWn','%aPpdata%KcG14.Exe

u can try again excute the js file , who know the download link will be online back

TrueIndian · « **Reply #9 on:** February 18, 2017, 05:40:36 AM »

yup but since it did nothing....there is nothing behav. shield could detect here

polonus · « **Reply #10 on:** February 18, 2017, 03:54:17 PM »

Hi True Indian and Be Secure,

Best analysis of this you can find here (2 days ago): https://www.hybrid-analysis.com/sample/3ba6df194923d25801728df6caf71650d4b6dfbacd7d243502c1d07927a2d089?environmentId=100
where it was being interrogated through script Heavy Anti-Evasion etc.

Whenever not a FP it comes as Ransomeware related.

polonus

Author Topic: confirmation.js (Read 3123 times)

Be Secure

confirmation.js

TrueIndian

Re: confirmation.js

Be Secure

Re: confirmation.js

TrueIndian

Re: confirmation.js

Be Secure

Re: confirmation.js

TrueIndian

Re: confirmation.js

Be Secure

Re: confirmation.js

TrueIndian

Re: confirmation.js

REDACTED

Re: confirmation.js

TrueIndian

Re: confirmation.js

polonus

Re: confirmation.js