Flagged: https://urlquery.net/report/0e56633b-dfe1-4cf8-95f8-a2b32be3ab4a
Re: fail and two warnings → https://asafaweb.com/Scan?Url=72b668.com
DOM XSS scanner reports 11 sources and 4 sinks: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fjs.users.51.la%2F19099393.js — for a tracker of this kind the sources are presumably the location/referrer reads and the sinks the document.write badge injection and the document.cookie writes; that pattern is inherent to analytics code and is not by itself evidence of an exploitable DOM XSS.
Re: https://sritest.io/#report/76d2b13d-cfb8-4844-89ad-bb6d2d73fba1
Code errors reported by the decoder (the script assumes a browser DOM; `Image`, used in the beacon line `new Image`, is not defined in the analysis engine, so this is most likely an environment artefact rather than a fault in the script):
info: [decodingLevel=0] found JavaScriptUnknown runtime error stack…
error: undefined variable Image
error: ./pre.js:249: TypeError: Image is not a constructor
info: [decodingLevel=1] found JavaScript
error: line:6: TypeError: Image is not a constructor
VirusTotal: 5 engines flag the URL (three of them named below): https://virustotal.com/#/url/051ff67a123863c3219ebfa4e04f506bc57ce82a30048f6539364edf215c6e23/detection
Dr.Web - malicious site
ParetoLogic - malware site
Fortinet - malware site according to: https://threatintelligenceplatform.com/report/js.users.51.la/b9Gs8yaFFV
Earlier sandbox analysis of a similar 51.La JS file (that one for tracker ID 18625657; the file flagged above is 19099393.js). Note that the registry reads and Windows-directory file touches listed below are attributed to wscript.exe, the sandbox's script host: a browser-side tracking script has no registry or file-system access, so those indicators most likely reflect host start-up (WScript.exe, jscript.dll.mui, rsaenh.dll) rather than script behaviour. The script itself, reproduced under "Parsed Javascript", is a standard page-view beacon.
Incident Response / Risk Assessment
Fingerprint
Reads the active computer name
Reads the cryptographic machine GUID
Spreading
Opens the MountPointManager (often used to detect additional infection locations)
Indicators — Not all malicious and suspicious indicators are displayed (free-tier report; the vendor's own cloud service or full version shows all details).
Malicious Indicators 1
External Systems
Sample was identified as malicious by at least one Antivirus engine
details
1/53 Antivirus vendors marked sample as malicious (1% detection rate)
source
External System
relevance
8/10
Suspicious Indicators (5) — Environment Awareness
Reads the active computer name
details
“wscript.exe” (Path: “HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME”; Key: “COMPUTERNAME”)
source
Registry Access
relevance
5/10
Reads the cryptographic machine GUID
details
“wscript.exe” (Path: “HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY”; Key: “MACHINEGUID”)
source
Registry Access
relevance
10/10
Unusual Characteristics
Found decoded Javascript strings
details
“a5657_times = " + a5657ot +”, “a5657_times”, “a5657ot”
source
String
relevance
10/10
Reads information about supported languages
details
“wscript.exe” (Path: “HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE”; Key: “00000409”)
source
Registry Access
relevance
3/10
Hiding 1 Suspicious Indicators
All indicators are available only in the private webservice or standalone version
Informative (4) — General
Parsed Javascript
details
Output: “document.write('<a href=“hxtp://www.51.la/?18625657” target=”_blank" title=“51.La 网站流量统计系统”><img alt=“-51.La 网站流量统计系统” src=“hxtp://icon.51.la/icon_0.gif” style=“border:none” /></a>\n’);
// Reviewer annotation (comments only; the code is the sandbox's verbatim parse, with URLs
// apparently defanged by the poster — hxtp/htxp — and quotes mangled by rendering).
// Overall: a 51.La page-view tracker for site ID 18625657. It writes a badge link/image into the
// page (document.write above), keeps two first-party counter cookies, then reports page/visit
// counts, timezone, colour depth, screen size, referrer and page URL to web.51.la over plain HTTP
// via an image beacon.
// Sentinel “-51la” means "not yet read" for the top/parent referrers gathered below.
var a5657tf = “-51la”;
var a5657pu = “”;
var a5657pf = “-51la”;
// URL and referrer of the window the script runs in.
var a5657su = window.location;
var a5657sf = document.referrer;
var a5657of = “”;
var a5657op = “”;
var a5657ops = 1;
var a5657ot = 1;
var a5657d = new Date();
var a5657color = “”;
// Legacy browser sniffing: the Netscape family exposes pixelDepth, others colorDepth.
if (navigator.appName == “Netscape”) {
a5657color = screen.pixelDepth;
} else {
a5657color = screen.colorDepth;
}
// Cross-frame reads. Accessing top/parent documents throws when the frames are cross-origin, so
// these succeed (and expose the embedding page's referrer/location) only when the tracker runs in
// a same-origin frame. Failures are swallowed silently.
try {
a5657tf = top.document.referrer;
} catch (e) {}
try {
a5657pu = window.parent.location;
} catch (e) {}
try {
a5657pf = window.parent.document.referrer;
} catch (e) {}
// Counter cookies, both first-party with path=/. a5657_pages = pages viewed this session
// (1-hour expiry); a5657_times = number of sessions (expiry extended a further 365 days on top of
// that hour, since a5657oe is reused).
// NOTE(review): the capture group ([^;]) matches exactly one character, so multi-digit counts
// would be truncated on read-back; the original almost certainly read ([^;]*) and the `*` was lost
// when the report was rendered (the same rendering mangled the quotes). Confirm against the raw file.
try {
a5657ops = document.cookie.match(new RegExp(“(^| )a5657_pages=([^;])(;|$)“));
a5657ops = (a5657ops == null) ? 1 : (parseInt(unescape((a5657ops)[2])) + 1);
var a5657oe = new Date();
a5657oe.setTime(a5657oe.getTime() + 60 * 60 * 1000);
document.cookie = “a5657_pages=” + a5657ops + “;path=/;expires=” + a5657oe.toGMTString();
a5657ot = document.cookie.match(new RegExp(”(^| )a5657_times=([^;])(;|$)”));
if (a5657ot == null) {
a5657ot = 1;
} else {
a5657ot = parseInt(unescape((a5657ot)[2]));
// A fresh session (pages counter just reset to 1) increments the visit count.
a5657ot = (a5657ops == 1) ? (a5657ot + 1) : (a5657ot);
}
a5657oe.setTime(a5657oe.getTime() + 365 * 24 * 60 * 60 * 1000);
document.cookie = “a5657_times=” + a5657ot + “;path=/;expires=” + a5657oe.toGMTString();
} catch (e) {}
// Cookies disabled or blocked: report -1 for both counters.
try {
if (document.cookie == “”) {
a5657ops = -1;
a5657ot = -1;
}
} catch (e) {}
// Referrer precedence: own referrer, overridden by the parent's, overridden by top's — whenever
// those were readable above.
a5657of = a5657sf;
if (a5657pf !== “-51la”) {
a5657of = a5657pf;
}
if (a5657tf !== “-51la”) {
a5657of = a5657tf;
}
// Page URL to report: the parent's location if the host page has defined a global named
// `lainframe` (the bare reference below is an existence probe — an undeclared identifier throws
// ReferenceError), otherwise this window's own location.
a5657op = a5657pu;
try {
lainframe
} catch (e) {
a5657op = a5657su;
}
// Beacon URL. Assigned without `var`, so a5657src (and a5657img below) become implicit globals.
// Everything goes in the clear to web.51.la:82, including the full referrer and page URL —
// escape() only percent-encodes, so any tokens carried in those URLs' query strings reach the
// third party.
a5657src = ‘htxp://web.51.la:82/go.asp?svid=17&id=18625657&tpages=’ + a5657ops + ‘&ttimes=’ + a5657ot + ‘&tzone=’ + (0 - a5657d.getTimezoneOffset() / 60) + ‘&tcolor=’ + a5657color + ‘&sSize=’ + screen.width + ‘,’ + screen.height + ‘&referrer=’ + escape(a5657of) + ‘&vpage=’ + escape(a5657op) + ‘&vvtime=’ + a5657d.getTime();
// Fires the request by creating an <img>. The string argument to setTimeout is evaluated as
// code (eval-equivalent). `Image` exists only with a browser DOM, which is most likely why the
// decoder output above reports "TypeError: Image is not a constructor".
setTimeout(‘a5657img = new Image;a5657img.src=a5657src;’, 0);"
source
Static Parser
relevance
5/10
Reads Windows Trust Settings
details
“wscript.exe” (Path: “HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING”; Key: “STATE”)
source
Registry Access
relevance
5/10
Installation/Persistence
Touches files in the Windows directory
details
-“wscript.exe” touched file “%WINDIR%\System32\en-US\WScript.exe.mui”
-“wscript.exe” touched file “%WINDIR%\System32\WScript.exe”
-“wscript.exe” touched file “%WINDIR%\Globalization\Sorting\sortdefault.nls”
-“wscript.exe” touched file “%WINDIR%\system32\rsaenh.dll”
-“wscript.exe” touched file “%WINDIR%\System32\en-US\jscript.dll.mui”
-“wscript.exe” touched file “%WINDIR%\Fonts\staticcache.dat”
-“wscript.exe” touched file “%WINDIR%\system32\en-US\MSCTF.dll.mui”
source
API Call
relevance
7/10
Network Related
Found potential URL in binary/memory
details
Pattern match: “hxtp://www.51.la/?18625657” — the flagged file uses the analogous tracker ID 19099393 (js.users.51.la/19099393.js).
source
String
relevance
polonus (volunteer website security analyst and website error-hunter)