simplicissimus 1 Posted January 16, 2020 Share Posted January 16, 2020 (edited) Hello, since yesterday I get a warning (JS/Packed.Agent.D) when I visit the website: hxxps://www.boerse-stuttgart.de/de-de/produkte/indizes/db2ke7-db-dax-indikation Quote <?xml version="1.0" encoding="utf-8" ?> <ESET> <LOG> <RECORD> <COLUMN NAME="Zeit">15.01.2020 22:55:07</COLUMN> <COLUMN NAME="Scanner">Echtzeit-Dateischutz</COLUMN> <COLUMN NAME="Objekttyp">Datei</COLUMN> <COLUMN NAME="Objekt">D:\Mozilla\Firefox\Profiles\xxxxxx.default\cache2\entries\55106E963414B545963703858BF6A8B91292E438</COLUMN> <COLUMN NAME="Erkennung">JS/Packed.Agent.D verdächtige Datei</COLUMN> <COLUMN NAME="Aktion">Gesäubert durch Löschen</COLUMN> <COLUMN NAME="Benutzer">xxxxxx</COLUMN> <COLUMN NAME="Information">Ereignis beim Erstellen einer neuen Datei durch die Anwendung: C:\Program Files\Mozilla Firefox\firefox.exe (3B75F26A7393E722D698450CCF03E673C3F8224F).</COLUMN> <COLUMN NAME="Hash">424AB718072E1CA14523563CB2EDFF658560E433</COLUMN> <COLUMN NAME="Zuerst hier gesehen">15.01.2020 22:55:06</COLUMN> </RECORD> </LOG> </ESET> Is this an false positive or has the page of this Stock exchange been hacked? Edited January 16, 2020 by simplicissimus Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 187 Posted January 16, 2020 Most Valued Members Share Posted January 16, 2020 (edited) I prefer to keep it blocked until you get a reply from ESET Staff , but here what Packed Agent can do Trojan-Downloader:W32/Agent.D is typically found on certain malicious sites. When activated, it downloads an EXE file from a website and saves it into the root directory of the C drive. The downloaded file is then run. I've scanned the url in virustotal and I didn't receive anything , but I will see other websites Can you make the link you have posted from https to hxxps so it will be unclickable , so if it's really infected it won't infect someone who will click by mistake. Any.run and VirusTotal and Hybrid-Analysis has found nothing. But one test with Firefox in Any.run has some suspicious activity , it could be false positive :https://app.any.run/tasks/7f3b3ef4-9384-4276-8ed5-34412ff7875d/ Edited January 16, 2020 by Rami Link to comment Share on other sites More sharing options...
itman 1,538 Posted January 16, 2020 Share Posted January 16, 2020 (edited) Quttera flags it as potentially suspicious: https://quttera.com/detailed_report/www.boerse-stuttgart.de Quote /assets/statics/chartiq.js?v=637110457080000000 Severity: Potentially Suspicious Reason: Detected procedure that is commonly used in suspicious activity. Details: Too low entropy detected in string [[' ())))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))']] of length 100 which may point to obfuscation or shellcode. Threat dump: View code Threat dump MD5: 674FEB7593D13ECD11CB235265E0DED3 File size[byte]: 1396190 File type: ASCII Page/File MD5: E3C2CFE36CFC9030463C0E546B7BADD2 Scan duration[sec]: 104.968 Since Eset detected a packed malicious JavaScript, it appears its detection is correct. Edited January 16, 2020 by itman Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 187 Posted January 16, 2020 Most Valued Members Share Posted January 16, 2020 Also any.run detected malicious activity while using Firefox , but didn't when using Internet Explorer and Firefox that's why I got confused. Link to comment Share on other sites More sharing options...
itman 1,538 Posted January 16, 2020 Share Posted January 16, 2020 29 minutes ago, Rami said: Also any.run detected malicious activity while using Firefox , but didn't when using Internet Explorer and Firefox that's why I got confused. Assuming you're running IE11 in AppContainer, it would block any thing from running outside of it. Also, IE11 has built-in protection against cross-scripting attacks. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 187 Posted January 16, 2020 Most Valued Members Share Posted January 16, 2020 19 minutes ago, itman said: Assuming you're running IE11 in AppContainer, it would block any thing from running outside of it. Also, IE11 has built-in protection against cross-scripting attacks. Oh my old friend IE11 is doing good. Link to comment Share on other sites More sharing options...
itman 1,538 Posted January 16, 2020 Share Posted January 16, 2020 18 minutes ago, Rami said: Oh my old friend IE11 is doing good. Not really. Microsoft considers it "abandonware" and is not really providing security enhancements to it anymore. It will patch known security vulnerabilities and that's about it. Ditto for third party sources that have also written it off. I fully expect MS to "pull the plug" on it in the near future since Win 7 is no longer supported. Definitely this will occur when Win 8.1 hits end of life. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 187 Posted January 16, 2020 Most Valued Members Share Posted January 16, 2020 (edited) 1 minute ago, itman said: Not really. Microsoft considers it "abandonware" and is not really providing security enhancements to it anymore. It will patch known security vulnerabilities and that's about it. Ditto for third party sources that have also written it off. I fully expect MS to "pull the plug" on it in the near future since Win 7 is no longer supported. Definitely this will occur when Win 8.1 hits end of life. I still wonder why it's included instead of Edge with servers like 2019 and 2016 But IE is used for example with a software like FortiVPN Client, which will use and take settings from IE , I don't know why , but without it , the software will not work. I don't use IE since Windows XP days. Edited January 16, 2020 by Rami Link to comment Share on other sites More sharing options...
itman 1,538 Posted January 16, 2020 Share Posted January 16, 2020 7 minutes ago, Rami said: I still wonder why it's included instead of Edge with servers like 2019 and 2016 But IE is used for example with a software like FortiVPN Client, which will use and take settings from IE , I don't know why , but without it , the software will not work. According to this: https://azurementor.wordpress.com/2019/03/21/how-to-fix-forticlient-vpn-connection-issue-on-windows-server-2019-azure-vm/ it is only used in VM environment. Link to comment Share on other sites More sharing options...
simplicissimus 1 Posted January 20, 2020 Author Share Posted January 20, 2020 Hello, after some research I have more and more the assumption that the responsible file (chartiq.js) is a false positive: hxxps://www.boerse-stuttgart.de/assets/statics/chartiq.js?v=637110457080000000 It would certainly be a good idea if someone from ESET could check this. Thanks in advance. Link to comment Share on other sites More sharing options...
itman 1,538 Posted January 20, 2020 Share Posted January 20, 2020 13 minutes ago, simplicissimus said: after some research I have more and more the assumption that the responsible file (chartiq.js) is a false positive: hxxps://www.boerse-stuttgart.de/assets/statics/chartiq.js?v=637110457080000000 Contact the web site owner and tell them to remove the obfuscated/suspect hidden code in the script. As it stands presently, Eset has no way of determining if what is hidden is malicious or not. Link to comment Share on other sites More sharing options...
Recommended Posts