Interlock ransomware-linked JavaScript loader (it downloads Node.js and executes via node.exe instead of wscript.exe), mentioned in the Sekoia report. PCAP here: 57eed5ac287a103b43007d27312fbdc6e70fe32b3e3dc3286847fdcf86330d33 | Triage. It looks to use various URLs, IPs and trycloudflare domains for this, but appears to use plain HTTP for communication even to Cloudflare rather than HTTPS (although there is no reason it couldn't).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE JavaScript Loader Associated With Interlock Ransomware"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/init1234"; http_uri; fast_pattern:only; content:!"User-Agent|3A|"; http_header; content:!"Referer|3A|"; http_header; content:"Content-Type|3A| application/octet-stream"; http_header; classtype:trojan-activity; reference:url,Interlock ransomware evolving under the radar - Sekoia.io Blog; sid:149050; rev:1;)
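As an added example (not part of the original submission or the ET ruleset), the same match conditions reimplemented in Python so the logic can be sanity-checked against requests carved from the PCAP before the rule is deployed: POST, a 9-byte URI containing /init1234, no User-Agent and no Referer header, and a Content-Type of application/octet-stream. The sample requests below are constructed, not taken from the capture.

```python
from typing import Dict, Tuple

# Constructed sample requests (not from the PCAP) used to exercise the checks.
MATCHING_REQUEST = (
    "POST /init1234 HTTP/1.1\r\n"
    "Host: example.trycloudflare.com\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 0\r\n\r\n"
)
BENIGN_REQUEST = (
    "POST /init1234 HTTP/1.1\r\n"
    "Host: example.trycloudflare.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, uri, headers).

    Header names are kept in their original case because the rule's negated
    content matches have no 'nocase' modifier and are therefore case-sensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, uri, headers


def matches_interlock_loader_rule(raw: str) -> bool:
    """Return True when the request satisfies every condition of the rule."""
    method, uri, headers = parse_request(raw)
    if method != "POST":
        return False
    # urilen:9 plus content:"/init1234"; http_uri -> the URI must be exactly that path,
    # so a query string such as /init1234?x=1 does not match.
    if len(uri) != 9 or "/init1234" not in uri:
        return False
    # Negated header matches: the loader sends neither header.
    if "User-Agent" in headers or "Referer" in headers:
        return False
    return headers.get("Content-Type", "").startswith("application/octet-stream")
```

Requests exported from the capture (for example with Wireshark's "Export Objects" or a Zeek http.log reconstruction) can be fed through `matches_interlock_loader_rule` to confirm the beacon shape before the signature is enabled.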