Category | Machine | Started | Completed |
---|---|---|---|
FILE | s1_win7_x6402 | July 7, 2021, 11:12 p.m. | July 7, 2021, 11:15 p.m. |
Process | PID | Command line |
---|---|---|
java.exe | 912 | "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar C:\Users\test22\AppData\Local\Temp\InvoicePO-03092021.jar |
javaw.exe | 1952 | "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\qktfimippt.txt" |
java.exe | 1312 | "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\qktfimippt.txt" |
cmd.exe | 2472 | cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt" |
schtasks.exe | 300 | schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt" |
java.exe | 2220 | "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\AppData\Roaming\qktfimippt.txt" |
cmd.exe | 876 | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list" |
WMIC.exe | 236 | wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list |
cmd.exe | 3024 | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list" |
WMIC.exe | 2004 | wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list |
cmd.exe | 2136 | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list" |
WMIC.exe | 896 | wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list |
cmd.exe | 2632 | cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list" |
WMIC.exe | 2604 | wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list |
Name | Response | Post-Analysis Lookup |
---|---|---|
repo1.maven.org | CNAME sonatype.map.fastly.net | 199.232.196.209 |
edgedl.me.gvt1.com | 34.104.35.123 | |
str-master.pw | | |
github-releases.githubusercontent.com | 185.199.111.154 | |
github.com | 52.78.231.108 | |
ip-api.com | 208.95.112.1 | |
Suricata Alerts
Suricata TLS
Flow | Issuer | Subject | Fingerprint |
---|---|---|---|
TLS 1.2 192.168.56.102:49166 151.101.40.209:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org | 74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd |
TLS 1.2 192.168.56.102:49165 52.78.231.108:443 | C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1 | C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com | 84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7 |
TLS 1.2 192.168.56.102:49167 151.101.40.209:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org | 74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd |
TLS 1.2 192.168.56.102:49168 151.101.40.209:443 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | C=US, ST=Maryland, L=Fulton, O=Sonatype, Inc, CN=repo1.maven.org | 74:54:1d:15:cf:77:9e:e8:00:c2:ea:0d:77:6e:d3:02:51:0f:15:dd |
TLS 1.2 192.168.56.102:49169 185.199.111.154:443 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com | 70:94:de:dd:e6:c4:69:48:3a:92:70:a1:48:56:78:2d:18:64:e0:b7 |
TLS 1.2 192.168.56.102:49186 172.217.161.131:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | f6:fd:3d:f7:f5:a4:58:28:2f:0c:7e:7d:9d:80:25:2b:b6:a2:84:72 |
suspicious_features | POST method with no referer header | suspicious_request | POST https://update.googleapis.com/service/update2?cup2key=10:1185578559&cup2hreq=210abae0c0bf4c085ef3a032bf41ca5b683c508249b56d231bc6b32b3afcc509 |
request | GET http://ip-api.com/json/ |
request | HEAD http://edgedl.me.gvt1.com/edgedl/release2/chrome/ANHii5UY3d-4EiotgE5WL8M_91.0.4472.124/91.0.4472.124_chrome_installer.exe |
request | GET http://edgedl.me.gvt1.com/edgedl/release2/chrome/ANHii5UY3d-4EiotgE5WL8M_91.0.4472.124/91.0.4472.124_chrome_installer.exe |
request | POST https://update.googleapis.com/service/update2?cup2key=10:1185578559&cup2hreq=210abae0c0bf4c085ef3a032bf41ca5b683c508249b56d231bc6b32b3afcc509 |
request | POST https://update.googleapis.com/service/update2?cup2key=10:1185578559&cup2hreq=210abae0c0bf4c085ef3a032bf41ca5b683c508249b56d231bc6b32b3afcc509 |
domain | str-master.pw | description | Palau domain TLD |
domain | ip-api.com |
file | C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3759689004139445972.dll |
file | C:\Users\test22\bqqnjhotkk.js |
file | C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3187857898507258642.dll |
cmdline | schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt" |
cmdline | cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt" |
cmdline | wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list |
cmdline | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list" |
cmdline | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list" |
cmdline | cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list" |
cmdline | wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list |
cmdline | wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list |
cmdline | wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list |
cmdline | cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list" |
file | C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3187857898507258642.dll |
Cyren | JS/Agent.AUY |
Kaspersky | HEUR:Trojan.Java.Agent.gen |
NANO-Antivirus | Trojan.Script.Heuristic-js.iacgm |
McAfee-GW-Edition | BehavesLike.Downloader.cc |
Avira | EXP/JAVA.Banload.MRAF.Gen |
Cynet | Malicious (score: 99) |
wmi | SELECT VolumeSerialNumber FROM win32_logicaldisk |
host | 46.183.221.118 |
reg_key | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qktfimippt | reg_value | "C:\Users\test22\AppData\Roaming\qktfimippt.txt" |
reg_key | HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qktfimippt | reg_value | "C:\Users\test22\AppData\Roaming\qktfimippt.txt" |
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qktfimippt.txt |
file | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\qktfimippt.txt |
cmdline | schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt" |
cmdline | cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\qktfimippt.txt" |
wmi | SELECT Caption, OSArchitecture FROM win32_operatingsystem |
wmi | SELECT displayName FROM antivirusproduct |
wmi | SELECT VolumeSerialNumber FROM win32_logicaldisk |
wmi | SELECT Version FROM win32_operatingsystem |
file | C:\Users\test22\Documents\Outlook 파일\Outlook.pst |
parent_process | wscript.exe | martian_process | C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe -jar "C:\Users\test22\AppData\Roaming\qktfimippt.txt" |
parent_process | wscript.exe | martian_process | "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\qktfimippt.txt" |
file | C:\Windows\SysWOW64\wscript.exe |
file | C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe |
file | C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3187857898507258642.dll |
file | C:\Users\test22\AppData\Local\Temp\jna--877171118\jna3759689004139445972.dll |