Summary | ZeroBOX

SI-3023-9552783693PDF.jar

NPKI Generic Malware Malicious Library UPX Malicious Packer MSOffice File PE File DLL OS Processor Check PE32
Category Machine Started Completed
FILE s1_win7_x6403_us Oct. 14, 2021, 6 p.m. Oct. 14, 2021, 6:02 p.m.
Size 4.3MB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: SumatraPDF (Wrapped using MSI Wrapper from exemsi.com), Author: Krzysztof Kowalczyk, Keywords: Installer, Comments: This installer database contains the logic and data required to install SumatraPDF (Wrapped using MSI Wrapper from exemsi.com)., Template: Intel;1033, Revision Number: {CF7B634F-4A07-4116-BEAB-AD2123F1C030}, Create Time/Date: Mon Aug 20 14:56:14 2012, Last Saved Time/Date: Mon Aug 20 14:56:14 2012, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.5.2519.0), Security: 2
MD5 2922d30afb359edde8083596e20601dc
SHA256 10b8de549614240e9f6bcdbd5ac7b9a407760d9a882c8bb6a3e2cb978f0aa916
CRC32 BC0BACEA
ssdeep 98304:P8dUwWyw2YMWN6CfiqdMH64Sz6QK7RpFz2Haq6EByA:0dUqwYWN16WOQK7lzLdKyA
Yara
  • Malicious_Packer_Zero - Malicious Packer
  • Generic_Malware_Zero - Generic Malware
  • Microsoft_Office_File_Zero - Microsoft Office File
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious Library

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49169 -> 151.101.24.209:443 2028375 ET JA3 Hash - Possible Malware - Java Based RAT Unknown Traffic
TCP 192.168.56.103:49167 -> 151.101.24.209:443 2028375 ET JA3 Hash - Possible Malware - Java Based RAT Unknown Traffic
TCP 192.168.56.103:49171 -> 185.199.111.154:443 2028375 ET JA3 Hash - Possible Malware - Java Based RAT Unknown Traffic
TCP 192.168.56.103:49166 -> 52.78.231.108:443 2028375 ET JA3 Hash - Possible Malware - Java Based RAT Unknown Traffic
TCP 192.168.56.103:49168 -> 151.101.24.209:443 2028375 ET JA3 Hash - Possible Malware - Java Based RAT Unknown Traffic
UDP 192.168.56.103:50665 -> 164.124.101.2:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic
UDP 192.168.56.103:53498 -> 164.124.101.2:53 2028675 ET POLICY DNS Query to DynDNS Domain *.ddns .net Potentially Bad Traffic
UDP 192.168.56.103:56357 -> 164.124.101.2:53 2016778 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 147.182.174.188:80 2016777 ET INFO HTTP Request to a *.pw domain Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2 192.168.56.103:49169 -> 151.101.24.209:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021 CN=repo1.maven.org e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0
TLS 1.2 192.168.56.103:49167 -> 151.101.24.209:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021 CN=repo1.maven.org e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0
TLS 1.2 192.168.56.103:49171 -> 185.199.111.154:443
C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com 70:94:de:dd:e6:c4:69:48:3a:92:70:a1:48:56:78:2d:18:64:e0:b7
TLS 1.2 192.168.56.103:49166 -> 52.78.231.108:443
C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1 C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com 84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7
TLS 1.2 192.168.56.103:49168 -> 151.101.24.209:443
C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021 CN=repo1.maven.org e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: ################################################ # # # ## # # ## ### ### ## ### # # # # # # # # # # # # # # # # ### # # ### # # # ## # # # # # ### ### # # # ### # # ### # # # # Obfuscation by Allatori Obfuscator v7.3 DEMO # # # # http://www.allatori.com # # # ################################################
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Starting Download
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Waiting for dependency
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e
exception.instruction: mov eax, dword ptr [esi]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2300202
registers.esp: 4257392
registers.edi: 1
registers.eax: 6
registers.ebp: 1946801344
registers.edx: 0
registers.ebx: 133120
registers.esi: 0
registers.ecx: 3405691582
1 0 0

__exception__

stacktrace:
0x244d1a8
0x23044e0
0x23044e0
0x23044e0
0x23044e0
0x23044e0
0x2304854
0x2304854
0x2304854
0x244fa64
0x23044e0
0x23044e0
0x23044e0
0x244fa04
0x2304854
0x2304889
0x2300697
JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x73e6af45
_JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x73f313ae
JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x73e6afde
JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x73e6b166
JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x73e6b1d7
jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x73e0f36f
JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x73e8dc30
JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x73e8e4aa
_JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x73ed2ec6
_endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x7413c556
_endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x7413c600
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: 85 05 00 01 98 00 8b ca 89 7c 24 70 89 5c 24 74
exception.instruction: test eax, dword ptr [0x980100]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2439e4d
registers.esp: 371715136
registers.edi: 4106256191
registers.eax: 27
registers.ebp: 371715548
registers.edx: 2211358244
registers.ebx: 3964763920
registers.esi: 1879048192
registers.ecx: 1
1 0 0

__exception__

stacktrace:
0x244d1a8
0x23044e0
0x23044e0
0x23044e0
0x23044e0
0x23044e0
0x2304854
0x2304854
0x2304854
0x244fa64
0x23044e0
0x23044e0
0x23044e0
0x244fa04
0x2304854
0x2304889
0x2300697
JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x73e6af45
_JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x73f313ae
JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x73e6afde
JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x73e6b166
JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x73e6b1d7
jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x73e0f36f
JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x73e8dc30
JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x73e8e4aa
_JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x73ed2ec6
_endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x7413c556
_endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x7413c600
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: 85 05 00 01 98 00 8b c3 8b de 89 bc 24 c8 00 00
exception.instruction: test eax, dword ptr [0x980100]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x243a111
registers.esp: 371715136
registers.edi: 2404543057
registers.eax: 0
registers.ebp: 371715548
registers.edx: 736840101
registers.ebx: 656917403
registers.esi: 1599926272
registers.ecx: 75
1 0 0

__exception__

stacktrace:
0x244d1a8
0x23044e0
0x23044e0
0x23044e0
0x23044e0
0x23044e0
0x2304854
0x2452e4c
0x23044e0
0x23044e0
0x23044e0
0x244fa04
0x2304854
0x2304889
0x2300697
JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x73e6af45
_JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x73f313ae
JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x73e6afde
JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x73e6b166
JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x73e6b1d7
jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x73e0f36f
JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x73e8dc30
JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x73e8e4aa
_JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x73ed2ec6
_endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x7413c556
_endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x7413c600
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: 85 05 00 01 98 00 8b 7c 24 2c 8b 54 24 18 83 f9
exception.instruction: test eax, dword ptr [0x980100]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x24430d7
registers.esp: 371715296
registers.edi: 10358
registers.eax: 75482952
registers.ebp: 371715564
registers.edx: 75769704
registers.ebx: 14
registers.esi: 0
registers.ecx: 7
1 0 0

__exception__

stacktrace:

exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e
exception.instruction: mov eax, dword ptr [esi]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2410202
registers.esp: 9761488
registers.edi: 1
registers.eax: 6
registers.ebp: 1945883840
registers.edx: 0
registers.ebx: 16910336
registers.esi: 0
registers.ecx: 3405691582
1 0 0

__exception__

stacktrace:

exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e
exception.instruction: mov eax, dword ptr [esi]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2330202
registers.esp: 33944304
registers.edi: 1
registers.eax: 6
registers.ebp: 1946145984
registers.edx: 0
registers.ebx: 16910336
registers.esi: 0
registers.ecx: 3405691582
1 0 0
domain kmt12.ddns.net
request GET http://str-master.pw/strigoi/server/ping.php?lid=khonsari
domain str-master.pw description Palau domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 163840
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02300000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02328000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02330000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02338000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02340000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02348000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02350000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02358000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02360000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02368000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02370000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02378000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02380000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02388000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02390000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02398000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023a8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023b8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023c0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023c8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023d0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023d8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023e0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023e8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023f0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023f8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02400000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02408000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02410000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02418000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02420000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02428000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02430000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02438000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02440000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02448000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02450000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02458000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 163840
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02410000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02438000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02440000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02448000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02450000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02458000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02460000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02468000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02470000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2748
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02478000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4588229243047918032.dll
file C:\Users\test22\AppData\Local\Temp\jna--877171118\jna829469030207045438.dll
cmdline schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\SI-3023-9552783693PDF.jar"
cmdline cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\SI-3023-9552783693PDF.jar"
file C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4588229243047918032.dll
Cyren Java/Kryptik.L.gen!Eldorado
Symantec Trojan.Appjar!gen1
Avast Java:Malware-gen [Trj]
Kaspersky HEUR:Trojan.Java.Agent.gen
McAfee RDN/MalGenrc
Fortinet Java/GenericGB.29230!tr
AVG Java:Malware-gen [Trj]
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2336
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x16200000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 28
family: 0
1 0 0
cmdline schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\SI-3023-9552783693PDF.jar"
cmdline cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\SI-3023-9552783693PDF.jar"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SI-3023-9552783693PDF reg_value "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\SI-3023-9552783693PDF.jar"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SI-3023-9552783693PDF reg_value "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\SI-3023-9552783693PDF.jar"
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SI-3023-9552783693PDF.jar
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SI-3023-9552783693PDF.jar
cmdline schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\SI-3023-9552783693PDF.jar"
cmdline cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\SI-3023-9552783693PDF.jar"
file C:\Users\test22\SI-3023-9552783693PDF.jar
file C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4588229243047918032.dll
file C:\Users\test22\AppData\Roaming\SI-3023-9552783693PDF.jar
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SI-3023-9552783693PDF.jar
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SI-3023-9552783693PDF.jar
file C:\Users\test22\AppData\Local\Temp\jna--877171118\jna829469030207045438.dll
dead_host 191.101.130.32:1020
dead_host 191.101.130.32:1010