popup

Report - InvoicePO-03092021.jar

NPKI OS Processor Check PE File DLL PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.07.07 18:45 Machine s1_win7_x6402
Filename InvoicePO-03092021.jar
Type Zip archive data, at least v2.0 to extract
AI Score Not founds Behavior Score
9.6
ZERO API file : clean
VT API (file) 6 detected (Java, iacgm, Banload, MRAF, Malicious, score)
md5 88811d5b8004bca2c3166e3cedd10fe3
sha256 6a39055318c5ff39bb354e675325e0f929de46455a92117afba43b3824a4da9a
ssdeep 3072:lacjzJ3t108fD2yIYgyZVDP1CdbpL0XVN4vS74xHtrLRJo3a98MbrlbV:laWysD2yIYgofspLsN4vS7Qh3b1V
imphash
impfuzzy
  Network IP location

Signature (22cnts)

Level Description
danger The processes wscript.exe
watch Communicates with host for which no DNS query was performed
watch Executes one or more WMI queries
watch Installs itself for autorun at Windows startup
watch One or more non-whitelisted processes were created
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice File has been identified by 6 AntiVirus engines on VirusTotal as malicious
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Resolves a suspicious Top Level Domain (TLD)
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername

Rules (5cnts)

Level Name Description Collection
danger NPKI_Zero File included NPKI binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)

Network (11cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://ip-api.com/json/
whois
US TUT-AS 208.95.112.1 clean
str-master.pw
whois
Unknown clean
github-releases.githubusercontent.com
whois
US FASTLY 185.199.108.154 clean
github.com
whois
KR AMAZON-02 15.164.81.167 mailcious
ip-api.com
whois
US TUT-AS 208.95.112.1 clean
repo1.maven.org
whois
US FASTLY 199.232.196.209 clean
151.101.196.209
whois
US FASTLY 151.101.196.209 clean
52.78.231.108
whois
KR AMAZON-02 52.78.231.108 malware
185.199.108.154
whois
US FASTLY 185.199.108.154 clean
46.183.221.118
whois
LV DataClub S.A. 46.183.221.118 clean
208.95.112.1
whois
US TUT-AS 208.95.112.1 clean

Suricata ids

ET JA3 Hash - Possible Malware - Java Based RAT
ET MALWARE STRRAT CnC Checkin
ET DNS Query to a *.pw domain - Likely Hostile
ET POLICY External IP Lookup ip-api.com

Similarity measure (PE file only) - Checking for service failure