popup

Report - AP Payout Report.jar

NPKI Malicious Packer Malicious Library OS Processor Check PE File DLL PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.09.14 09:09 Machine s1_win7_x6403
Filename AP Payout Report.jar
Type Zip archive data, at least v2.0 to extract
AI Score Not founds Behavior Score
8.6
ZERO API file : clean
VT API (file) 4 detected (a variant of Java, Java, csrvpr, Artemis)
md5 277697dfa8824470aa492cdb6a4e9d5a
sha256 533df15d3c8d48a022a265bbec33197eb2b36f395d45d75ab3a6188a968b1904
ssdeep 3072:VHKdXxNp5rO4kDMYtoUx8ZwTApsuJd9ig1MT3q4yAhqlmAbEstyw673:VHKPNrrsDMYSUdUdzzMT3q5hlmmKj
imphash
impfuzzy
  Network IP location

Signature (22cnts)

Level Description
watch Executes one or more WMI queries
watch Harvests credentials from local email clients
watch Installs itself for autorun at Windows startup
watch The process java.exe wrote an executable file to disk
notice Allocates read-write-execute memory (usually to unpack itself)
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Checks adapter addresses which can be used to detect virtual network interfaces
notice Connects to a Dynamic DNS Domain
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Drops an executable to the user AppData folder
notice Executes one or more WMI queries which can be used to identify virtual machines
notice File has been identified by 4 AntiVirus engines on VirusTotal as malicious
notice Looks up the external IP address
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Command line console output was observed
info One or more processes crashed
info Queries for the computername

Rules (7cnts)

Level Name Description Collection
danger NPKI_Zero File included NPKI binaries (download)
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info OS_Processor_Check_Zero OS Processor Check binaries (download)
info PE_Header_Zero PE File Signature binaries (download)

Network (11cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://ip-api.com/json/
whois
US TUT-AS 208.95.112.1 clean
github-releases.githubusercontent.com
whois
US FASTLY 185.199.108.154 clean
github.com
whois
KR AMAZON-02 15.164.81.167 mailcious
ip-api.com
whois
US TUT-AS 208.95.112.1 clean
stracc1.ddnsking.com
whois
CH Fink Telecom Services 79.134.225.104 mailcious
repo1.maven.org
whois
US FASTLY 199.232.196.209 clean
79.134.225.104
whois
CH Fink Telecom Services 79.134.225.104 mailcious
151.101.196.209
whois
US FASTLY 151.101.196.209 clean
52.78.231.108
whois
KR AMAZON-02 52.78.231.108 malware
185.199.111.154
whois
US FASTLY 185.199.111.154 clean
208.95.112.1
whois
US TUT-AS 208.95.112.1 clean

Suricata ids

ET JA3 Hash - Possible Malware - Java Based RAT
ET POLICY DNS Query to DynDNS Domain *.ddnsking .com
ET POLICY External IP Lookup ip-api.com
ET MALWARE STRRAT CnC Checkin

Similarity measure (PE file only) - Checking for service failure