Report - ORDER-2320884.jar

Tags: Antivirus, Malicious Library, UPX, MSOffice File, ZIP Format, PE32, PE File, DLL, OS Processor Check
Created: 2023.12.14 10:16
Machine: s1_win7_x6402
Filename: ORDER-2320884.jar
Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Software Update for Web Folders (English) 14, Author: Microsoft Corporation, Keywords: Installe
AI Score: Not found
Behavior Score: 7.6
ZERO API (file): clean
VT API (file): 21 detected (JAVA, Strrat, GenericGBA, csrvpr, Siggen, Eldorado, many, Wacatac, Detected, AppendedJar, ai score=84, Etecer, bZ57dt, AZAV)
md5: c2cfe1bc4cc6ec14cd510cd4ac40d6f5
sha256: a4568e582c1aefd53d5e23a8cf09d5d7ed8af4af1ffebe75dbf8f743df5ad11b
ssdeep: 6144:01kCix3B0FqADA5QDjkeVJDtgslBlYOz1hPkoVsdVhacijUU:06CkA05QDIeVttgOBRzLZydV7gz
imphash: (empty)
impfuzzy: (empty)

Signature (16 counts)

Level    Description
danger   Connects to IP addresses that are no longer responding to requests (legitimate services will usually remain up and running)
warning  File has been identified by 21 AntiVirus engines on VirusTotal as malicious
watch    Installs itself for autorun at Windows startup
watch    The process java.exe wrote an executable file to disk
notice   Allocates read-write-execute memory (usually to unpack itself)
notice   Checks adapter addresses, which can be used to detect virtual network interfaces
notice   Connects to a Dynamic DNS domain
notice   Creates a suspicious process
notice   Creates executable files on the filesystem
notice   Drops an executable to the user AppData folder
notice   One or more potentially interesting buffers were extracted
notice   Uses Windows utilities for basic Windows functionality
info     Checks amount of memory in system
info     Command line console output was observed
info     One or more processes crashed
info     Queries for the computername

Rules (11 counts)

Level  Name                        Description                                       Collection
watch  Antivirus                   Contains references to security software          binaries (download)
watch  Antivirus                   Contains references to security software          binaries (upload)
watch  Malicious_Library_Zero      Malicious_Library                                 binaries (download)
watch  UPX_Zero                    UPX packed file                                   binaries (download)
info   IsDLL                       (no description)                                  binaries (download)
info   IsPE32                      (no description)                                  binaries (download)
info   Microsoft_Office_File_Zero  Microsoft Office File                             binaries (download)
info   Microsoft_Office_File_Zero  Microsoft Office File                             binaries (upload)
info   OS_Processor_Check_Zero     OS Processor Check                                binaries (download)
info   PE_Header_Zero              PE File Signature                                 binaries (download)
info   zip_file_format             ZIP file format                                   binaries (download)

Network (8 counts)

Request                         CC  ASN Co                         IP4              Rule (ZERO)
objects.githubusercontent.com   US  FASTLY                         185.199.108.133  malware
jinvestments.duckdns.org        SG  M247 Ltd                       103.47.144.44    clean
github.com                      US  MICROSOFT-CORP-MSN-AS-BLOCK    20.200.245.247   malicious
repo1.maven.org                 US  FASTLY                         199.232.196.209  clean
151.101.196.209                 US  FASTLY                         151.101.196.209  clean
185.199.109.133                 US  FASTLY                         185.199.109.133  malicious
20.200.245.247                  US  MICROSOFT-CORP-MSN-AS-BLOCK    20.200.245.247   malware
103.47.144.44                   SG  M247 Ltd                       103.47.144.44    clean

Suricata ids