Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
payload.jar
|
Java archive data (JAR)
|
initial sample
|
||
|
C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\hsperfdata_user\1680
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06
|
data
|
dropped
|
||
|
C:\jar\META-INF\MANIFEST.MF
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\jar\Nlb4iMfF.class
|
compiled Java class data, version 51.0 (Java 1.7)
|
dropped
|
||
|
C:\jar\OVkDinfu.jpg
|
JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using
IJG JPEG v62), default quality", baseline, precision 8, 757x548, components 3
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
 |
|
|
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
|
java.exe -jar "C:\Users\user\Desktop\payload.jar" Nlb4iMfF
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
|
|
|
C:\Windows\System32\7za.exe
|
7za.exe x -y -oC:\jar "C:\Users\user\Desktop\payload.jar"
|
||
|
C:\Windows\SysWOW64\icacls.exe
|
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://crl.xrampsecurity.com/XGCA.crl
|
unknown
|
||
|
https://ocsp.quovadisoffshore.comC
|
unknown
|
||
|
http://crl.chambersign.org/chambersroot.crl0
|
unknown
|
||
|
https://repository.luxtrust.lu0
|
unknown
|
||
|
http://bugreport.sun.com/bugreport/
|
unknown
|
||
|
http://cps.chambersign.org/cps/chambersroot.html0
|
unknown
|
||
|
http://java.oracle.com/
|
unknown
|
||
|
http://null.oracle.com/
|
unknown
|
||
|
http://www.chambersign.org1
|
unknown
|
||
|
http://repository.swisssign.com/0
|
unknown
|
||
|
HTTP://WWW.CHAMBERSIGN.ORG
|
unknown
|
||
|
http://policy.camerfirma.com
|
unknown
|
||
|
https://ocsp.quovadisoffshore.com
|
unknown
|
||
|
http://crl.securetrust.com/STCA.crl0
|
unknown
|
||
|
http://www.quovadisglobal.com/cps
|
unknown
|
||
|
http://cps.chambersign.org/cps/chambersroot.html
|
unknown
|
||
|
http://crl.securetrust.com/STCA.crl
|
unknown
|
||
|
https://repository.luxtrust.lu
|
unknown
|
||
|
https://natebetter.com/read.wsf
|
unknown
|
||
|
http://www.quovadisglobal.com/cps0
|
unknown
|
||
|
http://null.oracle.com/B
|
unknown
|
||
|
http://crl.xrampsecurity.com/XGCA.crl0
|
unknown
|
||
|
http://www.quovadis.bm
|
unknown
|
||
|
http://www.quovadis.bm0
|
unknown
|
||
|
http://www.quovadisglobal.com/cpsK
|
unknown
|
||
|
https://ocsp.quovadisoffshore.com0
|
unknown
|
||
|
http://crl.chambersign.org/chambersroot.crl
|
unknown
|
||
|
http://repository.swisssign.com/
|
unknown
|
||
|
http://www.chambersign.org
|
unknown
|
||
|
http://policy.camerfirma.com0
|
unknown
|
There are 20 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
natebetter.com
|
51.222.248.174
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
51.222.248.174
|
natebetter.com
|
France
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
154DD000
|
unkown
|
page read and write
|
||
|
151A3000
|
heap
|
page read and write
|
||
|
1119000
|
heap
|
page read and write
|
||
|
9F50000
|
trusted library allocation
|
page read and write
|
||
|
29BA000
|
trusted library allocation
|
page execute and read and write
|
||
|
123E000
|
stack
|
page read and write
|
||
|
2F80000
|
heap
|
page read and write
|
||
|
4E08000
|
trusted library allocation
|
page read and write
|
||
|
1544E000
|
unkown
|
page read and write
|
||
|
3090000
|
trusted library allocation
|
page read and write
|
||
|
12A0000
|
heap
|
page read and write
|
||
|
15D40000
|
heap
|
page read and write
|
||
|
103A000
|
heap
|
page read and write
|
||
|
4EAB000
|
trusted library allocation
|
page read and write
|
||
|
153FD000
|
stack
|
page read and write
|
||
|
14A90000
|
trusted library allocation
|
page read and write
|
||
|
3009000
|
heap
|
page read and write
|
||
|
29BE000
|
trusted library allocation
|
page execute and read and write
|
||
|
9F64000
|
trusted library allocation
|
page read and write
|
||
|
29CB000
|
trusted library allocation
|
page execute and read and write
|
||
|
1440000
|
heap
|
page read and write
|
||
|
A106000
|
trusted library allocation
|
page read and write
|
||
|
102B000
|
heap
|
page read and write
|
||
|
E8E000
|
stack
|
page read and write
|
||
|
A0D0000
|
trusted library allocation
|
page read and write
|
||
|
1010000
|
unkown
|
page read and write
|
||
|
2EDF000
|
stack
|
page read and write
|
||
|
A188000
|
trusted library allocation
|
page read and write
|
||
|
4C9E000
|
trusted library allocation
|
page read and write
|
||
|
4C7C000
|
trusted library allocation
|
page read and write
|
||
|
A100000
|
trusted library allocation
|
page read and write
|
||
|
A0BD000
|
trusted library allocation
|
page read and write
|
||
|
29C2000
|
trusted library allocation
|
page execute and read and write
|
||
|
B3C000
|
stack
|
page read and write
|
||
|
12C0000
|
heap
|
page read and write
|
||
|
2F9F000
|
stack
|
page read and write
|
||
|
4E16000
|
trusted library allocation
|
page read and write
|
||
|
158FC000
|
trusted library allocation
|
page read and write
|
||
|
EC5000
|
heap
|
page read and write
|
||
|
1556E000
|
unkown
|
page read and write
|
||
|
15608000
|
heap
|
page read and write
|
||
|
2F5E000
|
stack
|
page read and write
|
||
|
EC0000
|
heap
|
page read and write
|
||
|
15198000
|
heap
|
page read and write
|
||
|
14A2B000
|
trusted library allocation
|
page read and write
|
||
|
9F95000
|
trusted library allocation
|
page read and write
|
||
|
A010000
|
trusted library allocation
|
page read and write
|
||
|
12B0000
|
trusted library allocation
|
page read and write
|
||
|
A279000
|
trusted library allocation
|
page read and write
|
||
|
1310000
|
heap
|
page read and write
|
||
|
14E2C000
|
trusted library allocation
|
page read and write
|
||
|
10D3000
|
heap
|
page read and write
|
||
|
2A24000
|
trusted library allocation
|
page execute and read and write
|
||
|
A000000
|
trusted library allocation
|
page read and write
|
||
|
312F000
|
stack
|
page read and write
|
||
|
A00A000
|
trusted library allocation
|
page read and write
|
||
|
163F000
|
stack
|
page read and write
|
||
|
108C000
|
stack
|
page read and write
|
||
|
15786000
|
heap
|
page read and write
|
||
|
A017000
|
trusted library allocation
|
page read and write
|
||
|
118D000
|
stack
|
page read and write
|
||
|
2F85000
|
heap
|
page read and write
|
||
|
1565A000
|
heap
|
page read and write
|
||
|
15600000
|
heap
|
page read and write
|
||
|
150AD000
|
stack
|
page read and write
|
||
|
1020000
|
heap
|
page read and write
|
||
|
2FF8000
|
heap
|
page read and write
|
||
|
A0F6000
|
trusted library allocation
|
page read and write
|
||
|
15800000
|
trusted library allocation
|
page read and write
|
||
|
FEE000
|
stack
|
page read and write
|
||
|
1551D000
|
stack
|
page read and write
|
||
|
1448000
|
heap
|
page read and write
|
||
|
A26C000
|
trusted library allocation
|
page read and write
|
||
|
16140000
|
trusted library allocation
|
page read and write
|
||
|
2FDE000
|
stack
|
page read and write
|
||
|
AEC000
|
stack
|
page read and write
|
||
|
13A0000
|
trusted library allocation
|
page read and write
|
||
|
2FF0000
|
heap
|
page read and write
|
||
|
4CE2000
|
trusted library allocation
|
page read and write
|
||
|
A024000
|
trusted library allocation
|
page read and write
|
||
|
E4F000
|
stack
|
page read and write
|
||
|
129E000
|
stack
|
page read and write
|
||
|
4CB1000
|
trusted library allocation
|
page read and write
|
||
|
A1A5000
|
trusted library allocation
|
page read and write
|
||
|
4980000
|
trusted library allocation
|
page read and write
|
||
|
2F10000
|
heap
|
page read and write
|
||
|
4A00000
|
trusted library allocation
|
page read and write
|
||
|
A10D000
|
trusted library allocation
|
page read and write
|
||
|
29D3000
|
trusted library allocation
|
page execute and read and write
|
||
|
2BBD000
|
stack
|
page read and write
|
||
|
4D93000
|
trusted library allocation
|
page read and write
|
||
|
A179000
|
trusted library allocation
|
page read and write
|
||
|
156D9000
|
heap
|
page read and write
|
||
|
12F0000
|
heap
|
page read and write
|
||
|
2980000
|
trusted library allocation
|
page execute and read and write
|
||
|
A0B0000
|
trusted library allocation
|
page read and write
|
||
|
14AF0000
|
trusted library allocation
|
page read and write
|
||
|
2F00000
|
heap
|
page read and write
|
||
|
157AD000
|
heap
|
page read and write
|
||
|
150FE000
|
unkown
|
page read and write
|
||
|
2A16000
|
trusted library allocation
|
page execute and read and write
|
||
|
2982000
|
trusted library allocation
|
page execute and read and write
|
||
|
2F90000
|
heap
|
page read and write
|
||
|
A118000
|
trusted library allocation
|
page read and write
|
||
|
15C40000
|
trusted library allocation
|
page read and write
|
||
|
11F0000
|
heap
|
page read and write
|
||
|
A0A0000
|
trusted library allocation
|
page read and write
|
||
|
BA0000
|
heap
|
page read and write
|
||
|
9F6A000
|
trusted library allocation
|
page read and write
|
||
|
BF0000
|
heap
|
page read and write
|
||
|
2E20000
|
heap
|
page read and write
|
||
|
3190000
|
heap
|
page read and write
|
||
|
2B7D000
|
stack
|
page read and write
|
||
|
15DA8000
|
heap
|
page read and write
|
||
|
BEE000
|
stack
|
page read and write
|
||
|
A271000
|
trusted library allocation
|
page read and write
|
||
|
A0EF000
|
trusted library allocation
|
page read and write
|
||
|
4CE8000
|
trusted library allocation
|
page read and write
|
||
|
14F52000
|
heap
|
page read and write
|
||
|
2A1D000
|
trusted library allocation
|
page execute and read and write
|
||
|
1240000
|
heap
|
page read and write
|
||
|
A185000
|
trusted library allocation
|
page read and write
|
||
|
9F9B000
|
trusted library allocation
|
page read and write
|
||
|
1548D000
|
stack
|
page read and write
|
||
|
1506E000
|
unkown
|
page read and write
|
||
|
1501D000
|
stack
|
page read and write
|
||
|
15130000
|
heap
|
page read and write
|
||
|
10D7000
|
heap
|
page read and write
|
||
|
1578F000
|
heap
|
page read and write
|
There are 119 hidden memdumps, click here to show them.