Analysis Report Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar

Overview

General Information

Sample Name: Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar
Analysis ID: 356987
MD5: 5435ec679cdd07fe6f4fc6f49a117ea8
SHA1: eab4494e7db4bcbebf9dc5c0197ce0081a6dda6e
SHA256: 5a962977909fafba0a1c202306068bd5f8297335b16989a07c1f119302155c84

Detection

STRRAT
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected STRRAT
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys to launch java
Creates multiple autostart registry keys
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Allatori_JAR_Obfuscator
Contains capabilities to detect virtual machines
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installed Java version
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.154:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49729 version: TLS 1.2

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Process created: C:\Windows\SysWOW64\wscript.exe

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
Uses dynamic DNS services
Source: unknown DNS query: name: pluginserver.duckdns.org
Source: unknown DNS query: name: strizzz100.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49728 -> 107.175.144.243:4040
Source: global traffic TCP traffic: 192.168.2.3:49732 -> 23.239.31.129:54557
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.23.99.190 104.23.99.190
Source: Joe Sandbox View IP Address: 23.239.31.129 23.239.31.129
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: d2935c58fe676744fecc8614ee5356c7
Source: unknown DNS traffic detected: queries for: repo1.maven.org
Source: java.exe, 0000000D.00000002.252198805.0000000005052000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520685745.0000000009F96000.00000004.00000001.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
Source: javaw.exe, 0000000B.00000002.240730122.000000000A276000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: javaw.exe, 0000000B.00000002.238279843.0000000004EEF000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt3
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt;S
Source: javaw.exe, 0000000B.00000002.238100254.0000000004E6C000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crtA
Source: javaw.exe, 0000000B.00000002.238100254.0000000004E6C000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crtA0
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crtCp3
Source: javaw.exe, 0000000B.00000002.238279843.0000000004EEF000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crts
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt3r3
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crlC5
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crlK
Source: javaw.exe, 0000000B.00000002.238279843.0000000004EEF000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl
Source: javaw.exe, 0000000B.00000002.240730122.000000000A276000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: javaw.exe, 0000000B.00000002.238100254.0000000004E6C000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crlA0
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crlk
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
Source: javaw.exe, 0000000B.00000002.241025352.000000000A317000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl
Source: javaw.exe, 0000000B.00000002.240730122.000000000A276000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl;
Source: javaw.exe, 0000000B.00000002.238100254.0000000004E6C000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crlA
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crlk
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: java.exe, 00000006.00000002.207053367.0000000004800000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238616990.0000000009FA2000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253246566.000000000A5A2000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520749260.0000000009FA0000.00000004.00000001.sdmp String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000010.00000002.515417464.0000000004BAB000.00000004.00000001.sdmp String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
Source: javaw.exe, 0000000B.00000003.228995438.00000000150EA000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.239181413.000000000A03C000.00000004.00000001.sdmp, java.exe, 0000000D.00000003.248758362.0000000015676000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253348649.000000000A630000.00000004.00000001.sdmp, java.exe, 00000010.00000003.277137784.0000000014FD2000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521112026.000000000A02F000.00000004.00000001.sdmp String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0F
Source: javaw.exe, 0000000B.00000002.241025352.000000000A317000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0K
Source: javaw.exe, 0000000B.00000002.240730122.000000000A276000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0M
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com3
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com;
Source: javaw.exe, 0000000B.00000002.238100254.0000000004E6C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.comA0
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.comC
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.comK
Source: javaw.exe, 0000000B.00000002.238279843.0000000004EEF000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.coms
Source: wscript.exe, 0000000A.00000003.214763026.0000000004F0D000.00000004.00000001.sdmp String found in binary or memory: http://ops.com.pa/jre7.zip
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp String found in binary or memory: http://str-master.pw
Source: java.exe, 00000010.00000002.517809140.0000000004DC1000.00000004.00000001.sdmp String found in binary or memory: http://str-master.pw/strigoi/server/ping.php
Source: java.exe, 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp String found in binary or memory: http://str-master.pw/strigoi/server/ping.php?
Source: java.exe, 00000010.00000002.517809140.0000000004DC1000.00000004.00000001.sdmp String found in binary or memory: http://str-master.pw/strigoi/server/ping.php?lid=
Source: java.exe, 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp, java.exe, 00000010.00000002.517809140.0000000004DC1000.00000004.00000001.sdmp String found in binary or memory: http://str-master.pw/strigoi/server/ping.php?lid=RUGR-ATSN-D14P-VBXX-49LW
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: javaw.exe, 0000000B.00000002.242664932.000000001582F000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: javaw.exe, 0000000B.00000002.238594494.0000000009FA0000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253231810.000000000A5A0000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520726996.0000000009F9E000.00000004.00000001.sdmp String found in binary or memory: http://www.allatori.com
Source: javaw.exe, 0000000B.00000002.240871910.000000000A2CE000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/
Source: java.exe, 0000000D.00000003.248758362.0000000015676000.00000004.00000001.sdmp, java.exe, 00000010.00000003.277137784.0000000014FD2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.txt
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: javaw.exe, 0000000B.00000002.242664932.000000001582F000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: javaw.exe, 0000000B.00000002.240871910.000000000A2CE000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: javaw.exe, 0000000B.00000002.238157882.0000000004EA7000.00000004.00000001.sdmp String found in binary or memory: https://api.github.com/_private/browser/errors
Source: javaw.exe, 0000000B.00000002.240730122.000000000A276000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238157882.0000000004EA7000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.240964215.000000000A300000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.240871910.000000000A2CE000.00000004.00000001.sdmp String found in binary or memory: https://github-releases.githubusercontent.com/51361554/623ef000-9da4-11e9-9ea2-d90155318994?X-Amz-Al
Source: javaw.exe, 0000000B.00000002.238456779.0000000009F50000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253150120.000000000A550000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520395442.0000000009F50000.00000004.00000001.sdmp String found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 0000000B.00000002.238456779.0000000009F50000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253150120.000000000A550000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520395442.0000000009F50000.00000004.00000001.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar
Source: javaw.exe, 0000000B.00000002.238456779.0000000009F50000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238481797.0000000009F6E000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253150120.000000000A550000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520395442.0000000009F50000.00000004.00000001.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar
Source: javaw.exe, 0000000B.00000002.238456779.0000000009F50000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.237181358.0000000004A90000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253150120.000000000A550000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520395442.0000000009F50000.00000004.00000001.sdmp String found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: javaw.exe, 0000000B.00000002.238279843.0000000004EEF000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS3
Source: javaw.exe, 0000000B.00000002.238100254.0000000004E6C000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPSA
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPSc
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPSk
Source: javaw.exe, 0000000B.00000002.238279843.0000000004EEF000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPSs
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.108.154:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49729 version: TLS 1.2

System Summary:

Yara signature match
Source: 00000006.00000002.207844794.0000000014D78000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000002.00000003.200309664.0000000002C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: Process Memory Space: 7za.exe PID: 384, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: C:\jar\keuqzwqbvn\resources\umxybpjabc, type: DROPPED Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: C:\Users\user\fukvowbkrs.js, type: DROPPED Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: classification engine Classification label: mal80.troj.expl.evad.winJAR@34/30@13/7
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe File created: C:\Users\user\fukvowbkrs.js
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:384:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3096:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6364:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4904:120:WilError_01
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\7za.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: javaw.exe String found in binary or memory: k.in-addr.arpa
Source: java.exe String found in binary or memory: J-addWaiter
Source: java.exe String found in binary or memory: k.in-addr.arpa
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar'
Source: unknown Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar'
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c java.exe -jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' keuqzwqbvn.Mmwwrnygnfl >> C:\cmdlinestart.log 2>&1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe java.exe -jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' keuqzwqbvn.Mmwwrnygnfl
Source: unknown Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\fukvowbkrs.js
Source: unknown Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: unknown Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\vmlpusjwhz.txt'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: unknown Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: unknown Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
Source: unknown Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
Source: unknown Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
Source: unknown Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
Source: unknown Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
Source: unknown Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe java.exe -jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' keuqzwqbvn.Mmwwrnygnfl Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\fukvowbkrs.js Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt' Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\vmlpusjwhz.txt' Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt' Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior

Data Obfuscation:

Yara detected Allatori_JAR_Obfuscator
Source: Yara match File source: 00000010.00000002.520726996.0000000009F9E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.352640886.000000000461D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.520047801.000000000A56A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.520214796.000000000A5A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.352612506.0000000004610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.238594494.0000000009FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.317682510.0000000004E1D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.253231810.000000000A5A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.238481797.0000000009F6E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.317809866.0000000004E65000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.520453366.0000000009F6C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.352788509.0000000004665000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.317648149.0000000004E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.253164708.000000000A56E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 720, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 4952, type: MEMORY
Source: Yara match File source: Process Memory Space: javaw.exe PID: 3164, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 6_2_0277B377 push 00000000h; mov dword ptr [esp], esp 6_2_0277B39D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 6_2_0277BB27 push 00000000h; mov dword ptr [esp], esp 6_2_0277BB4D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 6_2_0277B907 push 00000000h; mov dword ptr [esp], esp 6_2_0277B92D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 6_2_0277A1DB push ecx; ret 6_2_0277A1E5
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 6_2_0277A1CA push ecx; ret 6_2_0277A1DA
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 6_2_0277C437 push 00000000h; mov dword ptr [esp], esp 6_2_0277C45D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 6_2_02782D44 push eax; retf 6_2_02782D45
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 6_2_0281FFF0 pushad ; iretd 6_2_0281FFF1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 6_2_02817C51 push cs; retf 6_2_02817C71
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Code function: 11_3_150F0869 push ds; retf 11_3_150F086A
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Code function: 11_3_150F0869 push ds; retf 11_3_150F086A
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Code function: 11_3_150F0869 push ds; retf 11_3_150F086A
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Code function: 11_3_150F0869 push ds; retf 11_3_150F086A
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C721CD push esi; retf 13_3_15C721CE
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C7C1D1 push esi; retf 13_3_15C7C1D2
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C7BFD0 push edi; retf 13_3_15C7BFE6
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C7BFE9 push esi; retf 13_3_15C7BFEA
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C73FF3 push eax; retf 13_3_15C73FFE
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C71BF9 push esi; retf 13_3_15C71C2A
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C7C180 push edi; retf 13_3_15C7C196
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C7C198 push edi; retf 13_3_15C7C1CE
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C7BDA5 pushad ; retf 0015h 13_3_15C7BDA6
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C7BDA1 push edx; retf 13_3_15C7BD96
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C7BDA9 push edx; retf 13_3_15C7BD96
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C72151 push ebp; retf 13_3_15C72152
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C7BD67 push edx; retf 13_3_15C7BD96
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C7BF61 push ebp; retf 13_3_15C7BF62
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C71B69 push edx; retf 13_3_15C71B6A
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C71507 push edx; retf 13_3_15C71512
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C7BD01 push ebx; retf 13_3_15C7BD02
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 13_3_15C71515 push esi; retf 13_3_15C71516

Persistence and Installation Behavior:

Exploit detected, runtime environment dropped PE file
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: jna7235467147341798336.dll.13.dr Jump to dropped file
Note: "Exploit detected" is the sandbox's label for a managed runtime (here java.exe) dropping a PE file or starting child processes. The sample was launched with java.exe -jar and runs as ordinary Java code; no JRE vulnerability is involved.
Drops PE files
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\AppData\Local\Temp\jna-99048687\jna8178706811767784369.dll Jump to dropped file
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\AppData\Local\Temp\jna-99048687\jna6181350368483245817.dll Jump to dropped file
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\AppData\Local\Temp\jna-99048687\jna7235467147341798336.dll Jump to dropped file
Note: the jna-<id>\jna<random>.dll files are the native stub that the Java Native Access (JNA) library unpacks from its own jar into %TEMP% at load time. The drop itself is library behaviour; the indicator is that each STRRAT stage bundles and loads JNA from a user-profile jar.

Boot Survival:

Creates autostart registry keys to launch java
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run plugins "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\plugins.jar" mp
Creates multiple autostart registry keys
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run plugins
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vmlpusjwhz Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vmlpusjwhz.txt Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vmlpusjwhz.txt Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\vmlpusjwhz.txt Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vmlpusjwhz Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vmlpusjwhz Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run plugins
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run plugins
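The Boot Survival entries above show the three persistence paths this sample uses at once: Run values written by the JVM, a scheduled task named Skype whose target is a .txt file, and copies of the same .txt in both Startup folders, with javaw.exe -jar later executing that .txt as a jar. The following detector is an added example, not part of the sandbox report, that runs over behaviour lines in the report's own "Source: <process> <event>: <details>" layout and emits one finding per persistence technique. The sample lines are constructed from the entries above (plus one benign notepad line that must not fire); the EXEC_EXTS set and the AppData heuristic for scheduled tasks are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: behaviour lines copied from the report entries above,
# plus the notepad volume query as a negative case.
SAMPLE_LINES = r"""
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run plugins "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\plugins.jar" mp
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vmlpusjwhz
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vmlpusjwhz.txt
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\vmlpusjwhz.txt VolumeInformation
"""

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) "
    r"(?P<event>Registry value created or modified|Process created|File created|Queries volume information): "
    r"(?P<details>.*)$"
)
RUN_KEY_RE = re.compile(r"^(?P<key>HKEY_[^ ]+\\CurrentVersion\\Run) (?P<name>\S+)(?: (?P<data>.+))?$")
SCHTASKS_RE = re.compile(r"schtasks\s+/create\b.*?/tn\s+(?P<tn>\S+).*?/tr\s+['\"]?(?P<tr>[^'\"]+)", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Assumption: extensions a legitimate scheduled-task target normally carries.
EXEC_EXTS = {"exe", "bat", "cmd", "ps1", "vbs", "js", "jar"}


@dataclass(frozen=True)
class Finding:
    technique: str  # run_key | scheduled_task | startup_folder | jar_masquerade
    source: str     # image name of the process that produced the event
    evidence: str


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _jar_target(cmdline):
    """Return the path handed to -jar (quoted or bare), or None if no -jar is present."""
    m = re.search(r"-jar\s+(['\"])(?P<path>.+?)\1", cmdline) or re.search(r"-jar\s+(?P<path>\S+)", cmdline)
    return m.group("path") if m else None


def detect(lines):
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        source, event, details = m.group("source", "event", "details")
        src = source.rsplit("\\", 1)[-1].lower()
        jar = _jar_target(details)
        if event == "Registry value created or modified":
            r = RUN_KEY_RE.match(details)
            if r:
                # A Run value written by java.exe itself is the persistence this sample relies on.
                evidence = f"{r.group('key')}\\{r.group('name')}"
                findings.append(Finding("run_key", src, evidence + (f" -> {jar}" if jar else "")))
        elif event == "File created" and STARTUP_RE.search(details):
            findings.append(Finding("startup_folder", src, details))
        elif event == "Process created":
            s = SCHTASKS_RE.search(details)
            if s and (_ext(s.group("tr")) not in EXEC_EXTS or "\\appdata\\" in s.group("tr").lower()):
                findings.append(Finding("scheduled_task", src, f"/tn {s.group('tn')} /tr {s.group('tr')}"))
        # A jar launched from a file not named *.jar is the .txt masquerade seen in this report.
        if jar and _ext(jar) != "jar":
            findings.append(Finding("jar_masquerade", src, jar))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LINES.splitlines()):
        print(f"{f.technique:16} {f.source:12} {f.evidence}")
```

The same four checks map directly onto host telemetry: Run-key writes and Startup-folder file creates from a JVM image, schtasks /create with a non-executable or user-profile target, and any java.exe/javaw.exe command line whose -jar argument does not end in .jar.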

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Uses cacls to modify the permissions of files
Source: unknown Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Note: this icacls call on C:\ProgramData\Oracle\Java\.oracle_jre_usage is issued by the Oracle JRE launcher's usage tracker whenever java.exe starts on Windows; on its own it is not an indicator of this sample.
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Note: the wscript.exe query of the VMware CD-ROM device is the only evidence of a check here. The VirtualMachineError, SUNVMCID, OMGVMCID and Hyper-V strings listed further down are JDK class names and Windows resource messages present in every JVM and WSH process, not code of the sample.
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: java.exe, 00000006.00000003.203419915.0000000014C60000.00000004.00000001.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000006.00000003.203419915.0000000014C60000.00000004.00000001.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000006.00000002.207991849.0000000014FD0000.00000002.00000001.sdmp, wscript.exe, 0000000A.00000002.220344385.0000000005AB0000.00000002.00000001.sdmp, javaw.exe, 0000000B.00000002.242535927.00000000156C0000.00000002.00000001.sdmp, java.exe, 0000000D.00000002.256904173.0000000015870000.00000002.00000001.sdmp, java.exe, 00000010.00000002.531541742.0000000015FF0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: java.exe, 00000006.00000002.206842992.0000000002675000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.236445612.0000000002870000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.251699367.0000000002DE0000.00000004.00000001.sdmp, java.exe, 00000010.00000002.512262138.0000000002730000.00000004.00000001.sdmp Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000006.00000002.206842992.0000000002675000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.236445612.0000000002870000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.251699367.0000000002DE0000.00000004.00000001.sdmp, java.exe, 00000010.00000002.512262138.0000000002730000.00000004.00000001.sdmp Binary or memory string: |[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000006.00000003.203419915.0000000014C60000.00000004.00000001.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000006.00000003.203419915.0000000014C60000.00000004.00000001.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000006.00000002.207991849.0000000014FD0000.00000002.00000001.sdmp, wscript.exe, 0000000A.00000002.220344385.0000000005AB0000.00000002.00000001.sdmp, javaw.exe, 0000000B.00000002.242535927.00000000156C0000.00000002.00000001.sdmp, java.exe, 0000000D.00000002.256904173.0000000015870000.00000002.00000001.sdmp, java.exe, 00000010.00000002.531541742.0000000015FF0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: java.exe, 00000006.00000002.207991849.0000000014FD0000.00000002.00000001.sdmp, wscript.exe, 0000000A.00000002.220344385.0000000005AB0000.00000002.00000001.sdmp, javaw.exe, 0000000B.00000002.242535927.00000000156C0000.00000002.00000001.sdmp, java.exe, 0000000D.00000002.256904173.0000000015870000.00000002.00000001.sdmp, java.exe, 00000010.00000002.531541742.0000000015FF0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: java.exe, 00000006.00000002.206791495.0000000000ADB000.00000004.00000020.sdmp, javaw.exe, 0000000B.00000002.236307282.0000000000F08000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: java.exe, 00000006.00000002.207991849.0000000014FD0000.00000002.00000001.sdmp, wscript.exe, 0000000A.00000002.220344385.0000000005AB0000.00000002.00000001.sdmp, javaw.exe, 0000000B.00000002.242535927.00000000156C0000.00000002.00000001.sdmp, java.exe, 0000000D.00000002.256904173.0000000015870000.00000002.00000001.sdmp, java.exe, 00000010.00000002.531541742.0000000015FF0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Memory protected: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe java.exe -jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' keuqzwqbvn.Mmwwrnygnfl Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\fukvowbkrs.js Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt' Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\vmlpusjwhz.txt' Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt' Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
Source: java.exe, 00000010.00000002.511334653.0000000001070000.00000002.00000001.sdmp, notepad.exe, 00000015.00000002.512497714.0000014F58C60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: java.exe, 00000010.00000002.511334653.0000000001070000.00000002.00000001.sdmp, notepad.exe, 00000015.00000002.512497714.0000014F58C60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: java.exe, 00000010.00000002.511334653.0000000001070000.00000002.00000001.sdmp, notepad.exe, 00000015.00000002.512497714.0000014F58C60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: java.exe, 00000010.00000002.511334653.0000000001070000.00000002.00000001.sdmp, notepad.exe, 00000015.00000002.512497714.0000014F58C60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 6_2_02770380 cpuid 6_2_02770380
Queries the installed Java version
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\vmlpusjwhz.txt VolumeInformation
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\vmlpusjwhz.txt VolumeInformation
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\vmlpusjwhz.txt VolumeInformation
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\vmlpusjwhz.txt VolumeInformation
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected STRRAT
Source: Yara match File source: 00000018.00000002.521334832.000000000A810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.519763899.0000000004ECD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.517833863.000000000543D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.252958465.0000000005427000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.252569519.00000000051C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 720, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 4952, type: MEMORY

Remote Access Functionality:

Yara detected STRRAT
Source: Yara match File source: 00000018.00000002.521334832.000000000A810000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.519763899.0000000004ECD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.517833863.000000000543D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.252958465.0000000005427000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.252569519.00000000051C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 720, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 4952, type: MEMORY
Behavior Graph

Behavior Graph ID: 356987. Sample: Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar. Start date: 23/02/2021. Architecture: WINDOWS. Score: 80.
Graph-level signatures: Yara detected STRRAT; Connects to a pastebin service (likely for C&C); Uses dynamic DNS services; 3 other signatures.
Process tree, dropped files and network contacts recovered from the graph (the rendered graph is not reproduced):

cmd.exe
  conhost.exe
  java.exe  (Exploit detected, runtime environment starts unknown processes)
    icacls.exe
      conhost.exe
    wscript.exe
      javaw.exe  (sonatype.map.fastly.net 199.232.192.209, ports 443, 49718, 49719, FASTLYUS; github.com 140.82.121.3, ports 443, 49721, GITHUBUS; 3 other IPs or domains)
        java.exe  (drops C:\Users\user\AppData\...\vmlpusjwhz.txt [Zip] and C:\Users\user\...\jna7235467147341798336.dll [PE32]; Creates multiple autostart registry keys)
          conhost.exe
          cmd.exe
            conhost.exe
            schtasks.exe
          java.exe  (strizzz100.duckdns.org 107.175.144.243, ports 1071, 4040, AS-COLOCROSSINGUS; str-master.pw; drops C:\Users\user\AppData\Roaming\plugins.jar [Zip] and C:\Users\user\...\jna6181350368483245817.dll [PE32])
cmd.exe
  conhost.exe
  7za.exe
  java.exe  (pluginserver.duckdns.org 23.239.31.129, port 54557, LINODE-APLinodeLLCUS; str-master.pw; 2 other IPs or domains; drops C:\Users\user\...\jna8178706811767784369.dll [PE32]; Creates autostart registry keys to launch java; Creates multiple autostart registry keys)
    conhost.exe
notepad.exe
5 other processes

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name              Malicious
104.23.99.190    unknown  United States  13335  CLOUDFLARENETUS       false
23.239.31.129    unknown  United States  63949  LINODE-APLinodeLLCUS  true
199.232.192.209  unknown  United States  54113  FASTLYUS              false
185.199.108.154  unknown  Netherlands    54113  FASTLYUS              false
140.82.121.3     unknown  United States  36459  GITHUBUS              false
107.175.144.243  unknown  United States  36352  AS-COLOCROSSINGUS     true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
pluginserver.duckdns.org 23.239.31.129 true
sonatype.map.fastly.net 199.232.192.209 true
github.com 140.82.121.3 true
strizzz100.duckdns.org 107.175.144.243 true
github-releases.githubusercontent.com 185.199.108.154 true
pastebin.com 104.23.99.190 true
str-master.pw unknown unknown
repo1.maven.org unknown unknown
jbfrost.live unknown unknown
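The contact lists mix the C2 infrastructure (two duckdns.org names, both resolving to IPs the report marks malicious, reached on ports 1071 and 4040) with hosts the JVM contacts to fetch the sample's Java dependencies (repo1.maven.org and its Fastly front, github.com and its release CDN) and a paste service. Blocking everything in the table would break legitimate Java software on the network. The script below is an added example, not part of the report, that parses contact entries in the behaviour graph's "host ip, port, port" layout and sorts them into block candidates and dependency traffic. The entries are taken from the graph above (the pastebin line is constructed without a port, since the report gives none). Assumptions: the dynamic-DNS suffix list, the dependency-infrastructure list, and treating ports at or above 49152 as the sandbox's own source ports, which is how 49718, 49719 and 49721 appear next to 443 in the graph.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed from the behaviour graph entries above; pastebin.com carries no port in the report.
GRAPH_ENTRIES = [
    "strizzz100.duckdns.org 107.175.144.243, 1071, 4040",
    "pluginserver.duckdns.org 23.239.31.129, 54557",
    "sonatype.map.fastly.net 199.232.192.209, 443, 49718, 49719",
    "github.com 140.82.121.3, 443, 49721",
    "pastebin.com 104.23.99.190",
]

# Assumption: suffixes of free dynamic-DNS providers; duckdns.org is the one this sample uses.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net", "hopto.org", "zapto.org")
# Assumption: hosts the JVM contacts to download Maven artifacts; blocking them breaks real Java software.
DEPENDENCY_INFRA = ("repo1.maven.org", "sonatype.map.fastly.net", "github.com", "github-releases.githubusercontent.com")
PASTE_SERVICES = ("pastebin.com",)
WEB_PORTS = {80, 443}
EPHEMERAL_MIN = 49152  # assumption: ports in the IANA dynamic range are the sandbox's source ports

ENTRY_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<ports>(?:,\s*\d+)*)")


@dataclass
class Contact:
    host: str
    ip: str
    ports: list = field(default_factory=list)  # destination ports only
    category: str = ""
    block: bool = False


def parse_entry(text):
    """Parse 'host ip[, port, ...]' and drop the ephemeral (source-side) ports."""
    m = ENTRY_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised contact entry: {text!r}")
    ipaddress.ip_address(m.group("ip"))  # rejects out-of-range octets
    ports = [int(p) for p in re.findall(r"\d+", m.group("ports"))]
    return Contact(m.group("host").lower(), m.group("ip"), [p for p in ports if p < EPHEMERAL_MIN])


def _has_suffix(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(c):
    nonstandard = [p for p in c.ports if p not in WEB_PORTS]
    if _has_suffix(c.host, DYNAMIC_DNS_SUFFIXES):
        c.category, c.block = "c2_dynamic_dns", True
    elif _has_suffix(c.host, DEPENDENCY_INFRA):
        c.category, c.block = "dependency_fetch", False
    elif _has_suffix(c.host, PASTE_SERVICES):
        c.category, c.block = "paste_service", False  # block the specific URL, not the host
    elif nonstandard:
        c.category, c.block = "unknown_nonstandard_port", True
    else:
        c.category, c.block = "review", False
    return c


def triage(entries):
    return [classify(parse_entry(e)) for e in entries]


def blocklist(contacts):
    """Hostnames and IPs to block, sorted; dependency and paste hosts are deliberately excluded."""
    return sorted({c.ip for c in contacts if c.block} | {c.host for c in contacts if c.block})


if __name__ == "__main__":
    contacts = triage(GRAPH_ENTRIES)
    for c in contacts:
        print(f"{c.host:40} {c.ip:16} ports={c.ports} {c.category} block={c.block}")
    print("blocklist:", blocklist(contacts))
```

Note that pluginserver.duckdns.org ends up with no destination port at all: the only port the graph records for it (54557) is in the dynamic range, so the real C2 port for that host is not recoverable from this report and the block decision rests on the dynamic-DNS name alone.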