analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.thekeyfurniture.com/admin/view/Remittance.jar

Full analysis: https://app.any.run/tasks/a1f69d35-527f-4cd2-88e1-14e4ee9c7cf5
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: June 19, 2019, 15:27:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
qrat
Indicators:
MD5:

06086B6D897B980BDD011D9AD4A36218

SHA1:

E2AF423846943439B714A6703584A2A4EDB60EB5

SHA256:

1BA008138586BFBC97A2C3FA030EDADA97796FB33EDAAE385BD157847E4C0762

SSDEEP:

3:N1KJS4UOAyx1Liz+lZXAXn:Cc4XP1LiK/y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to CnC server

      • javaw.exe (PID: 1640)

    • QRAT was detected

      • javaw.exe (PID: 1640)

  • SUSPICIOUS

    • Executes JAVA applets

      • iexplore.exe (PID: 284)

    • Creates files in the user directory

      • javaw.exe (PID: 1640)

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 2956)

    • Application launched itself

      • iexplore.exe (PID: 284)

    • Creates files in the user directory

      • iexplore.exe (PID: 2956)

    • Changes internet zones settings

      • iexplore.exe (PID: 284)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2956)
      • iexplore.exe (PID: 284)

    • Changes settings of System certificates

      • iexplore.exe (PID: 284)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 284)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe #QRAT javaw.exe

Process information

PID
CMD
Path
Indicators
Parent process
284"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2956"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:284 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1640"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EHWFEJHO\Remittance[1].jar" C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
iexplore.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
Total events
864
Read events
761
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
122
Text files
34
Unknown types
10

Dropped files

PID
Process
Filename
Type
284iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
284iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:054084B66DD3AF323382362851B3D9D5
SHA256:4147FA71042CDB71B9DE5AD948CF78745129846B0AECE4D7445CA5B49523D8E4
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DATsmt
MD5:5B62C13D97D3E9A8A72D46CA5136DCAB
SHA256:4F053C5055E702BB748E9931D4931CC3474C241F98C488FD3D9F49D2B0DDB238
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EHWFEJHO\Remittance[1].jarjava
MD5:09A2306F132902A89EE488EB7427983B
SHA256:9ACCB579478185BBA5F43C848B842EABF26FB6FF64EB1E95F6EEEF47C468BBFA
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WEWEIFSS\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WEWEIFSS\favcenter[1]image
MD5:25D76EE5FB5B890F2CC022D94A42FE19
SHA256:07D07A467E4988D3C377ACD6DC9E53ABCA6B64E8FBF70F6BE19D795A1619289B
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KVZCU0O8\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
284iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].pngimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
49
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2956
iexplore.exe
GET
200
103.129.15.52:80
http://www.thekeyfurniture.com/admin/view/
unknown
unknown
284
iexplore.exe
GET
404
103.129.15.52:80
http://www.thekeyfurniture.com/favicon.ico
unknown
html
204 b
unknown
2956
iexplore.exe
GET
200
103.129.15.52:80
http://thekeyfurniture.com/admin/view/stylesheet/bootstrap.css
unknown
text
21.8 Kb
unknown
2956
iexplore.exe
GET
200
103.129.15.52:80
http://thekeyfurniture.com/admin/view/javascript/jquery/jquery-2.1.1.min.js
unknown
text
28.8 Kb
unknown
284
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2956
iexplore.exe
GET
200
103.129.15.52:80
http://www.thekeyfurniture.com/admin/
unknown
html
1.07 Kb
unknown
2956
iexplore.exe
GET
200
103.129.15.52:80
http://www.thekeyfurniture.com/admin/view/Remittance.jar
unknown
java
456 Kb
unknown
2956
iexplore.exe
GET
200
103.129.15.52:80
http://thekeyfurniture.com/admin/view/javascript/jquery/datetimepicker/bootstrap-datetimepicker.min.js
unknown
text
9.71 Kb
unknown
2956
iexplore.exe
GET
200
103.129.15.52:80
http://thekeyfurniture.com/admin/view/stylesheet/stylesheet.css
unknown
text
3.91 Kb
unknown
2956
iexplore.exe
GET
200
103.129.15.52:80
http://thekeyfurniture.com/admin/view/javascript/jquery/datetimepicker/moment/moment.min.js
unknown
text
16.6 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
284
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
284
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2956
iexplore.exe
103.129.15.52:80
www.thekeyfurniture.com
unknown
1640
javaw.exe
192.34.109.185:5002
Wowrack.com
US
malicious
284
iexplore.exe
103.129.15.52:80
www.thekeyfurniture.com
unknown
2956
iexplore.exe
172.217.21.202:80
fonts.googleapis.com
Google Inc.
US
whitelisted
2956
iexplore.exe
172.217.21.195:80
fonts.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
www.thekeyfurniture.com
  • 103.129.15.52
unknown
dns.msftncsi.com
  • 131.107.255.255
shared
thekeyfurniture.com
  • 103.129.15.52
unknown
fonts.googleapis.com
  • 172.217.21.202
whitelisted
fonts.gstatic.com
  • 172.217.21.195
whitelisted

Threats

PID
Process
Class
Message
1640
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] QRAT Checkin
1640
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] QRAT Checkin
1640
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] QRAT Checkin
1640
javaw.exe
A Network Trojan was detected
ET TROJAN Java/QRat Variant Checkin
1640
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] QRAT Checkin
1640
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] QRat.Java.RAT (command_start)
1640
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] QRat.Java.RAT (state_alive)
1640
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] QRAT Checkin
1640
javaw.exe
A Network Trojan was detected
ET TROJAN QRat.Java.RAT Checkin Response
1640
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] QRat.Java.RAT (command_start)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.thekeyfurniture.com/admin/view/Remittance.jar