File name: POS TRANSACTIONS.rar

Full analysis: https://app.any.run/tasks/aa9bea59-706b-4bc7-a131-fcda27644410
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: September 30, 2020, 14:17:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, stealer, wshrat, strrat, rat

Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 0F707549B533620FE62924EB4C85C295
SHA1: 637A45AFF571E6A43A1B59E6436ACC5725C5B1F3
SHA256: 307F337CE37A115A84A7776E37FB17C54D6F666DA086AB78FB3B287E63B5E36A
SSDEEP: 3072:h7TR2eDpOYcDi+5bcdNhCr4AvaWJyX4RsMUJaz/2:v2eBcDiwY7rMaWJwqYJE/2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 2744)
      • WScript.exe (PID: 588)
      • java.exe (PID: 1692)
      • java.exe (PID: 2288)
    • Writes to a start menu file

      • WScript.exe (PID: 588)
      • java.exe (PID: 1692)
    • WSHRAT was detected

      • WScript.exe (PID: 588)
    • Connects to CnC server

      • WScript.exe (PID: 588)
      • java.exe (PID: 2288)
    • Loads dropped or rewritten executable

      • java.exe (PID: 1692)
      • java.exe (PID: 2980)
    • STRRAT was detected

      • java.exe (PID: 2288)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 2744)
    • Creates files in the user directory

      • WScript.exe (PID: 2744)
      • WScript.exe (PID: 588)
      • java.exe (PID: 1692)
      • javaw.exe (PID: 2828)
      • java.exe (PID: 2980)
    • Application launched itself

      • WScript.exe (PID: 2744)
      • java.exe (PID: 1692)
      • java.exe (PID: 2980)
    • Executes scripts

      • WScript.exe (PID: 2744)
      • WinRAR.exe (PID: 2448)
    • Executes JAVA applets

      • WScript.exe (PID: 2744)
      • cmd.exe (PID: 3184)
      • javaw.exe (PID: 2828)
      • java.exe (PID: 1692)
      • java.exe (PID: 2980)
    • Executable content was dropped or overwritten

      • java.exe (PID: 1692)
      • java.exe (PID: 2980)
      • java.exe (PID: 2288)
    • Reads Internet Cache Settings

      • WScript.exe (PID: 588)
  • INFO

    No info indicators.
No Malware configuration.

TRiD:
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 9
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Process chain shown in the graph: winrar.exe, wscript.exe, wscript.exe (#WSHRAT), cmd.exe, javaw.exe, javaw.exe, java.exe, java.exe, java.exe (#STRRAT). Per-process details are listed below.

Process information

PID 2448 | Parent process: explorer.exe
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\POS TRANSACTIONS.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Version: 5.60.0

PID 2744 | Parent process: WinRAR.exe
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2448.32123\Password.vbs"
Path: C:\Windows\System32\WScript.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft ® Windows Based Script Host | Exit code: 0 | Version: 5.8.7600.16385

PID 588 | Parent process: WScript.exe
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\HVslvVbUyp.vbs"
Path: C:\Windows\System32\WScript.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft ® Windows Based Script Host | Version: 5.8.7600.16385

PID 3184 | Parent process: WScript.exe
CMD: "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version 2> C:\Users\admin\AppData\Local\Temp\output.txt
Path: C:\Windows\System32\cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1272 | Parent process: cmd.exe
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
User: admin | Company: Oracle Corporation | Integrity Level: MEDIUM | Description: Java(TM) Platform SE binary | Exit code: 0 | Version: 8.0.920.14

PID 2828 | Parent process: WScript.exe
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
User: admin | Company: Oracle Corporation | Integrity Level: MEDIUM | Description: Java(TM) Platform SE binary | Exit code: 0 | Version: 8.0.920.14

PID 1692 | Parent process: javaw.exe
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar "C:\Users\admin\ntfsmgr.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\java.exe
User: admin | Company: Oracle Corporation | Integrity Level: MEDIUM | Description: Java(TM) Platform SE binary | Exit code: 0 | Version: 8.0.920.14

PID 2980 | Parent process: java.exe
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\java.exe
User: admin | Company: Oracle Corporation | Integrity Level: MEDIUM | Description: Java(TM) Platform SE binary | Version: 8.0.920.14

PID 2288 | Parent process: java.exe
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar "C:\Users\admin\AppData\Roaming\plugins.jar" mp
Path: C:\Program Files\Java\jre1.8.0_92\bin\java.exe
User: admin | Company: Oracle Corporation | Integrity Level: MEDIUM | Description: Java(TM) Platform SE binary | Version: 8.0.920.14
Total events: 1 096
Read events: 999
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 7
Suspicious files: 9
Text files: 10
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2828 | javaw.exe | C:\Users\admin\lib\jna-5.5.0.jar | d | (not listed) | (not listed)
2828 | javaw.exe | C:\Users\admin\lib\jna-platform-5.5.0.jar | d | (not listed) | (not listed)
2828 | javaw.exe | C:\Users\admin\lib\system-hook-3.5.jar | d | (not listed) | (not listed)
2828 | javaw.exe | C:\Users\admin\lib\sqlite-jdbc-3.14.2.1.jar | d | (not listed) | (not listed)
1272 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 033B497A5E9CDE9D7091CE3DAE2F76A6 | A36CCFD9FDC4AE81F0238D7B0CDD21E658F0F4FE72B971D7C656BFD266C6F51B
2828 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 033B497A5E9CDE9D7091CE3DAE2F76A6 | A36CCFD9FDC4AE81F0238D7B0CDD21E658F0F4FE72B971D7C656BFD266C6F51B
2744 | WScript.exe | C:\Users\admin\AppData\Roaming\HVslvVbUyp.vbs | text | D769C94BE9B23794593EF1E3844F7779 | 420BC79772CA0219E745C1FBCBB9F63063040098A9ECD95BED39014EAABDE255
588 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HVslvVbUyp.vbs | text | D769C94BE9B23794593EF1E3844F7779 | 420BC79772CA0219E745C1FBCBB9F63063040098A9ECD95BED39014EAABDE255
1692 | java.exe | C:\Users\admin\AppData\Roaming\ntfsmgr.jar | compressed | 0E8FC5379ECB582702C2D89AD1C6249E | 221CE9C6B561182EF3757F3B23C6AFDA83815361C45F832230E4EC1E562CFEE2
1692 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 53D0E63D20B6B8EAC35D4F64643B72DB | 1884E73A56F0EF596F9040A88484DF894B1ADBE5BE91F568E77CF916708CC79E
HTTP(S) requests: 31
TCP/UDP connections: 73
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
588 | WScript.exe | POST | (none) | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | (none) | (none) | malicious
588 | WScript.exe | POST | (none) | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | (none) | (none) | malicious
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious
2288 | java.exe | GET | 404 | 198.54.117.197:80 | http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5 | US | html | 150 b | malicious
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2288 | java.exe | 198.54.117.197:80 | jbfrost.live | Namecheap, Inc. | US | malicious
588 | WScript.exe | 69.65.7.138:6677 | gameserver-789.duia.ro | GigeNET | US | malicious
2828 | javaw.exe | 199.232.192.209:443 | repo1.maven.org | (none) | US | suspicious
2828 | javaw.exe | 52.216.113.91:443 | github-production-release-asset-2e65be.s3.amazonaws.com | Amazon.com, Inc. | US | unknown
2828 | javaw.exe | 140.82.121.4:443 | github.com | (none) | US | malicious
2288 | java.exe | 104.23.98.190:443 | pastebin.com | Cloudflare Inc | US | malicious
2980 | java.exe | 79.134.225.70:47580 | deaphnote.ddns.net | Andreas Fink trading as Fink Telecom Services | CH | malicious
2288 | java.exe | 23.239.31.129:54557 | pluginserver.duckdns.org | Linode, LLC | US | malicious

DNS requests

Domain | IP | Reputation
gameserver-789.duia.ro | 69.65.7.138 | unknown
repo1.maven.org | 199.232.192.209, 199.232.196.209 | whitelisted
github.com | 140.82.121.4 | shared
github-production-release-asset-2e65be.s3.amazonaws.com | 52.216.113.91 | shared
str-master.pw | (none) | malicious
jbfrost.live | 198.54.117.197, 198.54.117.198, 198.54.117.199, 198.54.117.200 | malicious
pastebin.com | 104.23.98.190, 104.23.99.190 | shared
deaphnote.ddns.net | 79.134.225.70 | unknown
pluginserver.duckdns.org | 23.239.31.129 | unknown
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
588 | WScript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin
588 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
588 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
588 | WScript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin
588 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
588 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
588 | WScript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin
588 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
588 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm
(none) | (none) | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile
No debug info