File name: | POS TRANSACTIONS.rar |
Full analysis: | https://app.any.run/tasks/aa9bea59-706b-4bc7-a131-fcda27644410 |
Verdict: | Malicious activity |
Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
Analysis date: | September 30, 2020, 14:17:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 0F707549B533620FE62924EB4C85C295 |
SHA1: | 637A45AFF571E6A43A1B59E6436ACC5725C5B1F3 |
SHA256: | 307F337CE37A115A84A7776E37FB17C54D6F666DA086AB78FB3B287E63B5E36A |
SSDEEP: | 3072:h7TR2eDpOYcDi+5bcdNhCr4AvaWJyX4RsMUJaz/2:v2eBcDiwY7rMaWJwqYJE/2 |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2448 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\POS TRANSACTIONS.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2744 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2448.32123\Password.vbs" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
588 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\HVslvVbUyp.vbs" | C:\Windows\System32\WScript.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
3184 | "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version 2> C:\Users\admin\AppData\Local\Temp\output.txt | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1272 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -version | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | cmd.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
2828 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | WScript.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
1692 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar "C:\Users\admin\ntfsmgr.jar" | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | javaw.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
2980 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar "C:\Users\admin\AppData\Roaming\ntfsmgr.jar" | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | java.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14 | ||||
2288 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar "C:\Users\admin\AppData\Roaming\plugins.jar" mp | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | java.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2828 | javaw.exe | C:\Users\admin\lib\jna-5.5.0.jard | — | |
MD5:— | SHA256:— | |||
2828 | javaw.exe | C:\Users\admin\lib\jna-platform-5.5.0.jard | — | |
MD5:— | SHA256:— | |||
2828 | javaw.exe | C:\Users\admin\lib\system-hook-3.5.jard | — | |
MD5:— | SHA256:— | |||
2828 | javaw.exe | C:\Users\admin\lib\sqlite-jdbc-3.14.2.1.jard | — | |
MD5:— | SHA256:— | |||
1272 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:033B497A5E9CDE9D7091CE3DAE2F76A6 | SHA256:A36CCFD9FDC4AE81F0238D7B0CDD21E658F0F4FE72B971D7C656BFD266C6F51B | |||
2828 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:033B497A5E9CDE9D7091CE3DAE2F76A6 | SHA256:A36CCFD9FDC4AE81F0238D7B0CDD21E658F0F4FE72B971D7C656BFD266C6F51B | |||
2744 | WScript.exe | C:\Users\admin\AppData\Roaming\HVslvVbUyp.vbs | text | |
MD5:D769C94BE9B23794593EF1E3844F7779 | SHA256:420BC79772CA0219E745C1FBCBB9F63063040098A9ECD95BED39014EAABDE255 | |||
588 | WScript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HVslvVbUyp.vbs | text | |
MD5:D769C94BE9B23794593EF1E3844F7779 | SHA256:420BC79772CA0219E745C1FBCBB9F63063040098A9ECD95BED39014EAABDE255 | |||
1692 | java.exe | C:\Users\admin\AppData\Roaming\ntfsmgr.jar | compressed | |
MD5:0E8FC5379ECB582702C2D89AD1C6249E | SHA256:221CE9C6B561182EF3757F3B23C6AFDA83815361C45F832230E4EC1E562CFEE2 | |||
1692 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:53D0E63D20B6B8EAC35D4F64643B72DB | SHA256:1884E73A56F0EF596F9040A88484DF894B1ADBE5BE91F568E77CF916708CC79E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
588 | WScript.exe | POST | — | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | — | — | malicious |
588 | WScript.exe | POST | — | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | — | — | malicious |
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious |
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious |
2288 | java.exe | GET | 404 | 198.54.117.197:80 | http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5 | US | html | 150 b | malicious |
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious |
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious |
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious |
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious |
588 | WScript.exe | POST | 200 | 69.65.7.138:6677 | http://gameserver-789.duia.ro:6677/is-ready | US | text | 12 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2288 | java.exe | 198.54.117.197:80 | jbfrost.live | Namecheap, Inc. | US | malicious |
588 | WScript.exe | 69.65.7.138:6677 | gameserver-789.duia.ro | GigeNET | US | malicious |
2828 | javaw.exe | 199.232.192.209:443 | repo1.maven.org | — | US | suspicious |
2828 | javaw.exe | 52.216.113.91:443 | github-production-release-asset-2e65be.s3.amazonaws.com | Amazon.com, Inc. | US | unknown |
2828 | javaw.exe | 140.82.121.4:443 | github.com | — | US | malicious |
2288 | java.exe | 104.23.98.190:443 | pastebin.com | Cloudflare Inc | US | malicious |
2980 | java.exe | 79.134.225.70:47580 | deaphnote.ddns.net | Andreas Fink trading as Fink Telecom Services | CH | malicious |
2288 | java.exe | 23.239.31.129:54557 | pluginserver.duckdns.org | Linode, LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
gameserver-789.duia.ro |
| unknown |
repo1.maven.org |
| whitelisted |
github.com |
| shared |
github-production-release-asset-2e65be.s3.amazonaws.com |
| shared |
str-master.pw |
| malicious |
jbfrost.live |
| malicious |
pastebin.com |
| shared |
deaphnote.ddns.net |
| unknown |
pluginserver.duckdns.org |
| unknown |
dns.msftncsi.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
588 | WScript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin |
588 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
588 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm |
588 | WScript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin |
588 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
588 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm |
588 | WScript.exe | A Network Trojan was detected | ET TROJAN WSHRAT CnC Checkin |
588 | WScript.exe | A Network Trojan was detected | ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm Checkin 1 |
588 | WScript.exe | A Network Trojan was detected | MALWARE [PTsecurity] KJw0rm/Dunihi.VBS.Worm |
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |