Property | Value |
---|---|
Download | remittance_advice_20191404.jar |
Full analysis | https://app.any.run/tasks/9871b120-3907-4b04-9d8f-8b378d3528fe |
Verdict | Malicious activity |
Analysis date | April 15, 2019, 07:30:45 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/java-archive |
File info | Java archive data (JAR) |
MD5 | AE72057FC68BEFA6BB1E9179A974E2E8 |
SHA1 | AF856CA5FD33A5E654872A6EEE9BA01001F26693 |
SHA256 | A48D23BD01607165B03E972725C911A9DB37124C0B1AF97697C0CF4DDCB30507 |
SSDEEP | 3072:dbEnWUmuTBBN1cOOUs20ro064kRftTQxSg8o79WZU5z2zuEWRgABtUbiyPMidfUS:6IOcOE8xMSg9dzoWR/SkiJUOMp3lQ |
Archive info | Value |
---|---|
Extension | .zip |
File type | ZIP compressed archive (100) |
ZipFileName | META-INF/MANIFEST.MF |
ZipUncompressedSize | 56 |
ZipCompressedSize | 58 |
ZipCRC | 0xf5d282b0 |
ZipModifyDate | 2019:04:14 21:10:14 |
ZipCompression | Deflated |
ZipBitFlag | 0x0808 |
ZipRequiredVersion | 20 |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2356 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\remittance_advice_20191404.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | | explorer.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14 |
2904 | C:\Users\admin\AppData\Local\Temp\7z_11331754897057530301514617009913.exe x C:\Users\admin\AppData\Local\Temp\_1133099391854698080139060709317.tmp -oC:\Users\admin\AppData\Local\Temp -p"bbb6fec5ebef0d936db0b031b7ab19b6" -mmt -aoa -y | C:\Users\admin\AppData\Local\Temp\7z_11331754897057530301514617009913.exe | | javaw.exe | User: admin; Company: Igor Pavlov; Integrity Level: MEDIUM; Description: 7-Zip Standalone Console; Exit code: 0; Version: 17.00 beta |
2176 | C:\Users\admin\AppData\Local\Temp\qealler\python\python.exe C:\Users\admin\AppData\Local\Temp\qealler\qazaqne\main.py all | C:\Users\admin\AppData\Local\Temp\qealler\python\python.exe | — | javaw.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
4052 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | | explorer.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 65.0.2 |
3856 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.0.11882242\1901447722" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 1116 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 1; Version: 65.0.2 |
3572 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.6.42742099\49765167" -childID 1 -isForBrowser -prefsHandle 1696 -prefMapHandle 792 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 1768 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 65.0.2 |
304 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.13.648372817\2047932424" -childID 2 -isForBrowser -prefsHandle 2544 -prefMapHandle 2548 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 2560 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 65.0.2 |
2816 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4052.20.1034260280\2096637558" -childID 3 -isForBrowser -prefsHandle 3408 -prefMapHandle 3324 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 4052 "\\.\pipe\gecko-crash-server-pipe.4052" 3280 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 65.0.2 |
3136 | "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/0bb5a3d2-54e4-4f14-9ba4-d696bfcc3892/health/Firefox/65.0.2/release/20190225143501?v=4 C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\saved-telemetry-pings\0bb5a3d2-54e4-4f14-9ba4-d696bfcc3892 | C:\Program Files\Mozilla Firefox\pingsender.exe | | firefox.exe | User: admin; Company: Mozilla Foundation; Integrity Level: MEDIUM; Exit code: 0; Version: 65.0.2 |
776 | "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/226e7269-7609-4c2e-9194-4aba5d95d94c/main/Firefox/65.0.2/release/20190225143501?v=4 C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\saved-telemetry-pings\226e7269-7609-4c2e-9194-4aba5d95d94c | C:\Program Files\Mozilla Firefox\pingsender.exe | | firefox.exe | User: admin; Company: Mozilla Foundation; Integrity Level: MEDIUM; Exit code: 0; Version: 65.0.2 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2904 | 7z_11331754897057530301514617009913.exe | C:\Users\admin\AppData\Local\Temp\qealler\python\Lib\atexit.pyc | pyc | CAE911E8D78BA1549CBB768EE5E14CF3 | 5751159915C8BEE646EFFFCDD901C33CE50FD873E267B43139D01083B81B9177 |
2356 | javaw.exe | C:\Users\admin\AppData\Local\Temp\7z_11331983994695424439697458640366.dll | executable | 2B2EFB5868AF4C7B5A6B869B9750F98A | A7AFD601C41DC6BB99F4197DB7165CE417606D22AD226102FBDEF8911121BA54 |
2904 | 7z_11331754897057530301514617009913.exe | C:\Users\admin\AppData\Local\Temp\qealler\python\Lib\codecs.pyc | pyc | F14AC9D275F386F72C6CB413EFB32980 | B573FC673F220FE3B662CF1F5F8B6151A038B7862C72CEBBAE70CAC4E3CCD05A |
2904 | 7z_11331754897057530301514617009913.exe | C:\Users\admin\AppData\Local\Temp\qealler\python\DLLs\pyexpat.pyd | executable | 940D1D3D3895AE007016D7887337035C | 4489813EF3F940BCE2E61C5273F15887C91BF1AC06B084DDEE77A00AF87D4A52 |
2904 | 7z_11331754897057530301514617009913.exe | C:\Users\admin\AppData\Local\Temp\qealler\python\Lib\argparse.pyc | pyc | 2BE70A25952450815D77A31C09E07F24 | 10DF944EF5CF250A7D8AFB7BB3661F6772AC346413EB821C6FC4DB40BFE38B73 |
2356 | javaw.exe | C:\Users\admin\AppData\Local\Temp\7z_1133140586707333772714967105202.dll | executable | F67F96DB0D08042F46E6680C1BE31005 | 7702FD23EFDE79E4BCF5423630876A758F15FAA38E5DF0A4434A65507A8FC792 |
2904 | 7z_11331754897057530301514617009913.exe | C:\Users\admin\AppData\Local\Temp\qealler\python\DLLs\_elementtree.pyd | executable | F7C3200B4397F12B9542700B3726E492 | 8B8B28B5C7484546968A0D7D07B5FB29E7561CE7B24FCFABFD34445B5F71925D |
2356 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 6953A8AE364FA6D89A105E52EF730AF0 | 94DB235B412843045100B316D860019D2E02A737FE45E92BF4788E29D8ABFFA5 |
2904 | 7z_11331754897057530301514617009913.exe | C:\Users\admin\AppData\Local\Temp\qealler\python\DLLs\_ctypes.pyd | executable | F349E203AAFEE9AC4F6F96A41E5C1B25 | F46948239F0C3B64C1E93E5E1E9ABA08B84B87181A685B873C79553382278F46 |
2904 | 7z_11331754897057530301514617009913.exe | C:\Users\admin\AppData\Local\Temp\qealler\python\Lib\abc.pyc | pyc | 8E42F2E69AC98272A8FB4C6263EC38DB | 15591F8BCFC4E50E7DA8658CD5B83EB0881B32235E83CEE5197A0ECC446F16C8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4052 | firefox.exe | GET | 404 | 27.254.66.193:80 | http://skinnovatelab.com/favicon.ico | TH | html | 397 b | unknown |
2356 | javaw.exe | GET | 200 | 188.166.150.227:8104 | http://188.166.150.227:8104/lib/7z | GB | java | 576 Kb | suspicious |
3240 | chrome.exe | GET | 302 | 172.217.16.174:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 502 b | whitelisted |
2356 | javaw.exe | GET | 200 | 188.166.150.227:8929 | http://188.166.150.227:8929/lib/qealler | GB | compressed | 1.84 Mb | suspicious |
4052 | firefox.exe | GET | 200 | 27.254.66.193:80 | http://skinnovatelab.com/master/backup/upload/.thumbs/remittance_advice_20191404.jar | TH | java | 201 Kb | unknown |
4052 | firefox.exe | POST | 200 | 172.217.18.3:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
4052 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3240 | chrome.exe | GET | 200 | 217.146.165.206:80 | http://r3---sn-oun-1gie.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=136.0.0.156&mm=28&mn=sn-oun-1gie&ms=nvh&mt=1555312484&mv=u&pl=25&shardbypass=yes | CH | crx | 842 Kb | whitelisted |
2356 | javaw.exe | POST | 200 | 188.166.150.227:8084 | http://188.166.150.227:8084/qealler-reloaded/ping | GB | text | 108 b | suspicious |
4052 | firefox.exe | GET | 200 | 173.223.11.150:80 | http://detectportal.firefox.com/success.txt | NL | text | 8 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4052 | firefox.exe | 172.217.18.3:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2356 | javaw.exe | 188.166.150.227:8104 | — | Digital Ocean, Inc. | GB | suspicious |
4052 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
4052 | firefox.exe | 173.223.11.150:80 | detectportal.firefox.com | Akamai International B.V. | NL | whitelisted |
2356 | javaw.exe | 188.166.150.227:8084 | — | Digital Ocean, Inc. | GB | suspicious |
4052 | firefox.exe | 35.166.112.39:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
4052 | firefox.exe | 216.58.207.74:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
4052 | firefox.exe | 52.222.159.39:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
4052 | firefox.exe | 27.254.66.193:80 | skinnovatelab.com | CS LOXINFO Public Company Limited. | TH | unknown |
4052 | firefox.exe | 54.186.120.41:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com | | whitelisted |
a1089.dscd.akamai.net | | whitelisted |
search.services.mozilla.com | | whitelisted |
search.r53-2.services.mozilla.com | | whitelisted |
tiles.services.mozilla.com | | whitelisted |
tiles.r53-2.services.mozilla.com | | whitelisted |
snippets.cdn.mozilla.net | | whitelisted |
ocsp.digicert.com | | whitelisted |
cs9.wac.phicdn.net | | whitelisted |
drcwo519tnci7.cloudfront.net | | shared |
PID | Process | Class | Message |
---|---|---|---|
2356 | javaw.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download |
2356 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Qealler.Java.Rat HTTP header |
4052 | firefox.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |