analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

_advice_20191504.jar

Full analysis: https://app.any.run/tasks/48c4ec40-fbe4-40e0-ba2f-8ad81b422148
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: April 15, 2019, 07:36:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
qrat
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

D703AEA2EF26294E8B72708E2352F07D

SHA1:

0B1C075A8F57A3FA48E6C16B48B5D1FDC46E0E48

SHA256:

BC72349888A1AEE2B10741EA0F1C1494B88710642DA7E7485075258F461458D7

SSDEEP:

6144:Jn0nzBJydUqRJyZXjhbtA6Dfti23T+gvTeXsxNU:B2BqRJ2jhbDfIcVTIaNU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 404)
    • Connects to CnC server

      • java.exe (PID: 1520)
    • QRAT was detected

      • java.exe (PID: 1520)
    • Loads dropped or rewritten executable

      • python.exe (PID: 3492)
    • Application was dropped or rewritten from another process

      • python.exe (PID: 3492)
      • 7z_10842620807188444393095354490243.exe (PID: 2808)
  • SUSPICIOUS

    • Creates files in the user directory

      • javaw.exe (PID: 3012)
    • Application launched itself

      • javaw.exe (PID: 3012)
    • Executes JAVA applets

      • javaw.exe (PID: 3012)
      • javaw.exe (PID: 2880)
    • Uses REG.EXE to modify Windows registry

      • java.exe (PID: 1520)
    • Executable content was dropped or overwritten

      • javaw.exe (PID: 296)
      • 7z_10842620807188444393095354490243.exe (PID: 2808)
    • Loads Python modules

      • python.exe (PID: 3492)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • 7z_10842620807188444393095354490243.exe (PID: 2808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipFileName: META-INF/MANIFEST.MF
ZipUncompressedSize: 40
ZipCompressedSize: 42
ZipCRC: 0x2ed11cfb
ZipModifyDate: 2019:04:15 06:14:11
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
7
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start javaw.exe javaw.exe no specs javaw.exe #QRAT java.exe reg.exe 7z_10842620807188444393095354490243.exe python.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3012"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\_advice_20191504.jar"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
explorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
2880"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\asdqw148198239729315590002008.jar"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exejavaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
296"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\asdqw30357520362819184131Q1.jar"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
1520"C:\Program Files\Java\jre1.8.0_92\bin\java.exe" -jar C:\Users\admin\.8662562633053142852.jarC:\Program Files\Java\jre1.8.0_92\bin\java.exe
javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
404reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v J165806be06f:U61646d696e_s /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe\" -jar \"C:\Users\admin\.8662562633053142852.jar\""C:\Windows\system32\reg.exe
java.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2808C:\Users\admin\AppData\Local\Temp\7z_10842620807188444393095354490243.exe x C:\Users\admin\AppData\Local\Temp\_10842108715642530453717082380864.tmp -oC:\Users\admin\AppData\Local\Temp -p"bbb6fec5ebef0d936db0b031b7ab19b6" -mmt -aoa -yC:\Users\admin\AppData\Local\Temp\7z_10842620807188444393095354490243.exe
javaw.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Standalone Console
Exit code:
0
Version:
17.00 beta
3492C:\Users\admin\AppData\Local\Temp\qealler\python\python.exe C:\Users\admin\AppData\Local\Temp\qealler\qazaqne\main.py allC:\Users\admin\AppData\Local\Temp\qealler\python\python.exejavaw.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
41
Read events
40
Write events
1
Delete events
0

Modification events

(PID) Process:(404) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:J165806be06f:U61646d696e_s
Value:
"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\.8662562633053142852.jar"
Executable files
31
Suspicious files
38
Text files
6
Unknown types
366

Dropped files

PID
Process
Filename
Type
1520java.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:8BB78854FA08057E985D7AC15E9CF31D
SHA256:E55AFB1BB9DEEA8FAA47F83DDE8C2B11A42D175FA337465364A6CEAAAEA99D3D
2880javaw.exeC:\Users\admin\.8662562633053142852.jarcompressed
MD5:5C112F2DEBC05E98F0FAD1C532099243
SHA256:506CBCCD89B5A4743B174EE8AB4CD46CE7CF84627006D5F44F89A17D3C28D63D
3012javaw.exeC:\Users\admin\AppData\Local\Temp\asdqw148198239729315590002008.jarcompressed
MD5:5C112F2DEBC05E98F0FAD1C532099243
SHA256:506CBCCD89B5A4743B174EE8AB4CD46CE7CF84627006D5F44F89A17D3C28D63D
296javaw.exeC:\Users\admin\AppData\Local\Temp\7z_10842298671796964144326791361711.dllexecutable
MD5:F67F96DB0D08042F46E6680C1BE31005
SHA256:7702FD23EFDE79E4BCF5423630876A758F15FAA38E5DF0A4434A65507A8FC792
296javaw.exeC:\Users\admin\577cd1d5\bda431f8\a90f3bcc\83e7cdf9binary
MD5:10CDC8275784B2CF5940EAEA67F407E1
SHA256:35EAF9432003F37D8EAA0EC780B91DFAB74F2697376B062861A6057781CBDA10
28087z_10842620807188444393095354490243.exeC:\Users\admin\AppData\Local\Temp\qealler\python\DLLs\_ctypes.pydexecutable
MD5:F349E203AAFEE9AC4F6F96A41E5C1B25
SHA256:F46948239F0C3B64C1E93E5E1E9ABA08B84B87181A685B873C79553382278F46
3012javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:B1942D4D3EB754F25EE2DD979978A1F0
SHA256:499F19A41D0576A727E3F45D048407F3486805985591079B20C97AC09D6C9B91
296javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:A2AFD7CDEE4D4B23051BD35AC9E490A6
SHA256:F2BD0EF1FD59E96D15CD22D731CAF57B5B118A2380022FD442E8787F28445D94
2880javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:A2AFD7CDEE4D4B23051BD35AC9E490A6
SHA256:F2BD0EF1FD59E96D15CD22D731CAF57B5B118A2380022FD442E8787F28445D94
296javaw.exeC:\Users\admin\AppData\Local\Temp\7z_10842869053464145519860834327482.dllexecutable
MD5:2B2EFB5868AF4C7B5A6B869B9750F98A
SHA256:A7AFD601C41DC6BB99F4197DB7165CE417606D22AD226102FBDEF8911121BA54
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
12
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
296
javaw.exe
GET
200
188.166.150.227:8948
http://188.166.150.227:8948/lib/7z
GB
java
576 Kb
suspicious
296
javaw.exe
GET
200
188.166.150.227:8428
http://188.166.150.227:8428/lib/qealler
GB
compressed
1.84 Mb
suspicious
296
javaw.exe
POST
200
188.166.150.227:8906
http://188.166.150.227:8906/qealler-reloaded/ping
GB
text
108 b
suspicious
3012
javaw.exe
GET
200
151.101.120.209:80
http://central.maven.org/maven2/org/mozilla/rhino/1.7.7.2/rhino-1.7.7.2.jar
US
compressed
1.18 Mb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
296
javaw.exe
188.166.150.227:8428
Digital Ocean, Inc.
GB
suspicious
296
javaw.exe
188.166.150.227:8906
Digital Ocean, Inc.
GB
suspicious
296
javaw.exe
188.166.150.227:8948
Digital Ocean, Inc.
GB
suspicious
1520
java.exe
179.43.156.194:2008
Private Layer INC
CH
malicious
3012
javaw.exe
151.101.120.209:80
central.maven.org
Fastly
US
suspicious

DNS requests

Domain
IP
Reputation
central.maven.org
  • 151.101.120.209
whitelisted

Threats

PID
Process
Class
Message
3012
javaw.exe
A Network Trojan was detected
ET INFO JAVA - Java Archive Download
296
javaw.exe
A Network Trojan was detected
ET INFO JAVA - Java Archive Download
1520
java.exe
A Network Trojan was detected
ET TROJAN Java/QRat Variant Checkin
1520
java.exe
A Network Trojan was detected
ET TROJAN QRat.Java.RAT Post-Checkin Request
1520
java.exe
A Network Trojan was detected
MALWARE [PTsecurity] QRat.Java.RAT (command_start)
1520
java.exe
A Network Trojan was detected
MALWARE [PTsecurity] QRat.Java.RAT (command_start)
1520
java.exe
A Network Trojan was detected
MALWARE [PTsecurity] QRat.Java.RAT (command_start)
296
javaw.exe
A Network Trojan was detected
MALWARE [PTsecurity] Qealler.Java.Rat HTTP header
1520
java.exe
A Network Trojan was detected
MALWARE [PTsecurity] QRat.Java.RAT (command_start)
1520
java.exe
A Network Trojan was detected
ET TROJAN [PTsecurity] QRat.Java.RAT (state_alive)
No debug info