| VTI Score | 94 / 100 |
|---|---|
| VTI Database Version | 2.3 |
| VTI Rule Match Count | 32 |
| VTI Rule Type | Default (PE, ...) |
| Category | Rule | Evidence |
|---|---|---|
| Anti Analysis | Dynamic API usage | Resolves more than 50 APIs. |
| Anti Analysis | Delay execution | One thread sleeps more than 5 minutes. |
| Browser | Change security-related browser settings | Disables the signature check for executables downloaded by Microsoft Internet Explorer. |
| Injection | Write into memory of another process | "c:\windows\system32\regsvr32.exe" modifies memory of "c:\windows\explorer.exe" |
| Injection | Modify control flow of another process | "c:\windows\system32\regsvr32.exe" creates thread in "c:\windows\explorer.exe" |
| Network | Perform DNS request | Resolve "N3EErvtwsM". |
| Network | Perform DNS request | Resolve "adom2.com.br". |
| Network | Perform DNS request | Resolve "carvas32ltda.com". |
| Network | Perform DNS request | Resolve "carva32ssa.com". |
| Network | Perform DNS request | Resolve "bandeivacomercial.com". |
| Network | Perform DNS request | Resolve "bandeivacomercio.com". |
| Network | Connect to remote host | Outgoing TCP connection to host "None:80". |
| Network | Connect to remote host | Outgoing TCP connection to host "187.191.100.112:80". |
| Network | Download data | Url "http://None/nosoanfhtympkl50tre/ljk32g1.txt". |
| Network | Download data | Url "http://None/nosoanfhtympkl50tre/ljk32g2.txt". |
| Network | Download data | Url "http://None/nosoanfhtympkl50tre/ljk32g4.txt". |
| Network | Download data | Url "http://127.0.0.1/nosoanfhtympkl50tre/infx/s1/conta.php?chave=s3n4&url=N3EERVTWSM%20*%20%2032%20bits%20*%202626.5%20kb%20*%20%20*%20English%20(United%20States)". |
| Network | Connect to HTTP server | Remote address "None". |
| Network | Connect to HTTP server | Remote address "127.0.0.1". |
| OS | Modify system security configuration | Disables UAC notification. |
| OS | Modify system security configuration | Disables Windows Security Center antivirus notification. |
| OS | Modify system security configuration | Disables Windows Security Center warning about disabled system updates. |
| OS | Disable crucial system service | Disables "Windows Defender Service" by ChangeServiceConfigW. |
| PE | Drop PE file | Drop file "c:\users\public\n3eg\ljkg4". |
| PE | Drop PE file | Drop file "c:\users\public\n3eg\ljkg2". |
| Persistence | Install system startup script or application | Add "regsvr32.exe /s "C:\Users\Public\N3Eg\N3Eg2.51N3E" #96" to Windows startup via registry. |
| Process | Create process with hidden window | The process "regsvr32.exe \s \"C:\Users\Public\N3Eg\N3Eg2.51N3E\" #96" starts with hidden window. |
| Process | Create process with hidden window | The process "cmd /k "C:\Users\Public\N3Eg\N3E.vbs"" starts with hidden window. |
| Process | Create process with hidden window | The process "sc" starts with hidden window. |
| Process | Create process with hidden window | The process "net" starts with hidden window. |
| Process | Create process with hidden window | The process "cmd" starts with hidden window. |
| Process | Allocate a page with write and execute permissions | Allocates a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. |
No rule matches in the remaining categories: Device, File System, Hide Tracks, Information Stealing, Kernel, Masquerade, VBA Macro, YARA.