| VTI Summary | |
|---|---|
| VTI Score | 94 / 100 |
| VTI Database Version | 2.3 |
| VTI Rule Match Count | 32 |
| VTI Rule Type | Default (PE, ...) |
| Category | Operation | Details |
|---|---|---|
| Browser | Change security related browser settings | Disable signature check for executables downloaded by Microsoft Internet Explorer. |
| OS | Modify system security configuration | Disable UAC notification. |
| | | Disable Windows Security Center antivirus notification. |
| | | Disable Windows Security Center warning about disabled system updates. |
| OS | Disable crucial system service | Disable "Windows Defender Service" by ChangeServiceConfigW. |
| Injection | Write into memory of another process | "c:\windows\system32\regsvr32.exe" modifies memory of "c:\windows\explorer.exe" |
| Injection | Modify control flow of another process | "c:\windows\system32\regsvr32.exe" creates thread in "c:\windows\explorer.exe" |
| Network | Perform DNS request | Resolve "N3EErvtwsM". |
| | | Resolve "adom2.com.br". |
| | | Resolve "carvas32ltda.com". |
| | | Resolve "carva32ssa.com". |
| | | Resolve "bandeivacomercial.com". |
| | | Resolve "bandeivacomercio.com". |
| Process | Create process with hidden window | The process "regsvr32.exe \s \"C:\Users\Public\N3Eg\N3Eg2.51N3E\" #96" starts with hidden window. |
| | | The process "cmd /k "C:\Users\Public\N3Eg\N3E.vbs"" starts with hidden window. |
| | | The process "sc" starts with hidden window. |
| | | The process "net" starts with hidden window. |
| | | The process "cmd" starts with hidden window. |
| Anti Analysis | Dynamic API usage | Resolve more than 50 APIs. |
| Process | Allocate a page with write and execute permissions | Allocate a page with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code. |
| Anti Analysis | Delay execution | One thread sleeps more than 5 minutes. |
| Persistence | Install system startup script or application | Add "regsvr32.exe /s "C:\Users\Public\N3Eg\N3Eg2.51N3E" #96" to Windows startup via registry. |
| Network | Connect to remote host | Outgoing TCP connection to host "None:80". |
| | | Outgoing TCP connection to host "187.191.100.112:80". |
| Network | Download data | Url "http://None/nosoanfhtympkl50tre/ljk32g1.txt". |
| | | Url "http://None/nosoanfhtympkl50tre/ljk32g2.txt". |
| | | Url "http://None/nosoanfhtympkl50tre/ljk32g4.txt". |
| | | Url "http://127.0.0.1/nosoanfhtympkl50tre/infx/s1/conta.php?chave=s3n4&url=N3EERVTWSM%20*%20%2032%20bits%20*%202626.5%20kb%20*%20%20*%20English%20(United%20States)". |
| Network | Connect to HTTP server | Remote address "None". |
| | | Remote address "127.0.0.1". |
| PE | Drop PE file | Drop file "c:\users\public\n3eg\ljkg4". |
| | | Drop file "c:\users\public\n3eg\ljkg2". |