{
	"id": "20997530-40b8-44d9-8d93-0515f4f1178b",
	"created_at": "2026-04-06T00:07:18.409277Z",
	"updated_at": "2026-04-10T13:12:25.960733Z",
	"deleted_at": null,
	"sha1_hash": "93c05de53617c3356e114ce14b003df7b41846b1",
	"title": "Malware-Traffic-Analysis.net - 2017-07-04 - Java-based RAT infection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3107611,
	"plain_text": "Malware-Traffic-Analysis.net - 2017-07-04 - Java-based RAT infection\r\nArchived: 2026-04-05 16:41:27 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\n2017-07-04-Java-based-RAT-email-and-malware.zip   1.5 MB (1,506,906 bytes)\r\n2017-07-04-malspam-0433-UTC.eml   (946,555 bytes)\r\nINVOICE LIST.jar   (578,829 bytes)\r\n_0.325390945828089142947081810060995233.class   (247,088 bytes)\r\nEMAIL\r\nSCREENSHOT:\r\nhttp://malware-traffic-analysis.net/2017/07/04/index.html\r\nPage 1 of 5\r\nShown above:  Screenshot of the email.\r\nEMAIL HEADER INFO:\r\nReceived: from [162.144.89[.]147] ([162.144.89[.]147:36560] helo=server.joshmachines[.]com)\r\n        by [removed] (envelope-from \u003csales@foodtech[.]ae\u003e)\r\n        [removed]; Tue, 04 Jul 2017 01:42:30 -0400\r\nReceived: from [127.0.0.1] (port=45926 helo=harshangzaveri[.]com)\r\n        by server.joshmachines[.]com with esmtpa (Exim 4.89)\r\n        (envelope-from \u003csales@foodtech[.]ae\u003e)\r\n        id 1dSFWO-0008CV-Tu; Tue, 04 Jul 2017 04:33:09 +0000\r\nMIME-Version: 1.0\r\nDate: Tue, 04 Jul 2017 04:33:08 +0000\r\nFrom: Sales \u003csales@foodtech[.]ae\u003e\r\nTo: undisclosed-recipients:;\r\nSubject: Unpaid Invoice List\r\nReply-To: sales@foodtech[.]ae\r\nMail-Reply-To: sales@foodtech[.]ae\r\nMessage-ID: \u003ca01dfe55b97e7efd3c75d28a9286ec40@foodtech[.]ae\u003e\r\nX-Sender: sales@foodtech[.]ae\r\nUser-Agent: Roundcube Webmail/1.2.4\r\nAttachment: INVOICE LIST.jar\r\nTRAFFIC\r\nShown above:  Traffic from an infection filtered in Wireshark.\r\nPOST-INFECTION TRAFFIC:\r\n191.101.22[.]49 port 3020 - attempted TCP connections, but RST from the server.\r\nFILE HASHES\r\nEMAIL ATTACHMENT:\r\nSHA256 hash:  9863c850c213dee716dc5954bb0f28a1c480cf0435e93110824cb083fd4bdda5\r\nFile name:  INVOICE LIST.jar\r\nFile size:  578,829 bytes\r\nARTIFACT FOUND IN USER'S APPDATA\\LOCAL\\TEMP DIRECTORY:\r\nSHA256 hash:  97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9\r\nFile name:  _0.325390945828089142947081810060995233.class\r\nFile size:  247,088 bytes\r\nIMAGES\r\nShown above:  Contents of the email attachment.\r\nShown above:  Windows registry change to make the malware persistent after a reboot.\r\nShown above:  Two .class files with the same file hash found in the user's AppData\\Local\\Temp directory after this infection.\r\nSource: http://malware-traffic-analysis.net/2017/07/04/index.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://malware-traffic-analysis.net/2017/07/04/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/93c05de53617c3356e114ce14b003df7b41846b1.pdf",
		"text": "https://archive.orkl.eu/93c05de53617c3356e114ce14b003df7b41846b1.txt",
		"img": "https://archive.orkl.eu/93c05de53617c3356e114ce14b003df7b41846b1.jpg"
	}
}