Report - www.java4less.com/barphp.zip

Report Overview

Submitted URL
www.java4less.com/barphp.zip
IP
212.224.76.71
ASN
#44066 firstcolo GmbH
Submitted
2024-04-20 08:42:03
Access
public
Website Title
about:privatebrowsing
Final URL
about:privatebrowsing
Tags
urlquery detections
No alerts detected

Detections

urlquery
0
Network Intrusion Detection
0
Threat Detection Systems
3

Domain Summary

Domain / FQDN	Rank	Registered	First Seen	Last Seen	Sent	Received	IP
classify-client.services.mozilla.com	3824	1994-10-18	2019-01-09	2024-04-19	357 B	344 B	34.98.75.36
www.java4less.com	unknown	2000-09-07	2012-06-26	2024-01-13	398 B	69 kB	212.224.76.71
normandy.cdn.mozilla.net	3562	1998-01-31	2017-01-30	2024-04-19	329 B	1.2 kB	35.201.103.21

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

No alerts detected

Threat Detection Systems

Public InfoSec YARA rules

No alerts detected

OpenPhish

No alerts detected

PhishTank

No alerts detected

mnemonic secure dns

No alerts detected

Quad9 DNS

No alerts detected

ThreatFox

No alerts detected

Files detected

URL
www.java4less.com/barphp.zip
IP
212.224.76.71
ASN
#44066 firstcolo GmbH

File type
Zip archive data, at least v2.0 to extract, compression method=deflate
Size
68 kB (68524 bytes)
Hash
d8c74150d3d6681f65f75406e62e4d2d
ec6827264a074bf4204293f72c82a19e3c715ece
8dd6c1fc21e00f2aa64cec8f30622bbb0e21a049e2aa64fccfc038ee999783dd

Archive (25)

Filename

Md5

File type

readme.html

3c8bf112673a39a86145e555d72a93be

HTML document, ASCII text, with CRLF line terminators

BarCode.php

197ea7f13b554d79cdde67452323ecb6

PHP script, ASCII text, with very long lines (22272), with CRLF line terminators

CODABAR_class.php

533019e8cbb9437591d1734fd7c7ff9f

PHP script, ASCII text, with very long lines (2560), with CRLF line terminators

CODE11_class.php

fbf54726f05b160d78632eb341d62bd4

PHP script, ASCII text, with very long lines (1884), with CRLF line terminators

CODE128_class.php

08c63426fccd59e36ce32705230a431f

PHP script, ASCII text, with very long lines (16540), with CRLF line terminators

CODE39_class.php

9b64e8de8bd733e20cc1e963b9f6a415

PHP script, ASCII text, with very long lines (3400), with CRLF line terminators

CODE39EXT_class.php

406fa7b7c36b1679e38a2ae231f78131

PHP script, ASCII text, with very long lines (2480), with CRLF line terminators

CODE93_class.php

6c5db1094906ad757a624d9c30b070a7

PHP script, ASCII text, with very long lines (2924), with CRLF line terminators

CODE93EXT_class.php

47266e7aaff37d902cfb6213dcae3cd0

PHP script, ASCII text, with very long lines (4956), with CRLF line terminators

codelock.php

efa8d72f6771a7719b90187454efa847

PHP script, ASCII text, with very long lines (15380), with CRLF line terminators

demo.php

1dd9bf740884e4141599440231edcb57

PHP script, ASCII text, with very long lines (18456), with CRLF line terminators

EAN.php

ca1e1690973ac63b22d76c38b529af48

PHP script, ASCII text, with very long lines (1152), with CRLF line terminators

EAN_UPC.php

ea8856f3f89a6ddb3d97555839bd6809

PHP script, ASCII text, with very long lines (12424), with CRLF line terminators

EAN128_class.php

72649215e67d25bfc41d70cc966a298f

PHP script, ASCII text, with very long lines (5812), with CRLF line terminators

EAN13_class.php

92702ec11a20775792cb4762705f2431

PHP script, ASCII text, with very long lines (2324), with CRLF line terminators

EAN8_class.php

883bcba3b7866d2c36c761352be45350

PHP script, ASCII text, with very long lines (1216), with CRLF line terminators

Graphics.php

42e309161c8900bdec19837c702ef513

PHP script, ASCII text, with very long lines (13208), with CRLF line terminators

IND25_class.php

661491062c4a3c2444f9a7f0e7b56e9b

PHP script, ASCII text, with very long lines (1576), with CRLF line terminators

INTERLEAVED25_class.php

d2721f1b457bef482aa895a785dafa0f

PHP script, ASCII text, with very long lines (1840), with CRLF line terminators

MAT25_class.php

4967f3eac80c463b952979c89cc3ee8a

PHP script, ASCII text, with very long lines (1404), with CRLF line terminators

MSI_class.php

28150c813adb04c2a1c5bead4188c498

PHP script, ASCII text, with very long lines (1984), with CRLF line terminators

POSTNET_class.php

bcc545496cf4d9d76ac1a55d64bbcc8e

PHP script, ASCII text, with very long lines (3860), with CRLF line terminators

SET25.php

dd24862c411384f5a39a6a3e64b086c6

PHP script, ASCII text, with very long lines (1324), with CRLF line terminators

UPCA_class.php

bcaafe38b535b413b4fd1a18d7ec39db

PHP script, ASCII text, with very long lines (1264), with CRLF line terminators

UPCE_class.php

e7733aba9449769cb86e8706f244fc79

PHP script, ASCII text, with very long lines (3744), with CRLF line terminators

Detections

Analyzer	Verdict	Alert
Public Nextron YARA rules	malware	php webshell containing base64 encoded payload
Public Nextron YARA rules	malware	PHP webshell which directly eval()s obfuscated string
Public Nextron YARA rules	malware	PHP webshell using some kind of eval with encoded blob to decode

JavaScript (0)

HTTP Transactions (3)

	URL	IP	Response	Size
	www.java4less.com/barphp.zip	212.224.76.71	200 OK	68 kB
URL User Request GET HTTP/1.1 www.java4less.com/barphp.zip IP 212.224.76.71:80 ASN #44066 firstcolo GmbH File type Zip archive data, at least v2.0 to extract, compression method=deflate Size 68 kB (68524 bytes) Hash d8c74150d3d6681f65f75406e62e4d2d ec6827264a074bf4204293f72c82a19e3c715ece 8dd6c1fc21e00f2aa64cec8f30622bbb0e21a049e2aa64fccfc038ee999783dd HTTP Headers `GET /barphp.zip HTTP/1.1 Host: www.java4less.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache` `HTTP/1.1 200 OK Date: Sat, 20 Apr 2024 08:41:38 GMT Server: Apache/2 Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Wed, 29 Sep 2010 19:56:25 GMT ETag: "10bac-4916b5b3b8c40" Accept-Ranges: bytes Content-Length: 68524 Keep-Alive: timeout=2, max=100 Content-Type: application/zip`

	normandy.cdn.mozilla.net/api/v1/	35.201.103.21		598 B
URL normandy.cdn.mozilla.net/api/v1/ IP 35.201.103.21:0 ASN #396982 GOOGLE-CLOUD-PLATFORM File type JSON text data Size 598 B (598 bytes) Hash 3076f9a5cb273105528b893ff7111e41 b8990c145fe71b9a2410eea41a60a712b43b82bf 69c578fb0c03a28141a975833f660f4571e7991dc28ae7f9cead37672ee2c9b3 HTTP Headers `GET /api/v1/ HTTP/1.1 Host: normandy.cdn.mozilla.net User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site` HTTP/2 200 OK server: nginx content-length: 598 allow: GET, HEAD, OPTIONS content-security-policy: default-src 'self' https://normandy.cdn.mozilla.net/; frame-src 'none'; base-uri 'none'; worker-src 'none'; block-all-mixed-content; object-src 'none'; form-action 'self'; report-uri /__cspreport__ x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block strict-transport-security: max-age=31536000 via: 1.1 google date: Fri, 19 Apr 2024 23:46:24 GMT cache-control: public, max-age=86400 content-type: application/json vary: Accept, Origin age: 32130 alt-svc: clear X-Firefox-Spdy: h2

	classify-client.services.mozilla.com/api/v1/classify_client/	34.98.75.36		64 B
URL classify-client.services.mozilla.com/api/v1/classify_client/ IP 34.98.75.36:0 ASN #396982 GOOGLE-CLOUD-PLATFORM File type JSON text data Size 64 B (64 bytes) Hash b9a81f92547951b76a5b55fe14f6258a 98046af225e78905ea67cd98a47ce45ed1f5f3a5 a495d75dd82105832c1023ff4a3b6921ac8e4399b052bea2f7c55020698965f6 HTTP Headers `GET /api/v1/classify_client/ HTTP/1.1 Host: classify-client.services.mozilla.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: cross-site` `HTTP/2 200 OK server: nginx date: Sat, 20 Apr 2024 08:41:55 GMT content-type: application/json content-length: 64 cache-control: max-age=0, no-cache, no-store, must-revalidate strict-transport-security: max-age=31536000 via: 1.1 google alt-svc: clear X-Firefox-Spdy: h2`

Report Overview

Submitted URL

IP

ASN

Submitted

Access

Website Title

Final URL

Tags

urlquery detections

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Domain Summary

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Threat Detection Systems

Public InfoSec YARA rules

OpenPhish

PhishTank

mnemonic secure dns

Quad9 DNS

ThreatFox

Files detected

URL

IP

ASN

File type

Size

Hash

Archive (25)

Detections

JavaScript (0)

HTTP Transactions (3)

URL User Request GET HTTP/1.1

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers

URL

IP

ASN

File type

Size

Hash

HTTP Headers