Windows Analysis Report
Telexcopy.pdf.jar

Overview

General Information

Sample name: Telexcopy.pdf.jar
Analysis ID: 1416890
MD5: 81e621517a407ae36da0a767b960c88c
SHA1: 421f3489d10b803e2dd64d0b47ce619da2da448a
SHA256: ca438598c383fab834c5e52369032e30c657f8f70cbb095f181ea7779d34bba1
Tags: jar

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected JARBomb
Exploit detected, runtime environment starts unknown processes
Uses an obfuscated file name to hide its real file extension (double extension)
Abnormal high CPU Usage
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

AV Detection

Source: Telexcopy.pdf.jar Virustotal: Detection: 15%

Software Vulnerabilities

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\System32\conhost.exe
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: mbycket45344.s3.eu-north-1.amazonaws.com
Source: Telexcopy.pdf.jar String found in binary or memory: https://branchlock.net
Source: 7za.exe, 00000000.00000002.6577553454.0000000003195000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://branchlock.net::
Source: 7za.exe, 00000000.00000002.6577276111.00000000014C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://branchlock.netL
Source: C:\Windows\System32\7za.exe Process Stats: CPU usage > 49%
Source: C:\Windows\System32\7za.exe Section loaded: 7z.dll
Source: classification engine Classification label: mal64.expl.evad.winJAR@4/1@1/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\7za.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Telexcopy.pdf.jar Virustotal: Detection: 15%
Source: unknown Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\Telexcopy.pdf.jar"
Source: C:\Windows\System32\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe java.exe -jar "C:\Users\user\Desktop\Telexcopy.pdf.jar" services
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 23_2_0167126A push ebp; ret 23_2_0167126B
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 23_2_0167666A push ebp; ret 23_2_0167667B
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 23_2_01671032 push ebp; ret 23_2_01671043

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.jar Static PE information: Telexcopy.pdf.jar

Malware Analysis System Evasion

Source: Yara match File source: Telexcopy.pdf.jar, type: SAMPLE
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Queries volume information: unknown VolumeInformation
No contacted IP infos