Windows Analysis Report
payload.jar

Overview

General Information

Sample name: payload.jar
Analysis ID: 1426955
MD5: b504eb2fb8e625e6967e4bccad1088e8
SHA1: 9ca5a29c1f66de5367c30854adb9ed173d7a3fed
SHA256: 56c93c26d3305315c2c63442163c6f8d22a6c425013bfe9ee0007849a7f8426b
Tags: jar

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Exploit detected, runtime environment starts unknown processes
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)

Classification

Software Vulnerabilities

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\System32\conhost.exe
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 4x nop then cmp eax, dword ptr [ecx+04h] 2_2_02A2F818
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: natebetter.com
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTP://WWW.CHAMBERSIGN.ORG
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.2050071594.000000000A000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000002.00000002.2050071594.000000000A000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000002.00000002.2050071594.0000000009F6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe, 00000002.00000002.2050071594.000000000A000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2052079059.00000000156D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificat
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000002.00000002.2050071594.000000000A00A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000002.00000002.2050071594.000000000A00A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000002.00000002.2050071594.0000000009F6A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000002.00000002.2050071594.000000000A00A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000002.00000002.2052079059.000000001565A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.2052079059.000000001565A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://null.oracle.com/B
Source: java.exe, 00000002.00000002.2050071594.000000000A000000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000002.00000002.2050071594.0000000009F6A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.quovadisglobal.com/cpsK
Source: Nlb4iMfF.class String found in binary or memory: https://natebetter.com/read.wsf
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.comC
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repository.luxtrust.lu0
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: classification engine Classification label: sus23.expl.winJAR@7/6@1/1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Windows\System32\7za.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\payload.jar"
Source: C:\Windows\System32\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe java.exe -jar "C:\Users\user\Desktop\payload.jar" Nlb4iMfF
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\System32\7za.exe Section loaded: 7z.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_02A28EBB push es; retn 0001h 2_2_02A28FBF
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_02A2C240 push eax; ret 2_2_02A2C241
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_02A2C244 push eax; ret 2_2_02A2C245
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_02A2C248 push eax; ret 2_2_02A2C249
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_02A2C24C push eax; ret 2_2_02A2C24D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_02A311F2 push esp; ret 2_2_02A311F9
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_02A2C9D4 pushad ; retf 2_2_02A2C9D5
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_02A2C9DC pushad ; retf 2_2_02A2C9DD
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_02A2E548 push es; retn 0024h 2_2_02A2E54B
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_0298D8F7 push 00000000h; mov dword ptr [esp], esp 2_2_0298D921
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_0298A21B push ecx; ret 2_2_0298A225
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_0298A20A push ecx; ret 2_2_0298A21A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_0298B3B7 push 00000000h; mov dword ptr [esp], esp 2_2_0298B3DD
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_0298BB67 push 00000000h; mov dword ptr [esp], esp 2_2_0298BB8D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_0298D8E0 push 00000000h; mov dword ptr [esp], esp 2_2_0298D921
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_0298B947 push 00000000h; mov dword ptr [esp], esp 2_2_0298B96D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_0298C477 push 00000000h; mov dword ptr [esp], esp 2_2_0298C49D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: java.exe, 00000002.00000003.1988353492.0000000014F52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000003.1988353492.0000000014F52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.2048902418.000000000102B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000003.1988353492.0000000014F52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000002.2048902418.000000000102B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000002.00000003.1988353492.0000000014F52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000002.00000002.2048902418.000000000102B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Memory protected: page read and write | page guard
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 2_2_029803C0 cpuid 2_2_029803C0
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\1680 VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid