Edit tour

Windows Analysis Report
payload.jar

Overview

General Information

Sample name:	payload.jar
Analysis ID:	1426955
MD5:	b504eb2fb8e625e6967e4bccad1088e8
SHA1:	9ca5a29c1f66de5367c30854adb9ed173d7a3fed
SHA256:	56c93c26d3305315c2c63442163c6f8d22a6c425013bfe9ee0007849a7f8426b
Tags:	jar
Infos:

Detection

Score:	23
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Exploit detected, runtime environment starts unknown processes

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Found inlined nop instructions (likely shell or obfuscated code)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Process Tree

System is w10x64

7za.exe (PID: 7152 cmdline: 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\payload.jar" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

java.exe (PID: 1680 cmdline: java.exe -jar "C:\Users\user\Desktop\payload.jar" Nlb4iMfF MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)

conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 728 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Software Vulnerabilities

Exploit detected, runtime environment starts unknown processes

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Process created: C:\Windows\System32\conhost.exe

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Code function: 4x nop then cmp eax, dword ptr [ecx+04h]

2_2_02A2F818

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: natebetter.com

Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.CHAMBERSIGN.ORG
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.2050071594.000000000A000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000002.00000002.2050071594.000000000A000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000002.00000002.2050071594.0000000009F6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe, 00000002.00000002.2050071594.000000000A000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2052079059.00000000156D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificat
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000002.00000002.2050071594.000000000A00A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000002.00000002.2050071594.000000000A00A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000002.00000002.2050071594.0000000009F6A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000002.00000002.2050071594.000000000A00A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000002.00000002.2052079059.000000001565A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.2052079059.000000001565A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/B
Source: java.exe, 00000002.00000002.2050071594.000000000A000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000002.00000002.2050071594.0000000009F6A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cpsK
Source: Nlb4iMfF.class	String found in binary or memory: https://natebetter.com/read.wsf
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.comC
Source: java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: classification engine

Classification label: sus23.expl.winJAR@7/6@1/1

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Windows\System32\7za.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\payload.jar"
Source: C:\Windows\System32\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe java.exe -jar "C:\Users\user\Desktop\payload.jar" Nlb4iMfF
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior

Source: C:\Windows\System32\7za.exe	Section loaded: 7z.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_02A28EBB push es; retn 0001h	2_2_02A28FBF
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_02A2C240 push eax; ret	2_2_02A2C241
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_02A2C244 push eax; ret	2_2_02A2C245
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_02A2C248 push eax; ret	2_2_02A2C249
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_02A2C24C push eax; ret	2_2_02A2C24D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_02A311F2 push esp; ret	2_2_02A311F9
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_02A2C9D4 pushad ; retf	2_2_02A2C9D5
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_02A2C9DC pushad ; retf	2_2_02A2C9DD
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_02A2E548 push es; retn 0024h	2_2_02A2E54B
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_0298D8F7 push 00000000h; mov dword ptr [esp], esp	2_2_0298D921
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_0298A21B push ecx; ret	2_2_0298A225
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_0298A20A push ecx; ret	2_2_0298A21A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_0298B3B7 push 00000000h; mov dword ptr [esp], esp	2_2_0298B3DD
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_0298BB67 push 00000000h; mov dword ptr [esp], esp	2_2_0298BB8D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_0298D8E0 push 00000000h; mov dword ptr [esp], esp	2_2_0298D921
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_0298B947 push 00000000h; mov dword ptr [esp], esp	2_2_0298B96D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_0298C477 push 00000000h; mov dword ptr [esp], esp	2_2_0298C49D

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: java.exe, 00000002.00000003.1988353492.0000000014F52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000003.1988353492.0000000014F52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.2048902418.000000000102B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000003.1988353492.0000000014F52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000002.2048902418.000000000102B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000002.00000003.1988353492.0000000014F52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000002.00000002.2048902418.000000000102B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Code function: 2_2_029803C0 cpuid

2_2_029803C0

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\1680 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Exploitation for Client Execution	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	1 Services File Permissions Weakness	LSASS Memory	22 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
payload.jar	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.xrampsecurity.com/XGCA.crl	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
https://repository.luxtrust.lu0	0%	URL Reputation	safe
http://bugreport.sun.com/bugreport/	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
https://ocsp.quovadisoffshore.com	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://www.quovadis.bm	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
https://ocsp.quovadisoffshore.com0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
natebetter.com	51.222.248.174	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.xrampsecurity.com/XGCA.crl	java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ocsp.quovadisoffshore.comC	java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.chambersign.org/chambersroot.crl0	java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://repository.luxtrust.lu0	java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://bugreport.sun.com/bugreport/	java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html0	java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://java.oracle.com/	java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.0000000009F9B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/	java.exe, 00000002.00000002.2052079059.000000001565A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://repository.swisssign.com/0	java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false		high
HTTP://WWW.CHAMBERSIGN.ORG	java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://policy.camerfirma.com	java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com	java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crl0	java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quovadisglobal.com/cps	java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html	java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crl	java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://repository.luxtrust.lu	java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp	false		high
https://natebetter.com/read.wsf	Nlb4iMfF.class	false		unknown
http://www.quovadisglobal.com/cps0	java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/B	java.exe, 00000002.00000002.2052079059.000000001565A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quovadis.bm	java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quovadis.bm0	java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quovadisglobal.com/cpsK	java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.chambersign.org/chambersroot.crl	java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://repository.swisssign.com/	java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A118000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org	java.exe, 00000002.00000002.2049416918.0000000004A00000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://policy.camerfirma.com0	java.exe, 00000002.00000002.2049416918.0000000004EAB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2050071594.000000000A1A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.222.248.174	natebetter.com	France		16276	OVHFR	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1426955
Start date and time:	2024-04-16 19:55:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Tracing
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	payload.jar
Detection:	SUS
Classification:	sus23.expl.winJAR@7/6@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 72% Number of executed functions: 15 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .jar Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target java.exe, PID 1680 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: payload.jar

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	http://www.makefun.online	Get hash	malicious	Captcha Phish	Browse	51.222.39.186
	SecuriteInfo.com.Python.Stealer.1447.10844.3562.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	51.178.66.33
	NEW-ORDER_pdf.exe	Get hash	malicious	FormBook	Browse	94.23.162.163
	994LJMbRxE.elf	Get hash	malicious	Mirai	Browse	142.44.208.94
	fK5W9PpT6b.elf	Get hash	malicious	Mirai	Browse	91.121.106.143
	https://www.goodnewsliverpool.co.uk/?ads_click=1&data=10345-9192-0-3318-1&nonce=b019a2f042&redir=%68%74%74%70%25%33%41aiitpune.com%2Fjs%2Ftjux%2F%2Fc2J5cm5lQGpwYy5xbGQuZWR1LmF1&$	Get hash	malicious	HTMLPhisher	Browse	51.161.109.46
	FRS291.js	Get hash	malicious	Unknown	Browse	142.4.223.103
	FRS3587.js	Get hash	malicious	RHADAMANTHYS	Browse	142.4.223.103
	alhadani Aprilorders140424.scr.exe	Get hash	malicious	FormBook	Browse	94.23.162.163
	narud#U017ebenicu 0BH2024.exe	Get hash	malicious	FormBook	Browse	213.186.33.5

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.897085150625375
Encrypted:	false
SSDEEP:	3:oFj4I5vpm4US8USh:oJ5b8N
MD5:	B397C23C51D2AA27F46340275B6EC2D6
SHA1:	90E28A4492FA4267FAD4DBBFDEF6EB2E3BD05713
SHA-256:	918B22202F100CDE90EFB12C2AE26F2977380295CB6F70CBA510D61A537D73C6
SHA-512:	3B27230786CF0EE1E6A173ECF104D261934DA69F9F70769C3DE312C3F834BFE01BCEAF114F0A45FE3CA3514390DFC0817DA629C704221B56204FD6354ADD9387
Malicious:	false
Reputation:	low
Preview:	C:\Program Files (x86)\Java\jre-1.8..1713290178407..

C:\Users\user\AppData\Local\Temp\hsperfdata_user\1680

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2817198006953576
Encrypted:	false
SSDEEP:	96:O/cr8DJ8GacRBLV8f2l6mMEwnUokfm87JCx+HG1bowvx/D:O/t8GxV8f2l6Ook+gy+HGd/
MD5:	519E0F2A4A634FDD769BE2251EFAE684
SHA1:	0EECCCA06899EC24142934F744F24767372418F9
SHA-256:	F4B28167DB2840260B80037B57BDE867084D5B71E0A055E8F3BABC1EA5F141B6
SHA-512:	85D492CF902F3266A97E6A87F05FBFC02BC52B547A1BBE006D8FC33D2C801DE169DBB55E9DE15015F24072957A1AC6DD14563AD7A4B9967392839D5066260635
Malicious:	false
Reputation:	low
Preview:	.........8.............. .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwlt7n:WNn
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................J2SE.

C:\jar\META-INF\MANIFEST.MF

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.854516284350725
Encrypted:	false
SSDEEP:	3:ZLCAWIzBEb2bFDUG8UM4XEegmMgX84oa:1KItG2b5NFM4XEewuoa
MD5:	354076A3E6249E2A3B7523E3C3E97370
SHA1:	817B114FE1171AB3142F43C9A108DEDED3FAAFED
SHA-256:	77ABAD2827F74F1BC97D92DF34D5A189E229678C45056C2A5FBD11FBB2A65640
SHA-512:	35FD19ECFF95F8B4A1155A434B8C139A961AC7E629802EEF4D89C4C806F00F11CD61A561EC257B52C72FE543ABED109F373F453651823B528AF770DD3266EB02
Malicious:	false
Reputation:	low
Preview:	Manifest-Version: 1.0..Main-Class: Nlb4iMfF..Created-By: 17.0.6 (Oracle Corporation)....

C:\jar\Nlb4iMfF.class

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	compiled Java class data, version 51.0 (Java 1.7)
Category:	dropped
Size (bytes):	1817
Entropy (8bit):	5.597291217257244
Encrypted:	false
SSDEEP:	48:t+YyFlqi4/1F7LBUISC2GKZG5EO2Ala6a5:tSFl6/PiHOPw
MD5:	5FADFF0A39D2DBD58738E8BACB47DEBD
SHA1:	AC328F22594898B201E728B562434ACD1A13E7D2
SHA-256:	3DD837A1C1381DBC96577AF0BF318C1905BE5072095AAC077D3623DC8F9078F5
SHA-512:	FDF3C23CAB7AE4CE888BD49D7399B732C58272C110FCC5F35FB5897589B9C402F661B13D63B3F46E13C6E2D510D751E253C49FDB32F98281B422D02BC6725D09
Malicious:	false
Reputation:	low
Preview:	.......3....$.:..;..<..=....>....?..#.@.......'...A.B..C.D..E..C.F..G....H..I..J.K..L..M.N..O....>....P..Q.R..S..T....:....U..V....W....>..X.Y....Z....[..X.[..\..]...<init>...()V...Code...LineNumberTable...main...([Ljava/lang/String;)V...StackMapTable..^.._..G..I...downloadFile..'(Ljava/lang/String;Ljava/lang/String;)V..O..`..a..S..b...Exceptions...SourceFile...Nlb4iMfF.java..%.&...https://natebetter.com/read.wsf...C:/downloads/...java/io/File..%.c..d.e..0.1..f..g.h..i..j.k...wscript C:\downloads\index.wsf..l.m...java/io/IOException..n.&...java/lang/Exception..o..p.q...Error!..r..s.c...java/net/URL..t.u..`..v.w...java/io/FileOutputStream...java/lang/StringBuilder..x.y...index.wsf..z.{..a..\|.}..~......&...Nlb4iMfF...java/lang/Object...[Ljava/lang/String;...java/lang/String...java/net/URLConnection...java/io/InputStream...[B...(Ljava/lang/String;)V...mkdirs...()Z...java/lang/Thread...sleep...(J)V...java/lang/Runtime...getRuntime...()Ljava/lang/Runtime;...exec..'(Ljava/lang/String;)Ljava/

C:\jar\OVkDinfu.jpg

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), default quality", baseline, precision 8, 757x548, components 3
Category:	dropped
Size (bytes):	32912
Entropy (8bit):	7.732403798721504
Encrypted:	false
SSDEEP:	768:LucerhAp0xP4UtpNwHZ0ssA0Gn28kXybQWhVFYe:ScYAmP475L0s2hybQWhbYe
MD5:	FDA58E9DB67D5543BE0119E87B8DF753
SHA1:	E7B049961906CC08D3FDD6CB69EF340AE16F64A3
SHA-256:	8BF43AE1BB436A15B30640891EB9C099479BD1716DAEF7B9EBB2CA53600ABD71
SHA-512:	E743EC3EF8F31E4EACC1134E8068DCC9501E07A006BC3D194BBBEDAA376B65AD08713479DB77A4050D7FDA3CC1CF9C1076A727C66FBEBCD95A67F668328E5357
Malicious:	false
Reputation:	low
Preview:	......JFIF.............>CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), default quality....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222......$...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@..Q@...5....Y_...........9..O.].e."]J.L..B..q.iC.l.3.)].....E.S.QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE..QE.

Static File Info

General

File type:	Java archive data (JAR)
Entropy (8bit):	7.986290648395257
TrID:	Java Archive (13504/1) 62.80% ZIP compressed archive (8000/1) 37.20%
File name:	payload.jar
File size:	29'421 bytes
MD5:	b504eb2fb8e625e6967e4bccad1088e8
SHA1:	9ca5a29c1f66de5367c30854adb9ed173d7a3fed
SHA256:	56c93c26d3305315c2c63442163c6f8d22a6c425013bfe9ee0007849a7f8426b
SHA512:	c1ec4d9659f1ebc8f7fec8f85f527262856ae5eca5a9e35514b7f16ece703e19e3cdf8fae3830732fe2bfb3fef56fabc6f36487170220af3b96df7c662d64e5e
SSDEEP:	768:I+DjklfoxTKo7eI18lhVzEGtD7JkLg7/swgUCQy6xGHr:I4qo4ZE8VKL8m9QZUHr
TLSH:	B5D2E1AAC61D6054DF0165B175C7BE74A09458872DAABB06F6127E9183C0E0CAFEFD4C
File Content Preview:	PK........F..X................META-INF/......PK..............PK........F..X................META-INF/MANIFEST.MF.M..LK-...K-....R0.3...M...u.I,..R..I2..Ms..r.JM,IM.u..3.3.3S../JL.IUp./*./J,.........PK..hg..X...X...PK........G..X................Nlb4iMfF.c

File Icon


Icon Hash:	d08c8e8ea2868a54

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 19:56:23.478868961 CEST	49704	443	192.168.2.5	51.222.248.174
Apr 16, 2024 19:56:23.478914022 CEST	443	49704	51.222.248.174	192.168.2.5
Apr 16, 2024 19:56:23.479104996 CEST	49704	443	192.168.2.5	51.222.248.174
Apr 16, 2024 19:56:23.582091093 CEST	49704	443	192.168.2.5	51.222.248.174
Apr 16, 2024 19:56:23.582113981 CEST	443	49704	51.222.248.174	192.168.2.5
Apr 16, 2024 19:56:23.871829033 CEST	443	49704	51.222.248.174	192.168.2.5
Apr 16, 2024 19:56:23.871931076 CEST	49704	443	192.168.2.5	51.222.248.174
Apr 16, 2024 19:56:23.905312061 CEST	49704	443	192.168.2.5	51.222.248.174
Apr 16, 2024 19:56:23.905339956 CEST	443	49704	51.222.248.174	192.168.2.5
Apr 16, 2024 19:56:23.998075008 CEST	49704	443	192.168.2.5	51.222.248.174
Apr 16, 2024 19:56:23.998075008 CEST	49704	443	192.168.2.5	51.222.248.174
Apr 16, 2024 19:56:23.998100996 CEST	443	49704	51.222.248.174	192.168.2.5
Apr 16, 2024 19:56:23.998688936 CEST	443	49704	51.222.248.174	192.168.2.5
Apr 16, 2024 19:56:23.998747110 CEST	49704	443	192.168.2.5	51.222.248.174

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 19:56:23.203906059 CEST	63580	53	192.168.2.5	1.1.1.1
Apr 16, 2024 19:56:23.475128889 CEST	53	63580	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 16, 2024 19:56:23.203906059 CEST	192.168.2.5	1.1.1.1	0x66a1	Standard query (0)	natebetter.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 16, 2024 19:56:23.475128889 CEST	1.1.1.1	192.168.2.5	0x66a1	No error (0)	natebetter.com		51.222.248.174	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	19:56:16
Start date:	16/04/2024
Path:	C:\Windows\System32\7za.exe
Wow64 process (32bit):	true
Commandline:	7za.exe x -y -oC:\jar "C:\Users\user\Desktop\payload.jar"
Imagebase:	0xdb0000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	19:56:16
Start date:	16/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:56:16
Start date:	16/04/2024
Path:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Wow64 process (32bit):	true
Commandline:	java.exe -jar "C:\Users\user\Desktop\payload.jar" Nlb4iMfF
Imagebase:	0x2e0000
File size:	257'664 bytes
MD5 hash:	9DAA53BAB2ECB33DC0D9CA51552701FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:56:16
Start date:	16/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:56:18
Start date:	16/04/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0x370000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:56:18
Start date:	16/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 0298D8F7 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1114f90dbe9668a7ead48db7a1cf6c6d74698b9944466e86e1db017a2ae7eee1
Instruction ID: 71e38ec21c610452f167ee222caf6cd48026af86573b580c562b687c26cfa1a6
Opcode Fuzzy Hash: 1114f90dbe9668a7ead48db7a1cf6c6d74698b9944466e86e1db017a2ae7eee1
Instruction Fuzzy Hash: 8FA1DE71A00601DFDB18EF24C494BA9FBB5FF49314F18859DD9194B382C735A885CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0298D8E0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90f0f6b1623c439f7daeb08977a5361aaedbb4dd8faa69b3014fd3ff5f7535f
Instruction ID: 28d1a4c9ca7b454c61aedbf5806368a38f5266aa2d5891d0128544553ed65481
Opcode Fuzzy Hash: e90f0f6b1623c439f7daeb08977a5361aaedbb4dd8faa69b3014fd3ff5f7535f
Instruction Fuzzy Hash: 5861BB71600601EFDB18EF24C494BAAFBB5FF89714F18819DD91A8B381C775A881CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02980672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2980000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07491d1d20466ad6d15a69243afdeeed2927bf91cf29928cafb61b1a86bfeff
Instruction ID: 5e0cbe95100cb3ba19fac0c1302e2c5289f5af949dc01e89f3534870f6ac1f88
Opcode Fuzzy Hash: a07491d1d20466ad6d15a69243afdeeed2927bf91cf29928cafb61b1a86bfeff
Instruction Fuzzy Hash: B7115BB6D0122ADFCF24EF48C9855ADB7B4FB99314B1A4625DC65A3341D3346924CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02980722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2980000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 147621e592e1713c3d05ce599f860ea38171e1b93d3dea370ffd7bfdb876c00a
Instruction ID: 7381d2125ffe5d84aad9ee611992246634567a76059415ad090b828d205a4ed0
Opcode Fuzzy Hash: 147621e592e1713c3d05ce599f860ea38171e1b93d3dea370ffd7bfdb876c00a
Instruction Fuzzy Hash: 26F01576C00229DB8F14EF48C8400ADB7B1FB08328B1E8496DC2877241D332AD66CF85

Uniqueness

Uniqueness Score: -1.00%

Function 02994CCD Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c8f3f267489c5d04025b47ebb533cb2eedc372b808b498fef1c009aeb853351
Instruction ID: 81951a1d5d0c65d8e6d4d13951fa9551a09eafa2a93c3006c16968fbf2418483
Opcode Fuzzy Hash: 6c8f3f267489c5d04025b47ebb533cb2eedc372b808b498fef1c009aeb853351
Instruction Fuzzy Hash: B6F0DFB5900A06EBEB15CF61C0047EAF7B8FB88704F04420AD42C53310C379B429CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02994B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22573b8eaa4acb7b7b9d48cebdf7c9484bd91c2298d4e3c8f23a7bf819d79824
Instruction ID: 81647d95c1089aaebc976a19f7395a35b773a32b3b1440271d21172579abb0bf
Opcode Fuzzy Hash: 22573b8eaa4acb7b7b9d48cebdf7c9484bd91c2298d4e3c8f23a7bf819d79824
Instruction Fuzzy Hash: 9FF07FB5900A06EBDB158F61C0047DAFBB4BB88718F14421AD82C57350D778B46A8BC0

Uniqueness

Uniqueness Score: -1.00%

Function 02995346 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2616f5511faa1cce1abaa991a35a5ae7687edf37ede6aeb78c160a397032a12a
Instruction ID: 628dcd332414a9a320c6018d9214a7d4777d654bbb617cd317b37881b0a83a5d
Opcode Fuzzy Hash: 2616f5511faa1cce1abaa991a35a5ae7687edf37ede6aeb78c160a397032a12a
Instruction Fuzzy Hash: DFF09BB6A00A06EBDB25CF61C1047DAFBB4BB48714F15421AC42D67350C778B46ACFC0

Uniqueness

Uniqueness Score: -1.00%

Function 0298EC1C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 852c25f89542f78e965c8f957b4a9a47fdd90dcb7309290763a34c8d58514be0
Instruction ID: 7a0deac60de26236d2473340e5657ada572494a753a27a5d142ad4d16f53b0b7
Opcode Fuzzy Hash: 852c25f89542f78e965c8f957b4a9a47fdd90dcb7309290763a34c8d58514be0
Instruction Fuzzy Hash: 4DF09BB6A00A06EBDB29CF61C0047DAFBB4BB88718F14421AD42C67750D778B46ACFC0

Uniqueness

Uniqueness Score: -1.00%

Function 0298DA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10758b060fdaaed48170641e0e4cba02af666a183398077a31c39fa3f247031a
Instruction ID: dfe7a426652cc140cbadc19253e98ed6dae9fb0c0f4b5a48e2af3a22e6c2bd19
Opcode Fuzzy Hash: 10758b060fdaaed48170641e0e4cba02af666a183398077a31c39fa3f247031a
Instruction Fuzzy Hash: DEF0C2B6D00A0AABDB248F61C0047DAFBB4BB44714F18421AC42C63310D378B469CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 029949AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe62eb19c3738025ff1ee2bb28fd10bd83c8cd0ddee25b5b3a2c7859cdb0ae6
Instruction ID: 4826791404bce212f6c6b9dd754cfc08de1a7e3dab8caa9831e21e292a8d1df3
Opcode Fuzzy Hash: fbe62eb19c3738025ff1ee2bb28fd10bd83c8cd0ddee25b5b3a2c7859cdb0ae6
Instruction Fuzzy Hash: AFF0CAB6D00A06ABDB24CFA1C0047CAFBB8BB88714F18421AC42C67320D378B469CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0298DE6E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48665816eddd738d2d1fe771b3be148366105a2f16d8704601c584fa4598e7d3
Instruction ID: 6eacedf9a047268033f3c38d83e4f4dfa505bbe0b3fb94f7b7d3d27f2152dec9
Opcode Fuzzy Hash: 48665816eddd738d2d1fe771b3be148366105a2f16d8704601c584fa4598e7d3
Instruction Fuzzy Hash: B0F0CAB6D00A06ABDB248F61C0047CAFBB8BB88714F19421AC42C63720C778B469CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0298B407 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91854fc10731f7d68e0c81a85bc654440815b11fb980833acc42680e4d55689
Instruction ID: 0eb0c10fff2b67eeaca8cf96c1eaf720c92bc36de09df3e104427e406609bf5f
Opcode Fuzzy Hash: c91854fc10731f7d68e0c81a85bc654440815b11fb980833acc42680e4d55689
Instruction Fuzzy Hash: 4DF0CAB6D00A06ABDB248FA1C0047CAFBB8BB88714F19421AC42C63760D778B469CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 02993C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dccad99da36c891d681f86b1701df3e5c5b7d2beacb23ce3f7f5afd6d5f9cc7
Instruction ID: fe0d47203b843c0cc5a42c4558f5b98ecab3952f4e8b630a23b175e030c9f340
Opcode Fuzzy Hash: 3dccad99da36c891d681f86b1701df3e5c5b7d2beacb23ce3f7f5afd6d5f9cc7
Instruction Fuzzy Hash: BFF0C2B6D00A0AABDB248FA1C0047CAFBB4BB84714F14421AC42C67320D378B469CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 029945E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2be4e4fb87aea0d4355c5013309101c7ad56563899a2019dc03cff805edc58
Instruction ID: 43509db34e61d79514a92a8084136bdc93bb2780e1eb7055a6b9e6fcd1890376
Opcode Fuzzy Hash: cd2be4e4fb87aea0d4355c5013309101c7ad56563899a2019dc03cff805edc58
Instruction Fuzzy Hash: B8F0C2B6D00A0AABDB248F61C0047CAFBB4BB44714F18421AC52C63310D378B469CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 02994EF4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002982000.00000040.00000800.00020000.00000000.sdmp, Offset: 02982000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2982000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3a870577674b4243fea74c3e7040256c29f3ed182fedd01e7424ee3bf02404
Instruction ID: 092bbf67f077dc059f66358ab26958878799653f2b581f57466812289600833a
Opcode Fuzzy Hash: 8a3a870577674b4243fea74c3e7040256c29f3ed182fedd01e7424ee3bf02404
Instruction Fuzzy Hash: ADF052B5D00A1AABDB24CF61C10479AF7B4BB54B14F15421AC52C67750D778B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02A2F818 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002A24000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A24000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a24000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f9b20a87e7501489ac9735c7e7f4c5744fb5f09c3161e517a498fcad1f28d2
Instruction ID: aae765e810e924f6e6142b26db84634cacf701d1e6b13137a524cf8e3f3197da
Opcode Fuzzy Hash: 00f9b20a87e7501489ac9735c7e7f4c5744fb5f09c3161e517a498fcad1f28d2
Instruction Fuzzy Hash: 0F516071A043218FC710DF2CD58062AF7F1BF89318F298A5DE899A7755DB31E84ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 029803C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2049113458.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2980000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction ID: 0a0070e4de14f31fcea06d08ff0fb31d0a3f70cd33b7811bdb0dfd545cf4b9d8
Opcode Fuzzy Hash: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction Fuzzy Hash: 9721F4BA5442568FDB358F188C403D9B7A5EB09314F21482EDECDA7710E2306A898B50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report payload.jar

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

C:\Users\user\AppData\Local\Temp\hsperfdata_user\1680

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\jar\META-INF\MANIFEST.MF

C:\jar\Nlb4iMfF.class

C:\jar\OVkDinfu.jpg

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: 7za.exePID: 7152, Parent PID: 1028

General

Chronological Activities

Windows Analysis Report
payload.jar