
Analysis Report Application_coronavirus_Covid-19.jnlp

Overview

General Information

Sample Name: Application_coronavirus_Covid-19.jnlp
MD5: 46263ee62ee39f7f63987584045948a3
SHA1: 61355582635d84baf58691751d26c9847e879b96
SHA256: 14f00867a79bfbbf9e1fad85c2aa807ed5364a077157381d3795623013b22bc4

Most interesting Screenshot:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Creates a process in suspended mode (likely to inject code)
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • jp2launcher.exe (PID: 5560 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\jp2launcher.exe' -securejws 'C:\Users\user\Desktop\Application_coronavirus_Covid-19.jnlp' MD5: 908192717C683BBFB55424DDB8458444)
    • javaws.exe (PID: 5644 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaws.exe' 'C:\Users\user\Desktop\Application_coronavirus_Covid-19.jnlp' MD5: 34C46074336667B95E31DDDD5A946B0C)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: https://covidbase.info | Google Safe Browsing: Label: phishing
Multi AV Scanner detection for domain / URL
Source: https://covidbase.info | Virustotal: Detection: 10%

Source: Application_coronavirus_Covid-19.jnlp | String found in binary or memory: https://covidbase.info
Source: Application_coronavirus_Covid-19.jnlp | String found in binary or memory: https://mapcovid.info

Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\jp2launcher.exe | Section loaded: sfc.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaws.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal56.winJNLP@3/0@0/0
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\jp2launcher.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\jp2launcher.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\jp2launcher.exe' -securejws 'C:\Users\user\Desktop\Application_coronavirus_Covid-19.jnlp'
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaws.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaws.exe' 'C:\Users\user\Desktop\Application_coronavirus_Covid-19.jnlp'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\jp2launcher.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaws.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaws.exe' 'C:\Users\user\Desktop\Application_coronavirus_Covid-19.jnlp'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\jp2launcher.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\MSVCR100.dll

Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\jp2launcher.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaws.exe | Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaws.exe | Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\jp2launcher.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaws.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\javaws.exe' 'C:\Users\user\Desktop\Application_coronavirus_Covid-19.jnlp'
Source: jp2launcher.exe, 00000000.00000002.1640724370.0000000000CD0000.00000002.00000001.sdmp, javaws.exe, 00000002.00000002.1641123447.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: jp2launcher.exe, 00000000.00000002.1640724370.0000000000CD0000.00000002.00000001.sdmp, javaws.exe, 00000002.00000002.1641123447.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: jp2launcher.exe, 00000000.00000002.1640724370.0000000000CD0000.00000002.00000001.sdmp, javaws.exe, 00000002.00000002.1641123447.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: jp2launcher.exe, 00000000.00000002.1640724370.0000000000CD0000.00000002.00000001.sdmp, javaws.exe, 00000002.00000002.1641123447.0000000000D00000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

MITRE ATT&CK Matrix

Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Windows Remote Management; Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Process Injection12; Accessibility Features
Defense Evasion: Process Injection12; DLL Side-Loading1
Credential Access: Credential Dumping; Network Sniffing
Discovery: Process Discovery2; System Information Discovery1
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Data Obfuscation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph


Screenshots
