Analysis Report javac.exe

Overview

General Information

Sample Name: javac.exe
Analysis ID: 324352
MD5: bbf20caee8bfce48f883a65b779dec71
SHA1: 71a8569ce4577016e1bc78eb27daab94ba6d9ce3
SHA256: 03100a76bca9d9ac984cccdf0cf7eef82bb2f1d20751538addc4405e35de4c00

Detection

Xmrig
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Machine Learning detection for sample
Potential time zone aware malware
Contains functionality to dynamically determine API calls
PE file contains strange resources
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: javac.exe Virustotal: Detection: 57%
Source: javac.exe Metadefender: Detection: 16%
Source: javac.exe ReversingLabs: Detection: 65%
Machine Learning detection for sample
Source: javac.exe Joe Sandbox ML: detected

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: javac.exe PID: 6636, type: MEMORY
Source: Yara match File source: 0.2.javac.exe.7ff755a50000.0.unpack, type: UNPACKEDPE
Found strings related to Crypto-Mining
Source: javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp String found in binary or memory: stratum+tcp://
Source: javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp String found in binary or memory: cryptonight/0
Source: javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp String found in binary or memory: stratum+tcp://
Source: javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: javac.exe, 00000000.00000002.203688180.0000018E0D84B000.00000004.00000020.sdmp, javac.exe, 00000000.00000002.203707251.0000018E0D86D000.00000004.00000020.sdmp, ConDrv.0.dr String found in binary or memory: https://xmrig.com/wizard
Source: javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp String found in binary or memory: https://xmrig.com/wizardSIGTERM

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.javac.exe.7ff755a50000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
PE file contains strange resources
Source: javac.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: javac.exe, 00000000.00000000.202225027.00007FF7561CB000.00000008.00020000.sdmp Binary or memory string: OriginalFilenamexmrig.exe0 vs javac.exe
Source: javac.exe Binary or memory string: OriginalFilenamexmrig.exe0 vs javac.exe
Yara signature match
Source: 0.2.javac.exe.7ff755a50000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: classification engine Classification label: mal84.evad.mine.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
Source: C:\Users\user\Desktop\javac.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: javac.exe Virustotal: Detection: 57%
Source: javac.exe Metadefender: Detection: 16%
Source: javac.exe ReversingLabs: Detection: 65%
Source: javac.exe String found in binary or memory: set-addPolicy
Source: javac.exe String found in binary or memory: id-cmc-addExtensions
Source: unknown Process created: C:\Users\user\Desktop\javac.exe 'C:\Users\user\Desktop\javac.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: javac.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: javac.exe Static file information: File size 1778688 > 1048576
Source: javac.exe Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x187800
Source: javac.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\javac.exe Code function: 0_2_00007FF7561CA330 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00007FF7561CA330
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon1488.png

Malware Analysis System Evasion:

Potential time zone aware malware
Source: C:\Users\user\Desktop\javac.exe System information queried: CurrentTimeZoneInformation
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\javac.exe API call chain: ExitProcess graph end node

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\javac.exe Code function: 0_2_00007FF7561CA330 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00007FF7561CA330
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Behavior Graph

Behavior Graph ID: 324352
Sample: javac.exe
Startdate: 29/11/2020
Architecture: WINDOWS
Score: 84
Process chain: javac.exe (started) -> conhost.exe (started)
Signatures attached to javac.exe in the graph: Malicious sample detected (through community Yara rule); Icon mismatch, binary includes an icon from a different legit application in order to fool users; Multi AV Scanner detection for submitted file; 3 other signatures; Potential time zone aware malware
No contacted IP infos