Analysis Report javac.exe

Overview

General Information

Sample Name: javac.exe
Analysis ID: 324352
MD5: bbf20caee8bfce48f883a65b779dec71
SHA1: 71a8569ce4577016e1bc78eb27daab94ba6d9ce3
SHA256: 03100a76bca9d9ac984cccdf0cf7eef82bb2f1d20751538addc4405e35de4c00

Detection

Xmrig
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Machine Learning detection for sample
Potential time zone aware malware
Contains functionality to dynamically determine API calls
PE file contains strange resources
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Yara signature match

Startup

  • System is w10x64
  • javac.exe (PID: 6636 cmdline: 'C:\Users\user\Desktop\javac.exe' MD5: BBF20CAEE8BFCE48F883A65B779DEC71)
    • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
Process Memory Space: javac.exe PID: 6636 | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.javac.exe.7ff755a50000.0.unpack | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth | 0x37ee80:$x1: donate.ssl.xmrig.com; 0x37f2f1:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume; 0x379ec8:$s1: [%s] login error code: %d
0.2.javac.exe.7ff755a50000.0.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |

        Sigma Overview

        No Sigma rule has matched

        Signature Overview

        AV Detection:

Multi AV Scanner detection for submitted file
  Source: javac.exe | Virustotal: Detection: 57%
  Source: javac.exe | Metadefender: Detection: 16%
  Source: javac.exe | ReversingLabs: Detection: 65%
Machine Learning detection for sample
  Source: javac.exe | Joe Sandbox ML: detected

        Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
  Source: Yara match | File source: 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp, type: MEMORY
  Source: Yara match | File source: Process Memory Space: javac.exe PID: 6636, type: MEMORY
  Source: Yara match | File source: 0.2.javac.exe.7ff755a50000.0.unpack, type: UNPACKEDPE
Found strings related to Crypto-Mining
  Source: javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp | String found in binary or memory: stratum+tcp://
  Source: javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp | String found in binary or memory: cryptonight/0
  Source: javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp | String found in binary or memory: stratum+tcp://
  Source: javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
  Source: javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp | String found in binary or memory: https://xmrig.com/docs/algorithms
  Source: javac.exe, 00000000.00000002.203688180.0000018E0D84B000.00000004.00000020.sdmp, javac.exe, 00000000.00000002.203707251.0000018E0D86D000.00000004.00000020.sdmp, ConDrv.0.dr | String found in binary or memory: https://xmrig.com/wizard
  Source: javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp | String found in binary or memory: https://xmrig.com/wizardSIGTERM

        System Summary:

Malicious sample detected (through community Yara rule)
  Source: 0.2.javac.exe.7ff755a50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
  Source: javac.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
  Source: javac.exe, 00000000.00000000.202225027.00007FF7561CB000.00000008.00020000.sdmp | Binary or memory string: OriginalFilenamexmrig.exe0 vs javac.exe
  Source: javac.exe | Binary or memory string: OriginalFilenamexmrig.exe0 vs javac.exe
  Source: 0.2.javac.exe.7ff755a50000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
  Source: classification engine | Classification label: mal84.evad.mine.winEXE@2/1@0/0
  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
  Source: C:\Users\user\Desktop\javac.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
  Source: javac.exe | Virustotal: Detection: 57%
  Source: javac.exe | Metadefender: Detection: 16%
  Source: javac.exe | ReversingLabs: Detection: 65%
  Source: javac.exe | String found in binary or memory: set-addPolicy
  Source: javac.exe | String found in binary or memory: id-cmc-addExtensions
  Source: unknown | Process created: C:\Users\user\Desktop\javac.exe 'C:\Users\user\Desktop\javac.exe'
  Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  Source: javac.exe | Static PE information: Image base 0x140000000 > 0x60000000
  Source: javac.exe | Static file information: File size 1778688 > 1048576
  Source: javac.exe | Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x187800
  Source: javac.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
  Source: C:\Users\user\Desktop\javac.exe | Code function: 0_2_00007FF7561CA330 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00007FF7561CA330
  Source: initial sample | Static PE information: section name: UPX0
  Source: initial sample | Static PE information: section name: UPX1

        Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users
  Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon1488.png

        Malware Analysis System Evasion:

Potential time zone aware malware
  Source: C:\Users\user\Desktop\javac.exe | System information queried: CurrentTimeZoneInformation
  Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
  Source: C:\Users\user\Desktop\javac.exe | API call chain: ExitProcess graph end node, graph_0-91
  Source: C:\Users\user\Desktop\javac.exe | Code function: 0_2_00007FF7561CA330 LoadLibraryA,GetProcAddressForCaller,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00007FF7561CA330
  Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

        Mitre Att&ck Matrix

Tactic | Techniques
Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution | Command and Scripting Interpreter (2); Native API (1); At (Linux); At (Windows)
Persistence | Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation | Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion | Masquerading (1); Software Packing (1); Process Injection (1); Obfuscated Files or Information (1)
Credential Access | OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery | System Time Discovery (1); System Information Discovery (1); Query Registry; System Network Configuration Discovery
Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection | Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control | Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
Network Effects | Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects | Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact | Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

        Behavior Graph


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
javac.exe | 58% | Virustotal |
javac.exe | 22% | Metadefender |
javac.exe | 66% | ReversingLabs | Win64.Trojan.CoinMiner
javac.exe | 100% | Joe Sandbox ML |

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

Source | Detection | Scanner | Label
https://xmrig.com/wizardSIGTERM | 0% | Avira URL Cloud | safe
https://xmrig.com/wizard | 0% | Virustotal |
https://xmrig.com/wizard | 0% | Avira URL Cloud | safe
https://xmrig.com/docs/algorithms | 0% | Virustotal |
https://xmrig.com/docs/algorithms | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://xmrig.com/wizardSIGTERM | javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp | false | Avira URL Cloud: safe | unknown
https://xmrig.com/wizard | javac.exe, 00000000.00000002.203688180.0000018E0D84B000.00000004.00000020.sdmp, javac.exe, 00000000.00000002.203707251.0000018E0D86D000.00000004.00000020.sdmp, ConDrv.0.dr | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://xmrig.com/docs/algorithms | javac.exe, 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown

        Contacted IPs

        No contacted IP infos

        General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 324352
Start date: 29.11.2020
Start time: 13:49:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 11s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: javac.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.evad.mine.winEXE@2/1@0/0
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 100% (good quality ratio 25%)
• Quality average: 14.5%
• Quality standard deviation: 25.1%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASN

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

\Device\ConDrv
Process: C:\Users\user\Desktop\javac.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 168
Entropy (8bit): 5.252968524433859
Encrypted: false
SSDEEP: 3:oVXVpxFBoXbTTOWXp5vGKLQCSKzcovo9VpxFBoW+pEJAFd8CQIMQDKeBJrXMXMIY:o9GnCWXpFG25zZvy4g6QIR/BJrXMnGTJ
MD5: D581D2AA3DBA6FBE81A0145388397820
SHA1: EE1778795109B01B46622B8E75E6A5C634B9F464
SHA-256: A964F0660EA9448E758EBA4592569ACF43BADCF9E03FCD52FFE11CA41E4F138E
SHA-512: EAD5E6CC543F284A0FF4297D9221A180718E2C37EE47E093D500EE7F373DC53E878CFCBFF6C5F4C64018EB96232A0453D0BC437EEAD839B3A41ACA776212D1B0
Malicious: false
Reputation: low
Preview: [2020-11-29 13:50:15.943] unable to open "C:\Users\user\Desktop\config.json"....[2020-11-29 13:50:15.946] no valid configuration found, try https://xmrig.com/wizard...

        Static File Info

        General

File type: PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit): 7.822537418293464
TrID:
• Win64 Executable Console (202006/5) 81.26%
• UPX compressed Win32 Executable (30571/9) 12.30%
• Win64 Executable (generic) (12005/4) 4.83%
• Generic Win/DOS Executable (2004/3) 0.81%
• DOS Executable Generic (2002/1) 0.81%
File name: javac.exe
File size: 1778688
MD5: bbf20caee8bfce48f883a65b779dec71
SHA1: 71a8569ce4577016e1bc78eb27daab94ba6d9ce3
SHA256: 03100a76bca9d9ac984cccdf0cf7eef82bb2f1d20751538addc4405e35de4c00
SHA512: 6dc63993fb76fd526a86dd3d20516ab0f403d53e05057857ae9c93ff6c3320439becb40b3245e31c566d762df1a02e3fce515a1d813699b8338a3e7884a16d3d
SSDEEP: 24576:F0TMMpBJ1SFrJx/XIiJJVBfe0hsCI6ZEdNnsnCAjgysZyyIvbHY5V018c:FyMwBJcfTJznsCdErnFAjjyIvbHT8
File Content Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$............g...g...g.......g.......g......9g..m....g.......g.......g......gg..0....g.......g...g...f..v....e..0...%g..0....g..0....g.

        File Icon

Icon Hash: 1080888c8c828010

        Static PE Info

        General

Entrypoint: 0x14077a2b0
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0x5ED9180E [Thu Jun 4 15:49:34 2020 UTC]
TLS Callbacks: 0x4077a561, 0x1
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 49f1a89d440efc2bee91781377805550

        Entrypoint Preview

        Instruction
        push ebx
        push esi
        push edi
        push ebp
        dec eax
        lea esi, dword ptr [FFE78D45h]
        dec eax
        lea edi, dword ptr [esi-005F2000h]
        dec eax
        lea eax, dword ptr [edi+00683648h]
        push dword ptr [eax]
        mov dword ptr [eax], D412B057h
        push eax
        push edi
        xor ebx, ebx
        xor ecx, ecx
        dec eax
        or ebp, FFFFFFFFh
        call 00007FF5508FB795h
        add ebx, ebx
        je 00007FF5508FB744h
        rep ret
        mov ebx, dword ptr [esi]
        dec eax
        sub esi, FFFFFFFCh
        adc ebx, ebx
        mov dl, byte ptr [esi]
        rep ret
        dec eax
        lea eax, dword ptr [edi+ebp]
        cmp ecx, 05h
        mov dl, byte ptr [eax]
        jbe 00007FF5508FB763h
        dec eax
        cmp ebp, FFFFFFFCh
        jnbe 00007FF5508FB75Dh
        sub ecx, 04h
        mov edx, dword ptr [eax]
        dec eax
        add eax, 04h
        sub ecx, 04h
        mov dword ptr [edi], edx
        dec eax
        lea edi, dword ptr [edi+04h]
        jnc 00007FF5508FB731h
        add ecx, 04h
        mov dl, byte ptr [eax]
        je 00007FF5508FB752h
        dec eax
        inc eax
        mov byte ptr [edi], dl
        sub ecx, 01h
        mov dl, byte ptr [eax]
        dec eax
        lea edi, dword ptr [edi+01h]
        jne 00007FF5508FB732h
        rep ret
        cld
        inc ecx
        pop ebx
        jmp 00007FF5508FB74Ah
        dec eax
        inc esi
        mov byte ptr [edi], dl
        dec eax
        inc edi
        mov dl, byte ptr [esi]
        add ebx, ebx
        jne 00007FF5508FB74Ch
        mov ebx, dword ptr [esi]
        dec eax
        sub esi, FFFFFFFCh
        adc ebx, ebx
        mov dl, byte ptr [esi]
        jc 00007FF5508FB728h
        lea eax, dword ptr [ecx+01h]
        jmp 00007FF5508FB749h
        dec eax
        inc ecx
        call ebx
        adc eax, eax
        inc ecx
        call ebx
        adc eax, eax
        add ebx, ebx
        jne 00007FF5508FB74Ch
        mov ebx, dword ptr [esi]
        dec eax
        sub esi, FFFFFFFCh
        adc ebx, ebx
        mov dl, byte ptr [esi]
        jnc 00007FF5508FB726h
        sub eax, 03h
        jc 00007FF5508FB75Bh
        shl eax, 08h

        Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7a536c | 0x2e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x77b000 | 0x2a36c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x71a000 | 0x1e558 | UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a564c | 0x20 | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x77a588 | 0x28 | UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x77a5e8 | 0x130 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

        Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x5f2000 | 0x0 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1 | 0x5f3000 | 0x188000 | 0x187800 | False | 0.982420627794 | data | 7.93362082097 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x77b000 | 0x2b000 | 0x2a800 | False | 0.144870174632 | data | 4.51391620298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

        Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x77b2b4 | 0x242e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x77d6e8 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x78df14 | 0x94a8 | data | English | United States
RT_ICON | 0x7973c0 | 0x5488 | data | English | United States
RT_ICON | 0x79c84c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967183 | English | United States
RT_ICON | 0x7a0a78 | 0x25a8 | data | English | United States
RT_ICON | 0x7a3024 | 0x10a8 | data | English | United States
RT_ICON | 0x7a40d0 | 0x988 | data | English | United States
RT_ICON | 0x7a4a5c | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_GROUP_ICON | 0x7a4ec8 | 0x84 | data | English | United States
RT_VERSION | 0x7a4f50 | 0x298 | data | English | United States
RT_MANIFEST | 0x7a51ec | 0x17d | XML 1.0 document text | English | United States

        Imports

DLL | Import
ADVAPI32.dll | LsaClose
bcrypt.dll | BCryptGenRandom
CRYPT32.dll | CertOpenStore
IPHLPAPI.DLL | GetAdaptersAddresses
KERNEL32.DLL | LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | SHGetSpecialFolderPathA
USER32.dll | ShowWindow
USERENV.dll | GetUserProfileDirectoryW
WS2_32.dll | send

        Version Infos

Description | Data
LegalCopyright | Copyright (C) 2016-2020 microsoft.com
FileVersion | 5.10.0
CompanyName | www.microsoft.com
ProductName | svchost
ProductVersion | 5.10.0
FileDescription | svchost
OriginalFilename | xmrig.exe
Translation | 0x0000 0x04b0

        Possible Origin

Language of compilation system | Country where language is spoken
English | United States

        Network Behavior

        No network behavior found

        Code Manipulations

        System Behavior

        General

Start time: 13:50:15
Start date: 29/11/2020
Path: C:\Users\user\Desktop\javac.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\javac.exe'
Imagebase: 0x7ff755a50000
File size: 1778688 bytes
MD5 hash: BBF20CAEE8BFCE48F883A65B779DEC71
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp, Author: Joe Security
Reputation: low

        General

Start time: 13:50:15
Start date: 29/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

        Disassembly

        Code Analysis

          Execution Graph

Execution Coverage: 56.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 87.5%
Total number of Nodes: 8
Total number of Limit Nodes: 1

          Graph

          Callgraph

Nodes: 0 = Function_00007FF7561CA330, 1 = Function_00007FF7561CA2B0, 2 = Function_00007FF7561CA561, 3 = Function_00007FF7561CA2F2
Edges: 0->2, 0->3, 1->0

          Executed Functions

          Control-flow Graph

Control-flow graph of the executed function at 7ff7561ca330 (basic blocks from 7ff7561ca330 to 7ff7561ca558; graph image not reproduced). Blocks containing calls:
• 7ff7561ca3c9-7ff7561ca3d8: call 7ff7561ca2f2
• 7ff7561ca448-7ff7561ca460: LoadLibraryA
• 7ff7561ca481-7ff7561ca48d: GetProcAddressForCaller
• 7ff7561ca498: ExitProcess
• 7ff7561ca4e2-7ff7561ca542: VirtualProtect * 2, call 7ff7561ca561
APIs

Memory Dump Source
• Source File: 00000000.00000002.204391070.00007FF7561C4000.00000040.00020000.sdmp, Offset: 00007FF755A50000, based on PE: true
• Associated: 00000000.00000002.203723249.00007FF755A50000.00000002.00020000.sdmp
• Associated: 00000000.00000002.203735977.00007FF755A51000.00000040.00020000.sdmp
• Associated: 00000000.00000002.204294090.00007FF755E01000.00000040.00020000.sdmp
• Associated: 00000000.00000002.204347839.00007FF7560D3000.00000040.00020000.sdmp
• Associated: 00000000.00000002.204361683.00007FF756169000.00000040.00020000.sdmp
• Associated: 00000000.00000002.204399936.00007FF7561CB000.00000004.00020000.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff755a50000_javac.jbxd

Yara matches

Similarity
• API ID: ProtectVirtual$AddressCallerLibraryLoadProc
• String ID:
• API String ID: 1941872368-0
• Opcode ID: 997fbb60492c79a980544ea157afba3b62fbea148e883885f81262678e6985c6
• Instruction ID: c508f0d37db0a8613264e88226d2394c78a2d8412fc64ddf708087385d8e0fe5
• Opcode Fuzzy Hash: 997fbb60492c79a980544ea157afba3b62fbea148e883885f81262678e6985c6
• Instruction Fuzzy Hash: 2B610722F6915245FF23ABA4BC982BEE6519B117B4F8C4331C7BD463C5EE5CA8568330

Uniqueness

Uniqueness Score: -1.00%

          Non-executed Functions