Analysis Report UAE Contract Supply.jar

Overview

General Information

Sample Name: UAE Contract Supply.jar
Analysis ID: 358324
MD5: d23d186daf02db3cecee462c5b1fe15c
SHA1: 1b2054ff2c9a3ff13920f07905b7e313a75b77dc
SHA256: 459787308dd55a6822b80ee2fd9d4add4e44602f783e8c984697a8918839ff22
Tags: jar

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\mx8043.exe ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: UAE Contract Supply.jar Virustotal: Detection: 19%
Source: UAE Contract Supply.jar ReversingLabs: Detection: 32%
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.java.exe.4d604e4.0.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Users\user\mx8043.exe

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.247780398.0000000004D60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Abnormal high CPU Usage
Source: C:\Users\user\mx8043.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Users\user\mx8043.exe Code function: 5_2_00401348 5_2_00401348
Source: C:\Users\user\mx8043.exe Code function: 5_2_0040D3A3 5_2_0040D3A3
Source: C:\Users\user\mx8043.exe Code function: 5_2_00401384 5_2_00401384
PE file contains strange resources
Source: mx8043.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 00000002.00000002.247780398.0000000004D60000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.expl.evad.winJAR@9/3@0/0
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\mx8043.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4012:120:WilError_01
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
Source: C:\Users\user\mx8043.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: UAE Contract Supply.jar Virustotal: Detection: 19%
Source: UAE Contract Supply.jar ReversingLabs: Detection: 32%
Source: java.exe String found in binary or memory: %z.in-addr.arpa
Source: java.exe String found in binary or memory: sun/launcher/
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\UAE Contract Supply.jar'' >> C:\cmdlinestart.log 2>&1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\UAE Contract Supply.jar'
Source: unknown Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\mx8043.exe C:\Users\user\mx8043.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\UAE Contract Supply.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Users\user\mx8043.exe C:\Users\user\mx8043.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: mx8043.exe PID: 6240, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: mx8043.exe PID: 6240, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_3_1520B68C push eax; ret 2_3_1520B68D
Source: C:\Users\user\mx8043.exe Code function: 5_2_004075CB push esi; ret 5_2_004075D3
Source: C:\Users\user\mx8043.exe Code function: 5_2_0040A9A9 push 3846BF64h; retf 5_2_0040A9AF
Source: C:\Users\user\mx8043.exe Code function: 5_2_02196C5A push esp; retf 5_2_02196C5B

Persistence and Installation Behavior:

Exploit detected, runtime environment dropped PE file
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: mx8043.exe.2.dr
Drops PE files
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\mx8043.exe
Drops PE files to the user directory
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\mx8043.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\mx8043.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Uses cacls to modify the permissions of files
Source: unknown Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\mx8043.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\mx8043.exe Code function: 5_2_0219186D 5_2_0219186D
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\mx8043.exe RDTSC instruction interceptor: First address: 00000000021956EB second address: 00000000021956EB instructions:
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: mx8043.exe, 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
Source: mx8043.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\mx8043.exe RDTSC instruction interceptor: First address: 00000000021956EB second address: 00000000021956EB instructions:
Source: C:\Users\user\mx8043.exe RDTSC instruction interceptor: First address: 00000000021953F5 second address: 00000000021953F5 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FE2F4D10D8Ch 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp ax, cx 0x00000020 cmp ch, ah 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007FE2F4D10D41h 0x00000033 cmp edi, 62D4476Ah 0x00000039 call 00007FE2F4D10DAEh 0x0000003e call 00007FE2F4D10D9Ch 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\mx8043.exe Code function: 5_2_02191E08 rdtsc 5_2_02191E08
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: mx8043.exe, 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
Source: java.exe, 00000002.00000002.251220154.0000000015340000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: java.exe, 00000002.00000002.246340230.0000000002970000.00000004.00000001.sdmp Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000002.00000002.246340230.0000000002970000.00000004.00000001.sdmp Binary or memory string: |[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000002.251220154.0000000015340000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: java.exe, 00000002.00000002.251220154.0000000015340000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: mx8043.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: java.exe, 00000002.00000002.251220154.0000000015340000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\mx8043.exe Code function: 5_2_02191E08 rdtsc 5_2_02191E08
Contains functionality to read the PEB
Source: C:\Users\user\mx8043.exe Code function: 5_2_02195A2E mov eax, dword ptr fs:[00000030h] 5_2_02195A2E
Source: C:\Users\user\mx8043.exe Code function: 5_2_02195A4C mov eax, dword ptr fs:[00000030h] 5_2_02195A4C
Source: C:\Users\user\mx8043.exe Code function: 5_2_02191FF6 mov eax, dword ptr fs:[00000030h] 5_2_02191FF6
Source: C:\Users\user\mx8043.exe Code function: 5_2_02192054 mov eax, dword ptr fs:[00000030h] 5_2_02192054
Source: C:\Users\user\mx8043.exe Code function: 5_2_0219186D mov eax, dword ptr fs:[00000030h] 5_2_0219186D
Source: C:\Users\user\mx8043.exe Code function: 5_2_02194CD7 mov eax, dword ptr fs:[00000030h] 5_2_02194CD7
Source: C:\Users\user\mx8043.exe Code function: 5_2_02195106 mov eax, dword ptr fs:[00000030h] 5_2_02195106
Source: C:\Users\user\mx8043.exe Code function: 5_2_02192D66 mov eax, dword ptr fs:[00000030h] 5_2_02192D66
Source: C:\Users\user\mx8043.exe Code function: 5_2_02191DB8 mov eax, dword ptr fs:[00000030h] 5_2_02191DB8
Source: C:\Users\user\mx8043.exe Code function: 5_2_02191DB6 mov eax, dword ptr fs:[00000030h] 5_2_02191DB6
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\UAE Contract Supply.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Users\user\mx8043.exe C:\Users\user\mx8043.exe
Source: mx8043.exe, 00000005.00000002.489393009.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: mx8043.exe, 00000005.00000002.489393009.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: mx8043.exe, 00000005.00000002.489393009.0000000000C70000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: mx8043.exe, 00000005.00000002.489393009.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: mx8043.exe, 00000005.00000002.489393009.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Behavior Graph

Behavior Graph ID: 358324 Sample: UAE Contract Supply.jar Startdate: 25/02/2021 Architecture: WINDOWS Score: 100

Process tree recovered from the behavior graph:
Start node signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected GuLoader; 4 other signatures
  cmd.exe started
    java.exe started (dropped C:\Users\user\mx8043.exe, PE32; signature: Exploit detected, runtime environment starts unknown processes)
      mx8043.exe started (signatures: Multi AV Scanner detection for dropped file; Contains functionality to detect hardware virtualization (CPUID execution measurement); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect virtualization through RDTSC time measurements)
      icacls.exe started
        conhost.exe started
    conhost.exe started
No contacted IP infos