
Analysis Report invoice.jnlp

Overview

General Information

Sample Name: invoice.jnlp
Analysis ID: 361228
MD5: 67e9e29dde633fc31d03a9075c53788d
SHA1: e3249b46e76b3d94b46d45a38e175ef80b7d0526
SHA256: 91c8702137880cebf55f89e1d0b07df0c7c05b277850879384fa1dfe7470006c

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected JAVA Downloader Generic
Creates a process in suspended mode (likely to inject code)
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • jp2launcher.exe (PID: 6792 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe' -securejws 'C:\Users\user\Desktop\invoice.jnlp' MD5: BA7B1294CAB259452105704FA6C6863E)
    • javaws.exe (PID: 6828 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe' 'C:\Users\user\Desktop\invoice.jnlp' MD5: F64595565AB90F21992D5964BE538A1B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: invoice.jnlp
Rule: JoeSecurity_JAVADownloaderGeneric
Description: Yara detected JAVA Downloader Generic
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\MSVCR100.dll

Spreading:

Yara detected JAVA Downloader Generic
Source: Yara match | File source: invoice.jnlp, type: SAMPLE
Source: invoice.jnlp | String found in binary or memory: http://invoicesecure.net/documents
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe | Section loaded: sfc.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal48.spre.winJNLP@3/0@0/0
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe' -securejws 'C:\Users\user\Desktop\invoice.jnlp'
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe' 'C:\Users\user\Desktop\invoice.jnlp'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe' 'C:\Users\user\Desktop\invoice.jnlp'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\MSVCR100.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe | Process information queried: ProcessInformation
Source: jp2launcher.exe, 00000002.00000002.591775696.0000000000FB0000.00000002.00000001.sdmp, javaws.exe, 00000003.00000002.591872141.00000000012A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: jp2launcher.exe, 00000002.00000002.591775696.0000000000FB0000.00000002.00000001.sdmp, javaws.exe, 00000003.00000002.591872141.00000000012A0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: jp2launcher.exe, 00000002.00000002.591775696.0000000000FB0000.00000002.00000001.sdmp, javaws.exe, 00000003.00000002.591872141.00000000012A0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: jp2launcher.exe, 00000002.00000002.591775696.0000000000FB0000.00000002.00000001.sdmp, javaws.exe, 00000003.00000002.591872141.00000000012A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts
  • Privilege Escalation: Process Injection 12; DLL Side-Loading 1
  • Defense Evasion: Process Injection 12; DLL Side-Loading 1
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: Process Discovery 2; System Information Discovery 1
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Data Obfuscation; Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout

Behavior Graph

Behavior Graph ID: 361228
Sample: invoice.jnlp
Startdate: 02/03/2021
Architecture: WINDOWS
Score: 48
Graph edges: start -> jp2launcher.exe (started); jp2launcher.exe -> javaws.exe (started); start -> signature "Yara detected JAVA Downloader Generic"
