
Analysis Report invoice.jnlp

Overview

General Information

Sample Name:invoice.jnlp
Analysis ID:361228
MD5:67e9e29dde633fc31d03a9075c53788d
SHA1:e3249b46e76b3d94b46d45a38e175ef80b7d0526
SHA256:91c8702137880cebf55f89e1d0b07df0c7c05b277850879384fa1dfe7470006c

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected JAVA Downloader Generic
Creates a process in suspended mode (likely to inject code)
Tries to load missing DLLs

Classification

Startup

  • System is w10x64
  • jp2launcher.exe (PID: 6792 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe' -securejws 'C:\Users\user\Desktop\invoice.jnlp' MD5: BA7B1294CAB259452105704FA6C6863E)
    • javaws.exe (PID: 6828 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe' 'C:\Users\user\Desktop\invoice.jnlp' MD5: F64595565AB90F21992D5964BE538A1B)
  • cleanup
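The process tree above is what a Java Web Start launch looks like on an endpoint: jp2launcher.exe is invoked with -securejws and the .jnlp path, then spawns javaws.exe on the same file. The report notes that no Sigma rule matched, so the following is an added example of detection logic for this launch chain, written for this page; it is not part of the Joe Sandbox report and not a shipped Sigma or Joe Sandbox rule. The events it runs over are constructed in a Sysmon-like shape: the first two mirror the tree above, while the intranet URL launch, the Outlook-delivered file, the weights, the list of delivery parents and the user-writable path markers are all assumptions.

```python
"""Detection logic for phish-delivered Java Web Start (JNLP) launches.

Added example; not from the Joe Sandbox report and not a shipped rule.
EVENTS are constructed process-creation records in a Sysmon-like shape.
"""
import re
from pathlib import PureWindowsPath

JWS_IMAGES = {"javaws.exe", "jp2launcher.exe"}
# Where mail attachments and browser downloads typically land (assumption).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\")
# Parents that indicate the .jnlp arrived by mail, browser or document (assumption).
DELIVERY_PARENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe",
                    "firefox.exe", "winword.exe"}
ALERT_THRESHOLD = 3  # assumed weighting, tune to your environment

EVENTS = [  # constructed; the first two mirror the report's process tree
    {"pid": 6792, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe",
     "cmdline": r"'C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe' -securejws 'C:\Users\user\Desktop\invoice.jnlp'"},
    {"pid": 6828, "parent_image": r"C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe",
     "image": r"C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe",
     "cmdline": r"'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe' 'C:\Users\user\Desktop\invoice.jnlp'"},
    # benign intranet launch: the descriptor is fetched by URL, not opened from disk
    {"pid": 7010, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe",
     "cmdline": r'"C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe" https://apps.example.corp/launch.jnlp'},
    # attachment opened straight from the mail client
    {"pid": 7104, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe",
     "cmdline": r'"C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe" -securejws "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\invoice.jnlp"'},
]

# Accept double quotes (real Windows command lines), single quotes (how the
# sandbox renders them) or a bare token such as a URL.
_JNLP_RE = re.compile(r"""
    "([^"]+\.jnlp)"
  | '([^']+\.jnlp)'
  | (\S+\.jnlp)
""", re.IGNORECASE | re.VERBOSE)


def basename(path):
    return PureWindowsPath(path).name.lower()


def jnlp_argument(cmdline):
    """Return the .jnlp path or URL passed on the command line, or None."""
    m = _JNLP_RE.search(cmdline)
    if not m:
        return None
    return next(g for g in m.groups() if g is not None)


def score_event(ev):
    """Score one process-creation event; returns (score, reasons)."""
    reasons = []
    if basename(ev["image"]) not in JWS_IMAGES:
        return 0, reasons
    target = jnlp_argument(ev["cmdline"])
    if target is None:
        return 0, reasons
    score = 1
    reasons.append(f"Java Web Start launcher invoked on {target}")
    low = target.lower()
    is_local = ":\\" in low or low.startswith("\\\\")
    if is_local and any(marker in low for marker in USER_WRITABLE):
        score += 2
        reasons.append("JNLP file sits in a user-writable location (attachment/download)")
    parent = basename(ev["parent_image"])
    if parent in DELIVERY_PARENTS:
        score += 2
        reasons.append(f"parent {parent} is a mail client, browser or Office app")
    return score, reasons


def detect(events):
    """Alert once per launch chain: score the top process, skip the javaws child."""
    alerts = []
    for ev in events:
        # jp2launcher.exe -> javaws.exe is the normal JWS chain; the parent was already scored.
        if basename(ev["parent_image"]) in JWS_IMAGES:
            continue
        score, reasons = score_event(ev)
        if score >= ALERT_THRESHOLD:
            alerts.append({"pid": ev["pid"], "score": score,
                           "jnlp": jnlp_argument(ev["cmdline"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"PID {alert['pid']} score {alert['score']}: {alert['jnlp']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run against the constructed events, the sandbox launch (PID 6792) crosses the threshold because the descriptor was opened from the user's Desktop, the Outlook-delivered copy scores higher, and the URL-based intranet launch stays below threshold; the javaws.exe child is deliberately not alerted on a second time.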

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: invoice.jnlp
Rule: JoeSecurity_JAVADownloaderGeneric
Description: Yara detected JAVA Downloader Generic
Author: Joe Security
Strings: none shown

    Sigma Overview

    No Sigma rule has matched

    Signature Overview


    Compliance:

    Uses new MSVCR Dlls
    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\MSVCR100.dll

    Spreading:

    Yara detected JAVA Downloader Generic
    Source: Yara match | File source: invoice.jnlp, type: SAMPLE

    Other behavior observations:

    Source: invoice.jnlp | String found in binary or memory: http://invoicesecure.net/documents
    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe | Section loaded: sfc.dll
    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe | Section loaded: sfc.dll
    Source: classification engine | Classification label: mal48.spre.winJNLP@3/0@0/0
    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe' -securejws 'C:\Users\user\Desktop\invoice.jnlp'
    Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe' 'C:\Users\user\Desktop\invoice.jnlp'
    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe' 'C:\Users\user\Desktop\invoice.jnlp'
    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe | Process information queried: ProcessInformation
    Source: jp2launcher.exe, 00000002.00000002.591775696.0000000000FB0000.00000002.00000001.sdmp, javaws.exe, 00000003.00000002.591872141.00000000012A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: jp2launcher.exe, 00000002.00000002.591775696.0000000000FB0000.00000002.00000001.sdmp, javaws.exe, 00000003.00000002.591872141.00000000012A0000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: jp2launcher.exe, 00000002.00000002.591775696.0000000000FB0000.00000002.00000001.sdmp, javaws.exe, 00000003.00000002.591872141.00000000012A0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
    Source: jp2launcher.exe, 00000002.00000002.591775696.0000000000FB0000.00000002.00000001.sdmp, javaws.exe, 00000003.00000002.591872141.00000000012A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Techniques matched by the signatures above, with the superscript count as printed in the report; all other cells of the report's matrix are unmatched template entries.

    Tactic               | Technique                    | Count
    Persistence          | DLL Side-Loading             | 1
    Privilege Escalation | Process Injection            | 12
    Privilege Escalation | DLL Side-Loading             | 1
    Defense Evasion      | Process Injection            | 12
    Defense Evasion      | DLL Side-Loading             | 1
    Discovery            | Process Discovery            | 2
    Discovery            | System Information Discovery | 1

    Behavior Graph

    Behavior Graph ID: 361228
    Sample: invoice.jnlp
    Start date: 02/03/2021
    Architecture: WINDOWS
    Score: 48
    Signature node on the sample: Yara detected JAVA Downloader Generic
    Process chain: jp2launcher.exe (started) -> javaws.exe (started)


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source: invoice.jnlp | Detection: 0% | Scanner: Virustotal
    Source: invoice.jnlp | Detection: 0% | Scanner: ReversingLabs

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source: http://invoicesecure.net/documents | Detection: 0% | Scanner: Virustotal
    Source: http://invoicesecure.net/documents | Scanner: Avira URL Cloud | Label: safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    Name: http://invoicesecure.net/documents
    Source: invoice.jnlp
    Malicious: false
    Antivirus detection: 0% (Virustotal); Avira URL Cloud: safe
    Reputation: unknown

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:31.0.0 Emerald
    Analysis ID:361228
    Start date:02.03.2021
    Start time:18:59:50
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 4m 27s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:invoice.jnlp
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed:22
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal48.spre.winJNLP@3/0@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .jnlp
    Warnings:
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:XML 1.0 document, ASCII text
    Entropy (8bit):4.73324739062579
    TrID:
    • Java Web Start application descriptor (38001/1) 88.36%
    • Generic XML (ASCII) (5005/1) 11.64%
    File name:invoice.jnlp
    File size:593
    MD5:67e9e29dde633fc31d03a9075c53788d
    SHA1:e3249b46e76b3d94b46d45a38e175ef80b7d0526
    SHA256:91c8702137880cebf55f89e1d0b07df0c7c05b277850879384fa1dfe7470006c
    SHA512:8ef5481b2a928e1ebd8dd5f29f8be4bc853a074e8da889ce5ea31b21e82cb9b9607cf1db7ebd5e04a22f12e9a01ea73108568741dbb0b89fff5287fb515c4dcd
    SSDEEP:12:TMHdIFsPdWuwxxukTAodSh8K/umd+i2oB:2dcnnTAzh/umIi2oB
    File Content Preview (truncated in the report):
    <?xml version="1.0" encoding="utf-8"?>
    <jnlp spec="1.0+" codebase="http://invoicesecure.net/documents" href="invoice.jnlp">
      <information>
        <title>Secure Document Reader</title>
        <vendor>Adobe</vendor>
        <homepage href="wwww.adobe.com"
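The preview shows why the Yara rule calls this file a downloader: the descriptor carries no code of its own, it only tells Java Web Start where to fetch it from (the codebase, over plain http, on invoicesecure.net), while the information block claims to be an Adobe "Secure Document Reader" with a malformed homepage (wwww.adobe.com). The parser and triage check below is an added example written for this page; it is not code from the report or from Joe Sandbox. Its sample descriptor reproduces the preview verbatim up to the truncated <homepage> element; the closing of that element and everything after it (security block, resources, application-desc) are constructed, because the report does not show the rest of the file, and the benign second sample is likewise invented.

```python
"""Triage a Java Web Start (JNLP) descriptor without launching it.

Added example; not code from the report or from Joe Sandbox.
SAMPLE_JNLP matches the report's preview up to <homepage>; the rest is constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

SAMPLE_JNLP = """<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://invoicesecure.net/documents" href="invoice.jnlp">
  <information>
    <title>Secure Document Reader</title>
    <vendor>Adobe</vendor>
    <homepage href="wwww.adobe.com"/>
  </information>
  <!-- constructed tail: assumptions, not shown in the report -->
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.8+"/>
    <jar href="reader.jar" main="true"/>
  </resources>
  <application-desc main-class="reader.Main"/>
</jnlp>
"""

BENIGN_JNLP = """<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="https://apps.example.corp/tools" href="tool.jnlp">
  <information>
    <title>Example Tool</title>
    <vendor>Example Corp</vendor>
    <homepage href="https://www.example.corp"/>
  </information>
  <resources>
    <j2se version="1.8+"/>
    <jar href="tool.jar" main="true"/>
  </resources>
  <application-desc main-class="corp.example.Tool"/>
</jnlp>
"""  # constructed benign descriptor for contrast


def parse_jnlp(text):
    """Extract the fields that matter for triage from a JNLP descriptor."""
    root = ET.fromstring(text.encode("utf-8"))
    if root.tag != "jnlp":
        raise ValueError(f"not a JNLP descriptor (root element is <{root.tag}>)")
    info = root.find("information")
    homepage = info.find("homepage") if info is not None else None
    codebase = root.get("codebase", "")
    base = codebase if codebase.endswith("/") else codebase + "/"
    desc = root.find("application-desc")
    return {
        "spec": root.get("spec"),
        "codebase": codebase,
        "href": root.get("href"),
        "title": info.findtext("title", "").strip() if info is not None else "",
        "vendor": info.findtext("vendor", "").strip() if info is not None else "",
        "homepage": homepage.get("href") if homepage is not None else None,
        # relative jar hrefs resolve against the codebase: this is what gets downloaded and run
        "jar_urls": [urljoin(base, j.get("href", "")) for j in root.iter("jar")],
        "main_class": desc.get("main-class") if desc is not None else None,
        "all_permissions": root.find("security/all-permissions") is not None,
    }


def triage(text):
    """Return (parsed fields, list of finding codes) for a descriptor."""
    d = parse_jnlp(text)
    findings = []
    cb = urlparse(d["codebase"])
    if cb.scheme != "https":
        findings.append("http-codebase")          # code fetched over a tamperable channel
    if d["homepage"] and not urlparse(d["homepage"]).scheme:
        findings.append("bad-homepage")           # e.g. "wwww.adobe.com" is not a URL
    vendor_tokens = re.findall(r"[a-z]{3,}", d["vendor"].lower())
    host = cb.hostname or ""
    if vendor_tokens and not any(t in host for t in vendor_tokens):
        findings.append("vendor-host-mismatch")   # claims Adobe, code comes from elsewhere
    if d["all_permissions"]:
        findings.append("all-permissions")        # asks to escape the JWS sandbox entirely
    if any(urlparse(u).hostname != cb.hostname for u in d["jar_urls"]):
        findings.append("jar-off-codebase")       # payload hosted on a third host
    return d, findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_JNLP), ("benign", BENIGN_JNLP)):
        fields, findings = triage(text)
        print(label, fields["codebase"], fields["jar_urls"], findings or "clean")
```

On the constructed sample the four findings line up with what the report shows (plain-http codebase, malformed homepage, Adobe branding on an unrelated domain) plus the assumed all-permissions request; the benign descriptor produces none. Because the report records no network behavior, the jar URLs the parser resolves are the next artefacts to pivot on in proxy or DNS logs.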

    File Icon

    Icon Hash:00828e8e8686b000

    Network Behavior

    No network behavior found


    System Behavior

    General

    Start time:19:00:38
    Start date:02/03/2021
    Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe
    Wow64 process (32bit):true
    Commandline:'C:\Program Files (x86)\Java\jre1.8.0_211\bin\jp2launcher.exe' -securejws 'C:\Users\user\Desktop\invoice.jnlp'
    Imagebase:0x50000
    File size:92536 bytes
    MD5 hash:BA7B1294CAB259452105704FA6C6863E
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low

    General

    Start time:19:00:39
    Start date:02/03/2021
    Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe
    Wow64 process (32bit):true
    Commandline:'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaws.exe' 'C:\Users\user\Desktop\invoice.jnlp'
    Imagebase:0xc10000
    File size:300408 bytes
    MD5 hash:F64595565AB90F21992D5964BE538A1B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
