Windows Analysis Report 1.2.javaw.exe.22e0000.2.unpack
Overview
General Information
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample |
Source: | Avira: | TR/Crypt.XPACK.Gen |
Machine Learning detection for sample |
Source: | Joe Sandbox ML: | 100% |
Source: | Static PE information: |
Source: | Binary string: | (6 entries, strings not shown) |
Source: | String found in binary or memory: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Process created: |
Source: | Code function: | 3_2_022E19B0 | |
Source: | Code function: | 3_2_022E8D70 | |
Source: | Code function: | 3_2_022E37F0 | |
Source: | Code function: | 3_2_022E50C0 |
Source: | Static PE information: |
Source: | File created: |
Source: | Key opened: |
Source: | Classification label: |
Source: | Process created: | ||
Source: | Process created: |
Source: | Mutant created: |
Source: | File read: | (2 entries, paths not shown) |
Source: | Binary string: | (6 entries, strings not shown) |
Source: | Static PE information: | (6 entries, details not shown) |
Boot Survival: |
---|
Creates autostart registry keys to launch java |
Source: | Registry value created or modified: | (3 entries, key paths and values not shown) |
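The signature above fired on three registry value writes, but the key paths and values did not survive extraction, so the page does not say which Run value was set or what it points at. The only other process in the run is WerFault.exe, started two seconds after the sample, and all six dropped files belong to it, so these writes are among the few sample actions this run captured. As an added example that is not part of the Joe Sandbox report, the Python below applies the same idea as the signature to Sysmon Event ID 13 (RegistryEvent, value set) records rendered as text: it matches Run and RunOnce values under HKLM and the current user (Sysmon writes HKCU as HKU\<SID>), requires the value data to launch java.exe, javaw.exe, javaws.exe or a .jar, and raises severity when the payload lives in a user-writable directory. The sample events are constructed; the writer path is the sample's path from the System Behavior section and the Java 8 Update 211 install path matches the analysis machine, while the SID, value names and jar paths are invented for illustration.

```python
"""Flag autostart registry values that launch Java, from Sysmon Event ID 13 records."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Autostart locations checked: Run and RunOnce under HKLM or the current user
# (Sysmon writes HKCU as HKU\<SID>); Wow6432Node covers 32-bit writers on x64.
AUTOSTART_RE = re.compile(
    r"^(?:HKLM|HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\(?:Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# A Java launch: java.exe, javaw.exe, javaws.exe, or a .jar handed to the file association.
JAVA_RE = re.compile(r"(javaw?s?\.exe|\.jar)\b", re.IGNORECASE)
# Payload locations a legitimate installer does not use for autostart entries.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)


@dataclass
class Finding:
    process: str      # Image that wrote the value
    key: str          # Run or RunOnce
    value_name: str
    command: str      # Details: what will be launched at logon
    severity: str


def parse_event(text: str) -> Dict[str, str]:
    """Parse the 'Field: value' lines of a Sysmon event rendered as text."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def find_java_autostart(events: List[str]) -> List[Finding]:
    """Return one Finding per Run/RunOnce value whose data launches Java."""
    findings = []
    for text in events:
        ev = parse_event(text)
        if ev.get("EventType") != "SetValue":
            continue
        m = AUTOSTART_RE.match(ev.get("TargetObject", ""))
        command = ev.get("Details", "")
        if not m or not JAVA_RE.search(command):
            continue
        severity = "high" if USER_WRITABLE_RE.search(command) else "medium"
        findings.append(Finding(ev.get("Image", "?"), m.group("key"), m.group("value"), command, severity))
    return findings


# Constructed sample events (not from the report). The writer path is the sample's path from
# the System Behavior section; the SID, value names and jar paths are invented.
EVENTS = [
    r"""Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2021-12-10 12:10:31.004
ProcessId: 4812
Image: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe
TargetObject: HKU\S-1-5-21-1111111111-222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdater
Details: "C:\Program Files\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Oracle\svc.jar"
""",
    r"""Registry value set:
EventType: SetValue
UtcTime: 2021-12-10 09:02:11.510
Image: C:\Windows\SysWOW64\msiexec.exe
TargetObject: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched
Details: "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
""",
    r"""Registry value set:
EventType: SetValue
UtcTime: 2021-12-10 12:10:31.210
Image: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe
TargetObject: HKU\S-1-5-21-1111111111-222222222-3333333333-1001\Software\JavaSoft\Prefs\client
Details: javaw.exe -jar C:\Users\user\AppData\Roaming\Oracle\svc.jar
""",
    r"""Registry value set:
EventType: SetValue
UtcTime: 2021-12-10 12:10:31.300
Image: C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe
TargetObject: HKU\S-1-5-21-1111111111-222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\update
Details: C:\Users\user\AppData\Local\Temp\update.jar
""",
]

if __name__ == "__main__":
    for f in find_java_autostart(EVENTS):
        print(f"[{f.severity}] {f.key}\\{f.value_name} <- {f.process}: {f.command}")
```

The second sample event is the legitimate Java Update Scheduler entry (jusched.exe under Program Files): it sits in a Run key and its path contains "Java", yet it is not flagged because the value data does not launch a Java runtime or a .jar. The third is a javaw.exe command written outside any autostart key and is ignored for that reason. On a live host the equivalent check is reading the Run and RunOnce keys directly, for example with Get-ItemProperty in PowerShell, and applying the same two tests to each value.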
Source: | Process information set: | (20 entries, details not shown) |
Source: | Binary or memory string: | (17 entries, strings not shown) |
Source: | Code function: | 3_2_022E3E40 |
Source: | Process queried: |
Source: | Binary or memory string: | (3 entries, strings not shown) |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Registry Run Keys / Startup Folder (1) | Process Injection (1) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | Security Software Discovery (21) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder (1) | Software Packing (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (1) | Security Account Manager | System Information Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Numbers in parentheses are the superscript signature annotations attached to the matched techniques in the report; techniques without a number are unmatched matrix entries.
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
1.2.javaw.exe.22e0000.2.exe | 100% | Avira | TR/Crypt.XPACK.Gen | |
1.2.javaw.exe.22e0000.2.exe | 100% | Joe Sandbox ML | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen | | |
100% | Avira | TR/Crypt.XPACK.Gen | | |
100% | Avira | TR/Crypt.XPACK.Gen | | |
100% | Avira | TR/Crypt.XPACK.Gen | | |
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
Contacted IPs |
---|
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 537742 |
Start date: | 10.12.2021 |
Start time: | 12:09:32 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 0s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | 1.2.javaw.exe.22e0000.2.unpack (renamed file extension from unpack to exe) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 25 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal56.winEXE@2/6@0/1 |
EGA Information: | Failed |
HDC Information: |
HCA Information: |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
12:10:35 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.6389289889630374 |
Encrypted: | false |
SSDEEP: | 192:vzrgLpcmqHBUZMXW1xjE/u7s+S274ItJ6Hq:vyoBUZMXIjE/u7s+X4ItEq |
MD5: | 54310057441A752B51A6EEBDEC727CD3 |
SHA1: | F6D401D63835A6238B8DA1B76D3B722BD248B5F2 |
SHA-256: | 0DC9D41649580D49E61EB61E6F6AC57F7E1CBE3E9055C4416F2FA0613FF5A93C |
SHA-512: | 791424CE22E848066D28EDF92998E3A75D853DC5E485BF256A78202574D7BAED17CACF6C6B68045463788EFA6EBAE0E6F1EDD11BA37CCCD61AF94889942DAEBD |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 18362 |
Entropy (8bit): | 2.347328936366088 |
Encrypted: | false |
SSDEEP: | 192:6iJ0tDhftbO4tnsTqLaYf2snXpZTC/IY:G6h0PHGv |
MD5: | ECDD07BB2E662BF9271BE42A216F1A85 |
SHA1: | C2CA81ADF4E89DD234BAC7CEFB253A4E0704A983 |
SHA-256: | 93DE7584D41A63CEA55F9BCB5571C904D30EA287F5750BEDAC265F8120D087B8 |
SHA-512: | 43E652ADB338F517319F9C4F58BA5825EA7B3E659786ADB433B6BCAE8FF7178B0102393571A8A7372A93E41DE025B10C1F1C091E6A182555D554E17E6879E6B8 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8356 |
Entropy (8bit): | 3.6991685189209553 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNijkq60xCe6YF/SU4RgmfgKbShCprg89bD4fsfqBm:RrlsNiN626YdSU4RgmfhSUD4Ef1 |
MD5: | 2EE68E172F90C667180318D9CA2C711F |
SHA1: | 13D151A5BCAD54552A684C73F3ED15342F0D6B9D |
SHA-256: | 0964010B7ED62433C1FA3B61029FE5C1F3DF0BF8D2C274C4183A2769E40302F3 |
SHA-512: | 46246AF2958126F06CF0B543F5E3F095EEA8DE4F8646C4CAC51391B0EDBBCB183BCFD0830B998167188D39B72B1922F1672CD9BF02F7667B0A41811F8A0D46C8 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4654 |
Entropy (8bit): | 4.470639701411706 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsLNJgtWI9kiWSC8BO8fm8M4Jij2mFfD4+q8mWczK9osyd:uITfLn/jSNxJaEw9osyd |
MD5: | E394B1F4E2F42BA574E7B6B595F71057 |
SHA1: | 13AFF3D7C6C76446E94F37D26C1895959961A82A |
SHA-256: | B1F68B71C540E7961BF7CF54EE7D2363F0436C65760372601F7C2A141975E331 |
SHA-512: | 91BE6E351588AEF68D538EEE18BBB42166B9F808B69B9BEAE90F05D24E47EA450C4972BDF002B773CBADDF29BAFAFAC05F3A88922F0ADFAE12DF57B7E29E8993 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.273786215064449 |
Encrypted: | false |
SSDEEP: | 12288:q9MQvxHzCWnzTQvgNfhbaNb+/s9/8Zl4ZIamVGibTzuBskuDQdEVS:4MQvxHzCWnzTQvZO |
MD5: | 602AA249D83967922316C18750C6EAC4 |
SHA1: | 56CD1D74EF0CC49C4697D53843EC6A2A6CC2D426 |
SHA-256: | B072FE5E511EBBF42E5D6A09B826AF898FECF072855417850CE1C0063C951AD5 |
SHA-512: | 4C3B8072176B45D65B9E2CE15DA04406B2A60C3F9B952F2F39D7EA9A24B9C976F2FF1231860380305CCA3C72027ED6F2D32654A3D26909DC723E586D5D2A5CE4 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 24576 |
Entropy (8bit): | 4.0007119410758385 |
Encrypted: | false |
SSDEEP: | 384:dTyg5Rftx1QPJ4X/ZFFnQ7kDPBqXVSeq5QMVyiy+/Cl4Lk4JZd1DoXznGa8deK:VyWRftx1mJ4XhFFQ7wBqX0eq5QMVyiy/ |
MD5: | 5A748B8B32E99DC16D4DDD27D4F837EA |
SHA1: | 82D7A09EBF405A3D344CDDA5A6BD3728D7EF3A65 |
SHA-256: | FE17718EF6ED2869E26B6E054377BFEFCCA714F95D32C7B58534F98E27A295E7 |
SHA-512: | 769CDD1FC65B2F816A2D820DE0411D16950510A691B4D9A38DC486A7CF7E7E1C5C0BBC0F253FC9189BEDF405DABCA44E705D5270B48C965A120209958F6CFDFD |
Malicious: | false |
Reputation: | low |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 5.916588118656297 |
TrID: |
File name: | 1.2.javaw.exe.22e0000.2.exe |
File size: | 58880 |
MD5: | c47bfe4e43d258b87c6cece9de90c89f |
SHA1: | eb2c417a29d2f08e37d63f3b75cdc61b42855e91 |
SHA256: | f4d742d82698f532e0215832cb484619a4e84547d8a1ca8dc8f2e9f791a6f27d |
SHA512: | e5fe932fc3245c68f846450db94459d69f992009667e2d9cc6e0ac520723ba9da558698948d596d18512afdfa554ce61dddafa1d0941cc7f3ab94b066885f57b |
SSDEEP: | 768:kg9fMhjuf6B6vgjloxr9EIz2y9Vn/uS4POG1GY5GMxzdAjNxc:klhiCB6gjyBEs3h4WG1lUMld4Nxc |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;.z.h.z.h.z.h...i.z.h...i.z.h...h.z.h.z.h.z.h=..i.z.h=..h.z.h=..i.z.hRich.z.h........................PE..L.....ga........... |
File Icon |
---|
Icon Hash: | 00828e8e8686b000 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x22e4a40 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x22e0000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE |
DLL Characteristics: | GUARD_CF, NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE |
Time Stamp: | 0x616701A9 [Wed Oct 13 15:56:25 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: |
Entrypoint Preview |
---|
Instruction |
---|
push 40000001h |
push dword ptr [ebp-0Ch] |
lea eax, dword ptr [ebp-00000210h] |
push eax |
call dword ptr [0040A074h] |
test eax, eax |
jne 00007F9DBCAA23E1h |
push esi |
push eax |
call dword ptr [0040A184h] |
push eax |
call dword ptr [0040A188h] |
push 00000000h |
push 00000080h |
push 00000004h |
push 00000000h |
push 00000000h |
push C0000000h |
push 0040C028h |
call dword ptr [0040A1A0h] |
mov dword ptr [ebp-1Ch], eax |
test eax, eax |
je 00007F9DBCAA2446h |
push 00000000h |
lea ecx, dword ptr [ebp-000000C0h] |
push ecx |
push dword ptr [ebp-000000B8h] |
push dword ptr [ebp-000000BCh] |
push eax |
call dword ptr [0040A140h] |
push 0040A7C8h |
push 0040A81Ch |
push esi |
push 0040A830h |
push 0040A7C8h |
lea eax, dword ptr [ebp-00000310h] |
push 0040A844h |
push eax |
call dword ptr [0040A1D8h] |
add esp, 1Ch |
lea eax, dword ptr [ebp-00000310h] |
push eax |
call dword ptr [0040A09Ch] |
push 00000000h |
lea ecx, dword ptr [ebp-000000C0h] |
push ecx |
push eax |
lea eax, dword ptr [ebp-00000310h] |
push eax |
push dword ptr [ebp-1Ch] |
call dword ptr [0040A140h] |
mov eax, dword ptr [ebp-1Ch] |
push eax |
call dword ptr [0040A0D0h] |
Rich Headers |
---|
Programming Language: |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xa0 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10000 | 0x1e0 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11000 | 0x5d0 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xaba0 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xa000 | 0x1e0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
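Every `call dword ptr [0040Axxxh]` in the Entrypoint Preview goes through an absolute address between 0x0040A000 and 0x0040A1E0, which is exactly the IAT data directory above (RVA 0xa000, size 0x1e0, in .rdata) once the image base is taken as 0x400000. The dumped header instead records 0x22e0000, the address the region was dumped from inside javaw.exe according to the file name 1.2.javaw.exe.22e0000.2.unpack, so the code's absolute operands were not rebased and differ from the 022Exxxx function addresses later in the report by 0x1EE0000. As an added example that is not part of the Joe Sandbox report, the Python below parses that listing, checks each indirect call target against the IAT range, estimates the argument count from the pushes since the previous call, detects caller stack cleanup (`add esp, N` right after the call, i.e. a cdecl callee), and rebases each target into the dump. The 0x400000 linked base is an assumption drawn from the operands; import names cannot be recovered because the page has no import table (Import Hash is empty), so the script reports IAT slot indices only.

```python
"""Check the indirect calls in a disassembly listing against the PE's IAT directory."""
import re
from dataclasses import dataclass
from typing import List, Optional

# From the report: IAT data directory (RVA 0xa000, size 0x1e0, in .rdata) and the
# image base recorded in the dumped header.
IAT_RVA, IAT_SIZE = 0xA000, 0x1E0
DUMP_IMAGE_BASE = 0x22E0000
# Assumption: the absolute operands 0040Axxxh were linked for a 0x400000 base.
LINKED_IMAGE_BASE = 0x400000

CALL_RE = re.compile(r"call dword ptr \[([0-9A-Fa-f]+)h\]")
ADD_ESP_RE = re.compile(r"^add esp, ([0-9A-Fa-f]+)h$")


@dataclass
class ImportCall:
    target_va: int                 # absolute address of the IAT slot being called through
    iat_slot: Optional[int]        # index into the IAT, None if the target lies outside it
    pushes_before: int             # pushes since the previous call: stdcall argument estimate
    caller_cleanup: Optional[int]  # bytes popped by an `add esp` right after the call (cdecl)


def rva_of(va: int, image_base: int = LINKED_IMAGE_BASE) -> int:
    return va - image_base


def iat_slot(va: int) -> Optional[int]:
    """Slot index if `va` points at a 4-byte entry inside the IAT, else None."""
    rva = rva_of(va)
    if IAT_RVA <= rva < IAT_RVA + IAT_SIZE and rva % 4 == 0:
        return (rva - IAT_RVA) // 4
    return None


def rebase_to_dump(va: int) -> int:
    """Where a linked-base address sits in the 0x22e0000 dump (the report's 022Exxxx addresses)."""
    return DUMP_IMAGE_BASE + rva_of(va)


def analyse_listing(listing: str) -> List[ImportCall]:
    """Walk the instructions (separated by newlines or ';') and describe every indirect call."""
    insns = [s.strip() for s in re.split(r"[;\n]", listing) if s.strip()]
    calls, pushes = [], 0
    for i, insn in enumerate(insns):
        if insn.startswith("push "):
            pushes += 1
            continue
        m = CALL_RE.search(insn)
        if not m:
            continue
        va = int(m.group(1), 16)
        cleanup = None
        if i + 1 < len(insns):
            a = ADD_ESP_RE.match(insns[i + 1])
            if a:
                cleanup = int(a.group(1), 16)
        calls.append(ImportCall(va, iat_slot(va), pushes, cleanup))
        pushes = 0
    return calls


# The Entrypoint Preview listing from this report, instructions separated by ';'.
ENTRYPOINT_PREVIEW = """
push 40000001h; push dword ptr [ebp-0Ch]; lea eax, dword ptr [ebp-00000210h]; push eax
call dword ptr [0040A074h]; test eax, eax; jne 00007F9DBCAA23E1h
push esi; push eax; call dword ptr [0040A184h]; push eax; call dword ptr [0040A188h]
push 00000000h; push 00000080h; push 00000004h; push 00000000h; push 00000000h
push C0000000h; push 0040C028h; call dword ptr [0040A1A0h]
mov dword ptr [ebp-1Ch], eax; test eax, eax; je 00007F9DBCAA2446h
push 00000000h; lea ecx, dword ptr [ebp-000000C0h]; push ecx
push dword ptr [ebp-000000B8h]; push dword ptr [ebp-000000BCh]; push eax; call dword ptr [0040A140h]
push 0040A7C8h; push 0040A81Ch; push esi; push 0040A830h; push 0040A7C8h
lea eax, dword ptr [ebp-00000310h]; push 0040A844h; push eax; call dword ptr [0040A1D8h]; add esp, 1Ch
lea eax, dword ptr [ebp-00000310h]; push eax; call dword ptr [0040A09Ch]
push 00000000h; lea ecx, dword ptr [ebp-000000C0h]; push ecx; push eax
lea eax, dword ptr [ebp-00000310h]; push eax; push dword ptr [ebp-1Ch]; call dword ptr [0040A140h]
mov eax, dword ptr [ebp-1Ch]; push eax; call dword ptr [0040A0D0h]
"""

if __name__ == "__main__":
    for c in analyse_listing(ENTRYPOINT_PREVIEW):
        conv = f"cdecl, {c.caller_cleanup // 4} args" if c.caller_cleanup else f"~{c.pushes_before} args"
        print(f"call [{c.target_va:08X}] -> IAT slot {c.iat_slot} ({conv}); in dump at {rebase_to_dump(c.target_va):08X}")
```

All nine calls land inside the IAT. The fourth takes seven stdcall arguments ending in 0xC0000000 and a pointer into .data (0040C028h), the sixth is the only cdecl call (seven arguments, `add esp, 1Ch`), and the pointers 0040A7C8h through 0040A844h pushed before it fall in .rdata. Those shapes narrow the candidate APIs but do not name them; confirm against the import table of the full sample rather than guessing from this page.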
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x8f5f | 0x9000 | False | 0.487820095486 | data | 6.55103014538 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0xa000 | 0x1740 | 0x1800 | False | 0.583821614583 | data | 5.73452393233 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xc000 | 0x9ec | 0x200 | False | 1.021484375 | data | 7.55445028361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.teslaX | 0xd000 | 0x2e70 | 0x3000 | False | 0.223551432292 | data | 2.49418691917 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ |
.rsrc | 0x10000 | 0x1e0 | 0x200 | False | 0.291015625 | data | 1.76481887066 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x11000 | 0x5d0 | 0x600 | False | 0.303385416667 | data | 3.43918740047 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
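Two rows of this table deserve a second look. `.teslaX` is a non-standard section marked executable, writable and shared without the code flag, the layout of a region that is filled in and then run at run time. `.data` declares 0x9ec bytes of virtual size backed by only 0x200 raw bytes, and those 512 bytes have entropy 7.55 and a ZLIB complexity above 1.0, meaning they do not compress, which is what random or encrypted data looks like; with a sample that small the entropy estimate is noisy, so treat it as a hint rather than a verdict. As an added example that is not part of the Joe Sandbox report, the Python below parses raw IMAGE_SECTION_HEADER records with the characteristic bits from winnt.h and applies exactly those checks, so the same heuristics can be run on any PE rather than read off a report. The input is rebuilt from the six rows of this table; PointerToRawData and the relocation and line-number fields are not on the page and are zeroed, and entropy is not recomputed because the section bytes themselves are not on the page.

```python
"""Parse IMAGE_SECTION_HEADER records and flag sections worth a closer look."""
import struct
from dataclasses import dataclass
from typing import Dict, List

# Section characteristic bits from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_SHARED = 0x10000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER, 40 bytes: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".bss", ".tls", ".CRT"}


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    characteristics: int


def parse_section_headers(blob: bytes, count: int) -> List[Section]:
    """Parse `count` consecutive section headers starting at blob[0]."""
    out = []
    for i in range(count):
        f = SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        out.append(Section(name, f[1], f[2], f[3], f[9]))
    return out


def build_section_header(name: str, vsize: int, vaddr: int, rawsize: int, chars: int) -> bytes:
    """Build one header record; used here only to construct the input from the report's table."""
    return SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                               vsize, vaddr, rawsize, 0, 0, 0, 0, 0, chars)


def section_flags(sec: Section) -> List[str]:
    """Heuristics: each returned string is one reason to look at the section."""
    flags = []
    c = sec.characteristics
    if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
        flags.append("RWX")                         # self-modifying or unpacked-at-runtime code
    if c & IMAGE_SCN_MEM_EXECUTE and not c & IMAGE_SCN_CNT_CODE:
        flags.append("executable-but-not-code")     # linker did not emit this as code
    if c & IMAGE_SCN_MEM_SHARED and c & IMAGE_SCN_MEM_WRITE:
        flags.append("writable-shared")             # writable memory shared across processes
    if sec.name not in STANDARD_NAMES:
        flags.append("nonstandard-name")
    if sec.raw_size and sec.virtual_size > 2 * sec.raw_size:
        flags.append("virtual-size-exceeds-raw")    # mostly filled at run time
    return flags


def triage(blob: bytes, count: int) -> Dict[str, List[str]]:
    return {s.name: section_flags(s) for s in parse_section_headers(blob, count)}


# Constructed input: the six rows of this report's Sections table. Fields the page does
# not show (PointerToRawData, relocation and line-number counts) are zero.
R, W, X, SH = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_SHARED
CODE, IDATA, DISC = IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE
REPORT_SECTIONS = b"".join([
    build_section_header(".text",   0x8f5f, 0x1000,  0x9000, X | CODE | R),
    build_section_header(".rdata",  0x1740, 0xa000,  0x1800, IDATA | R),
    build_section_header(".data",   0x9ec,  0xc000,  0x200,  IDATA | W | R),
    build_section_header(".teslaX", 0x2e70, 0xd000,  0x3000, X | IDATA | W | SH | R),
    build_section_header(".rsrc",   0x1e0,  0x10000, 0x200,  IDATA | R),
    build_section_header(".reloc",  0x5d0,  0x11000, 0x600,  IDATA | DISC | R),
])

if __name__ == "__main__":
    for name, flags in triage(REPORT_SECTIONS, 6).items():
        print(f"{name:8} {', '.join(flags) or 'ok'}")
```

Against a real file, point `parse_section_headers` at the offset `e_lfanew + 4 + 20 + SizeOfOptionalHeader` with `count` taken from the file header's NumberOfSections; the heuristics are independent of how the records were obtained.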
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 12:10:27 |
Start date: | 10/12/2021 |
Path: | C:\Users\user\Desktop\1.2.javaw.exe.22e0000.2.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x22e0000 |
File size: | 58880 bytes |
MD5 hash: | C47BFE4E43D258B87C6CECE9DE90C89F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
General |
---|
Start time: | 12:10:29 |
Start date: | 10/12/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x8f0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Non-executed Functions |
---|
Function | Relevance | Strings | Instructions | Tags | C-Code quality |
---|---|---|---|---|---|
022E3E40 | 15.6 | 12 | 635 | COMMON | |
022E19B0 | 3.0 | 2 | 475 | COMMON | |
(address not shown) | | | | | 73% |
022E8D70 | 0.3 | | 285 | COMMON, Crypto | 36% |
022E2070 | 62.6 | 50 | 113 | COMMON | |
Uniqueness Score: -1.00% for every listed function. |