Windows Analysis Report
CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar

Overview

General Information

Sample Name: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
Analysis ID: 679298
MD5: 8535942f58ba61ce5ce0755d7570f22f
SHA1: fb6c95fa16c2e91f22ac4e8d73233962e645c6bd
SHA256: 308dcf6540932d062dd10a24fefd25d6660afe60dea76c9fa5612ae0f4cb4cda
Tags: jar

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sample execution stops while process was sleeping (likely an evasion)
Uses cacls to modify the permissions of files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)

Classification

AV Detection

Source: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar Virustotal: Detection: 11%
Source: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar ReversingLabs: Detection: 12%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: java.exe, 00000002.00000002.256561427.0000000009DC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.256626377.0000000009DD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal48.winJAR@7/2@0/0
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar"
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3896:120:WilError_01
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_026CB377 push 00000000h; mov dword ptr [esp], esp 2_2_026CB39D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_026CA1CA push ecx; ret 2_2_026CA1DA
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_026CA1DB push ecx; ret 2_2_026CA1E5
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_026CC437 push 00000000h; mov dword ptr [esp], esp 2_2_026CC45D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_026CBB27 push 00000000h; mov dword ptr [esp], esp 2_2_026CBB4D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_026CB907 push 00000000h; mov dword ptr [esp], esp 2_2_026CB92D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_026D2D44 push eax; retf 2_2_026D2D45
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02770F0D push ecx; retn 0022h 2_2_02770FC2
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02769391 push cs; retf 2_2_027693B1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02770C53 push es; iretd 2_2_02770C5A
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_027710A0 sldt word ptr [eax] 2_2_027710A0
Source: java.exe, 00000002.00000003.243834912.0000000014CC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000003.243834912.0000000014CC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.253764910.00000000025C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000002.00000002.253764910.00000000025C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: |[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000003.243834912.0000000014CC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000003.243834912.0000000014CC1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_026C4864 LdrInitializeThunk, 2_2_026C4864
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Memory protected: page read and write | page guard
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_026C0380 cpuid 2_2_026C0380
No contacted IP infos