Windows Analysis Report
0003401377294.PDF.jar

Overview

General Information

Sample Name:0003401377294.PDF.jar
Analysis ID:837013
MD5:fba62bb8978ca8b1fdd7e081ef5ee1e4
SHA1:52325df55e091d583747fb4277cfe462f4d5d226
SHA256:615f2995b12eda38cfe08c9614bf90468ade52d9914006b637577bdeaf8d7836
Tags:jar

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Connects to many ports of the same IP (likely port scanning)
Uses cmd line tools excessively to alter registry or file data
Creates autostart registry keys to launch java
Exploit detected, runtime environment starts unknown processes
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Detected potential crypto function
Uses reg.exe to modify the Windows registry
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers

Classification

Process Tree

  • System is w10x64
  • 7za.exe (PID: 6404 cmdline: 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\0003401377294.PDF.jar" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
    • conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • java.exe (PID: 6496 cmdline: java.exe -jar "C:\Users\user\Desktop\0003401377294.PDF.jar" IlIIlLllI.lllIlIlIlll.IIlllllIlIIl.lIlIlIIllI.IllIlIlIllIlIlIl MD5: 28733BA8C383E865338638DF5196E6FE)
    • conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • icacls.exe (PID: 6580 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
      • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • attrib.exe (PID: 4664 cmdline: attrib +H C:\Users\user\AppData\Roaming\Microsoft\.tmp\1680109268319.tmp MD5: A5540E9F87D4CB083BDF8269DEC1CFF9)
      • conhost.exe (PID: 4788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1092 cmdline: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1680109268319.tmp" /f" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 1916 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1680109268319.tmp" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • javaw.exe (PID: 6548 cmdline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1680109268319.tmp MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
    • cmd.exe (PID: 6868 cmdline: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1680109268319.tmp" /f" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 3884 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1680109268319.tmp" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • javaw.exe (PID: 4444 cmdline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1680109268319.tmp MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
    • cmd.exe (PID: 6360 cmdline: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1680109268319.tmp" /f" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6572 cmdline: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1680109268319.tmp" /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
  • cleanup
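The process tree above shows the sample's full persistence chain in plain command lines: the dropped .tmp JAR is hidden with attrib +H, icacls grants Everyone modify on the JRE usage directory, and reg.exe writes an HKCU Run value that relaunches javaw.exe -jar from the user's AppData. The following triage helper is an added example (not part of the Joe Sandbox report or its tooling) that scans process-creation events for exactly those steps; the event dictionaries are a constructed simplification of Sysmon Event ID 1 / Windows 4688 fields, populated from the command lines recorded in the tree, plus one benign REG QUERY control that must not fire.

```python
"""Triage helper for process-creation events (added example, not from the report).
Flags the persistence and defence-evasion steps seen in the process tree:
Run-key persistence via reg.exe, a double-extension JAR, icacls granting
Everyone, and attrib +H on a user-writable path."""
import re

# Constructed from the command lines in the report's process tree.
# The last event is a benign control that should produce no findings.
SAMPLE_EVENTS = [
    {"pid": 6404, "image": "7za.exe",
     "cmd": r'7za.exe x -y -oC:\jar "C:\Users\user\Desktop\0003401377294.PDF.jar"'},
    {"pid": 6496, "image": "java.exe",
     "cmd": r'java.exe -jar "C:\Users\user\Desktop\0003401377294.PDF.jar" IlIIlLllI.lllIlIlIlll.IIlllllIlIIl.lIlIlIIllI.IllIlIlIllIlIlIl'},
    {"pid": 6580, "image": "icacls.exe",
     "cmd": r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M'},
    {"pid": 4664, "image": "attrib.exe",
     "cmd": r'attrib +H C:\Users\user\AppData\Roaming\Microsoft\.tmp\1680109268319.tmp'},
    {"pid": 1916, "image": "reg.exe",
     "cmd": r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1680109268319.tmp" /f'},
    {"pid": 9001, "image": "reg.exe",
     "cmd": r'REG QUERY HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductName'},
]

# reg.exe writing a Run/RunOnce value under HKCU or HKLM (short and long hive names)
RUN_KEY_RE = re.compile(
    r'REG\s+ADD\s+"?HK(?:EY_)?(?:CU|CURRENT_USER|LM|LOCAL_MACHINE)\\'
    r'Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b', re.I)
# Paths a standard user can write to; a Run value pointing here is a strong signal
USER_WRITABLE_RE = re.compile(
    r'\\(?:Users\\[^\\]+\\AppData|ProgramData|Users\\Public)\\', re.I)
JAVA_JAR_RE = re.compile(r'javaw?\.exe"?\s+-jar\s', re.I)
# Document-looking extension immediately followed by an executable one
DOUBLE_EXT_RE = re.compile(
    r'\.(?:pdf|doc|docx|xls|xlsx|txt|jpg|png)\.(?:jar|exe|scr|js|vbs)\b', re.I)
ICACLS_EVERYONE_RE = re.compile(r'icacls(?:\.exe)?\s.*?/grant\s+"?everyone"?:\(?', re.I)
ATTRIB_HIDE_RE = re.compile(r'attrib(?:\.exe)?\s+\+H\s', re.I)


def triage_event(event):
    """Return a list of (technique, detail) findings for one event; [] if clean."""
    cmd = event["cmd"]
    findings = []
    if RUN_KEY_RE.search(cmd):
        detail = "Run key added"
        if JAVA_JAR_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
            detail += " pointing javaw -jar at a user-writable path"
        findings.append(("persistence.run_key", detail))
    m = DOUBLE_EXT_RE.search(cmd)
    if m:
        findings.append(("masquerading.double_extension", m.group(0)))
    if ICACLS_EVERYONE_RE.search(cmd):
        findings.append(("permission_modification.icacls_everyone", cmd))
    if ATTRIB_HIDE_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
        findings.append(("defense_evasion.hidden_file", cmd))
    return findings


def triage(events):
    """Map pid -> findings, keeping only events that produced at least one."""
    out = {}
    for ev in events:
        found = triage_event(ev)
        if found:
            out[ev["pid"]] = found
    return out


if __name__ == "__main__":
    for pid, found in triage(SAMPLE_EVENTS).items():
        for technique, detail in found:
            print(f"{pid}\t{technique}\t{detail}")
```

Run against the constructed events, the helper flags the two JAR launches for the double extension, the icacls and attrib steps, and the reg.exe Run-key write with the user-writable javaw -jar target; the REG QUERY control produces nothing. Note that the tree records the Run value being written three times (once by java.exe and once by each respawned javaw.exe), so a real hunt should also deduplicate by value data rather than alert per process.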
No configs have been found
No yara matches
No Sigma rule has matched
Snort IDS Alerts

Timestamp                 Source IP      Src Port  Destination IP  Dst Port  Protocol  SID      Classtype
03/29/23-09:48:29.776304  79.110.62.204  45029     192.168.2.5     49698     TCP       2853042  A Network Trojan was detected
03/29/23-09:48:32.342321  192.168.2.5    49698     79.110.62.204   45029     TCP       2853044  A Network Trojan was detected
03/29/23-09:48:32.415540  192.168.2.5    49698     79.110.62.204   45029     TCP       2853043  A Network Trojan was detected
03/29/23-09:48:44.717184  79.110.62.204  45029     192.168.2.5     49699     TCP       2853042  A Network Trojan was detected
03/29/23-09:48:45.369313  192.168.2.5    49699     79.110.62.204   45029     TCP       2853043  A Network Trojan was detected
03/29/23-09:48:49.262986  79.110.62.204  45029     192.168.2.5     49700     TCP       2853042  A Network Trojan was detected
03/29/23-09:48:50.129851  192.168.2.5    49700     79.110.62.204   45029     TCP       2853043  A Network Trojan was detected