
Windows Analysis Report
javaw.exe

Overview

General Information

Sample name: javaw.exe
Analysis ID: 1411848
MD5: 7bb3605b8df408b8ff78258b8a737e19
SHA1: 10924e3d7e10e5cacfcfc6e9dfb7f355e4d034b2
SHA256: 772da0e233d56770280da72a793478fb20186480a704a8e6b0592f360b22dfc2

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Program does not show much activity (idle)
Tries to load missing DLLs

Classification

  • System is w10x64_ra
  • javaw.exe (PID: 6816 cmdline: "C:\Users\user\Desktop\javaw.exe" MD5: 7BB3605B8DF408B8FF78258B8A737E19)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched

There are no malicious signatures.

Source: javaw.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\javaw.exe | Section loaded: jli.dll
Source: C:\Users\user\Desktop\javaw.exe | Section loaded: vcruntime140.dll
Source: classification engine | Classification label: clean1.winEXE@1/0@0/0
Source: javaw.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\javaw.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policy configuration, which ordinary process start-up reads on Windows; on its own this is not an indicator)
Source: javaw.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: javaw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: javaw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: javaw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: javaw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: javaw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: javaw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: javaw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: javaw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: javaw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: javaw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: javaw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK matrix (Tactic | Technique shown | Matched signatures). Only the cells carrying a count were matched by a signature; the remaining cells show the matrix's default placeholder technique for that tactic and mean no match:
Reconnaissance | Gather Victim Identity Information | no match
Resource Development | Acquire Infrastructure | no match
Initial Access | Valid Accounts | no match
Execution | Windows Management Instrumentation | no match
Persistence | DLL Side-Loading | 1
Privilege Escalation | DLL Side-Loading | 1
Defense Evasion | DLL Side-Loading | 1
Credential Access | OS Credential Dumping | no match
Discovery | System Information Discovery | 1
Lateral Movement | Remote Services | no match
Collection | Data from Local System | no match
Command and Control | Data Obfuscation | no match
Exfiltration | Exfiltration Over Other Network Medium | no match
Impact | Abuse Accessibility Features | no match

Source | Detection | Scanner | Label | Link
javaw.exe | 0% | ReversingLabs | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1411848
Start date and time: 2024-03-19 16:34:26 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Sample name: javaw.exe
Detection: CLEAN
Classification: clean1.winEXE@1/0@0/0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 13.85.23.206
  • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
  • VT rate limit hit for: javaw.exe
No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.024806364376392
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: javaw.exe
File size: 39'424 bytes
MD5: 7bb3605b8df408b8ff78258b8a737e19
SHA1: 10924e3d7e10e5cacfcfc6e9dfb7f355e4d034b2
SHA256: 772da0e233d56770280da72a793478fb20186480a704a8e6b0592f360b22dfc2
SHA512: 5c8e4c2e6d8805d301fccca2505287009fa11fa4a46ffb0b967bb525562413e0ce3adc30db8b010f4a0def51922e897e55440748cc3c6a87281c38e6f6daea34
SSDEEP: 768:nta2hM5R2TyJ5R3s8D/bkt5Ruz3Vb3Kg5:ntRM5RdJ5R3sozkt5RA3Kg5
TLSH: 76032A47AA182D82F02F80F24867355641B47D032BD277FA7EC6B31E1C317A19827A9F
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............z...z...z.......z...{...z...{...z.......z...~...z...y...z.$.{...z...{...z.$.~...z.$.....z.$.x...z.Rich..z.........PE..d..
Icon Hash: ac8c964f49e38f96
Entrypoint: 0x140001434
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x483C922 [Fri May 26 16:26:10 1972 UTC]. This is not a plausible build time for a binary that imports the VS2015+ Universal CRT; MSVC's /Brepro reproducible-build option stores a hash of the image in this field, which is the usual explanation for a value like this.
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 55b51ebc05a5bf65c76ada667934953a
Entrypoint disassembly (Joe Sandbox listing). Caveat: the listing decodes this x64 code as 32-bit, so REX prefix bytes appear as spurious instructions: 0x48 (REX.W) shows as "dec eax" and 0x40 as "inc eax". Read "dec eax / sub esp, 28h" as "sub rsp, 28h" and "inc eax / push ebx" as "push rbx". The 00007F13... call and jump targets are relative to an arbitrary base chosen by the listing, not to the 0x140000000 image base.
dec eax
sub esp, 28h
call 00007F13008F8300h
dec eax
add esp, 28h
jmp 00007F13008F7F1Fh
int3
int3
dec eax
sub esp, 28h
call 00007F13008F8880h
test eax, eax
je 00007F13008F80C3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F13008F80A7h
dec eax
cmp ecx, eax
je 00007F13008F80B6h
xor eax, eax
dec eax
cmpxchg dword ptr [00002BECh], ecx
jne 00007F13008F8090h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F13008F8099h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [00002BD7h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [00002BC7h], al
call 00007F13008F867Fh
call 00007F13008F8362h
test al, al
jne 00007F13008F80A6h
xor al, al
jmp 00007F13008F80B6h
call 00007F13008F8355h
test al, al
jne 00007F13008F80ABh
xor ecx, ecx
call 00007F13008F834Ah
jmp 00007F13008F808Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [00002B8Ch], 00000000h
mov ebx, ecx
jne 00007F13008F8109h
cmp ecx, 01h
jnbe 00007F13008F810Ch
call 00007F13008F87E6h
test eax, eax
je 00007F13008F80CAh
test ebx, ebx
jne 00007F13008F80C6h
dec eax
lea ecx, dword ptr [00002B76h]
call 00007F13008F8164h
Programming Language (heuristic):
  • [IMP] VS2008 SP1 build 30729
This is an import-based guess and conflicts with the import table: VCRUNTIME140.dll and the api-ms-win-crt-* API sets are the Universal CRT that ships with Visual Studio 2015 and later, so the binary was built with a newer toolchain than the heuristic reports.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2934 | 0xc8 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x6e34 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x5000 | 0x150 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd000 | 0x38 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2450 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2310 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x1f0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xd4c | 0xe00 | 68ccf727e5dce1869412c3ade49ecad2 | False | 0.6364397321428571 | zlib compressed data | 5.849709862104785 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x1100 | 0x1200 | 02ca350b1eda64d9e3a3152692e51a46 | False | 0.3743489583333333 | data | 4.089128976076526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x4000 | 0xe0 | 0x200 | ecc21b19dcaea158b7b2314bd7f8a1b3 | False | 0.103515625 | data | 0.5851037082600534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x5000 | 0x150 | 0x200 | c9ed6a31d220d3ef125dee1473b67b79 | False | 0.3984375 | data | 2.6347523520387917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x6e34 | 0x7000 | ef9419445977d73800648c0aa077d2b8 | False | 0.4407435825892857 | data | 6.217828436308515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd000 | 0x38 | 0x200 | 92c45baa8d7ae71e5b0a3d852242789e | False | 0.13671875 | data | 0.742423609674915 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
The File Type column is a file-type signature guess over the raw section bytes; "zlib compressed data" for .text is such a guess on x64 machine code, not evidence of packing (the section entropy of 5.85 is ordinary for compiled code).
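The static facts above (DLL characteristics, entry point section, which section each data directory lives in) all come from the PE32+ headers and can be re-derived without the sandbox. The following Python is an added example, not Joe Sandbox code: a dependency-free header parser plus a constructed sample image whose header values copy this report's numbers. The sample is not the analysed javaw.exe and is not executable; it exists only so the parser runs offline.

```python
import struct

# Added example (not Joe Sandbox code): a dependency-free read of the PE32+
# headers that reproduces the report's static checks: DllCharacteristics
# flags, the section holding the entry point, and the section each populated
# data directory lands in. Offsets follow IMAGE_FILE_HEADER and
# IMAGE_OPTIONAL_HEADER64; a real file is read with open(path, "rb").read().
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE",
                       0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                       0x8000: "TERMINAL_SERVER_AWARE"}
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
             "BASERELOC", "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS",
             "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
             "COM_DESCRIPTOR", "RESERVED"]


def parse_pe64(data):
    """Entry point, image base, mitigation flags and directory-to-section map
    of an in-memory PE32+ image. Raises ValueError on anything else."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe + 4                                               # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                             # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("PE32+ images only")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = min(struct.unpack_from("<I", data, opt + 108)[0], 16)
    dirs = [struct.unpack_from("<II", data, opt + 112 + 8 * i) for i in range(ndirs)]
    sections = []                                               # IMAGE_SECTION_HEADER[]
    for i in range(nsec):
        name, vsize, va, rsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rsize)))

    def section_of(rva):
        return next((n for n, va, size in sections if va <= rva < va + size), None)

    return {
        "entry_rva": entry,
        "entry_section": section_of(entry),
        "image_base": image_base,
        "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
        "directories": {DIR_NAMES[i]: section_of(rva) for i, (rva, size) in enumerate(dirs) if size},
    }


def build_sample_pe64():
    """Constructed input, not the analysed javaw.exe: a minimal, non-runnable
    PE32+ whose header values copy the report (entry 0x1434 in .text, image
    base 0x140000000, the four DllCharacteristics flags, IAT/LOAD_CONFIG/DEBUG/
    IMPORT directories at the RVAs listed for .rdata). Directory contents are
    left empty because this example only reads headers."""
    text = bytes.fromhex("4883ec28" "4883c428" "c3").ljust(0x200, b"\0")  # sub rsp,28h; add rsp,28h; ret
    rdata = bytes(0x200)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[6] = (0x2934, 0xC8), (0x2450, 0x70)      # IMPORT, DEBUG
    dirs[10], dirs[12] = (0x2310, 0x140), (0x2000, 0x1F0)  # LOAD_CONFIG, IAT
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, len(text), len(rdata), 0, 0x1434, 0x1000,
                      0x140000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                      0x3000, 0x200, 0, 2, 0x0020 | 0x0040 | 0x0100 | 0x8000,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)  # AMD64, two sections

    def sec(name, va, vsize, rptr, rsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, flags)

    headers = (b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt
               + sec(b".text", 0x1000, 0xD4C, 0x200, len(text), 0x60000020)     # CODE|EXECUTE|READ
               + sec(b".rdata", 0x2000, 0x1100, 0x400, len(rdata), 0x40000040))  # INITIALIZED_DATA|READ
    return headers.ljust(0x200, b"\0") + text + rdata


if __name__ == "__main__":
    for key, value in parse_pe64(build_sample_pe64()).items():
        print(f"{key}: {value}")
```

Run against the real file, the dll_characteristics list should read exactly as the report's DLL Characteristics line and the directories map should place IMPORT, DEBUG, LOAD_CONFIG and IAT in .rdata; any disagreement means the report and the file on disk are not the same bytes, which is the first thing to check before trusting a hash match.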
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x62b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.5101351351351351
RT_ICON | 0x63d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.5686416184971098
RT_ICON | 0x6940 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.7712765957446809
RT_ICON | 0x6da8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.4112903225806452
RT_ICON | 0x7090 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.506768953068592
RT_ICON | 0x7938 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.6142120075046904
RT_ICON | 0x89e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.29573170731707316
RT_ICON | 0x9048 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.40298507462686567
RT_ICON | 0x9ef0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.47354771784232363
RT_GROUP_ICON | 0xc498 | 0x84 | data | English | United States | 0.6363636363636364
RT_VERSION | 0xc51c | 0x310 | data | English | United States | 0.46683673469387754
RT_MANIFEST | 0xc82c | 0x608 | ASCII text, with very long lines (1544), with no line terminators | English | United States | 0.43458549222797926
DLL | Imports
jli.dll | JLI_GetStdArgc, JLI_CmdToArgs, JLI_InitArgProcessing, JLI_Launch, JLI_MemAlloc, JLI_GetStdArgs
KERNEL32.dll | InitializeSListHead, GetStartupInfoW, SetUnhandledExceptionFilter, GetModuleHandleW, UnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, GetCommandLineA, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, RtlLookupFunctionEntry, RtlCaptureContext, IsProcessorFeaturePresent
VCRUNTIME140.dll | memset, __current_exception_context, __C_specific_handler, __current_exception, memcpy
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vfprintf, __acrt_iob_func, _set_fmode, __p__commode
api-ms-win-crt-runtime-l1-1-0.dll | __p___argv, _register_onexit_function, terminate, _seh_filter_exe, _set_app_type, __p___argc, _crt_atexit, _get_narrow_winmain_command_line, _initterm, _initterm_e, exit, _exit, _initialize_onexit_table, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _initialize_narrow_environment, _configure_narrow_argv
api-ms-win-crt-environment-l1-1-0.dll | getenv, __p__environ
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode
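The import table is where the report's two findings meet: the Import Hash field is a digest of exactly this list, and the "Tries to load missing DLLs" signature together with the DLL Side-Loading cells in the ATT&CK matrix follow from jli.dll and vcruntime140.dll being resolved by name through the normal DLL search order. The Python below is an added example, not Joe Sandbox or pefile code. It embeds the import list as printed above, implements the pefile import-hash recipe (lower-case "dll.func" pairs in import order, .dll/.ocx/.sys stripped, MD5 of the comma-joined string), and classifies each imported module by how the loader resolves it. KNOWN_DLLS is a deliberately short constructed list, not the live registry value; ordinal imports are not handled, and the loader rules assume a plain executable with no manifest redirection and no SetDefaultDllDirectories call.

```python
import hashlib

# Added example (not Joe Sandbox code). Two checks over the import table the
# report prints: the pefile-compatible import hash behind the report's "Import
# Hash" field, and a triage of which imported module names the Windows loader
# searches for in the application directory, which is the exposure behind the
# "Tries to load missing DLLs" signature and the DLL Side-Loading cells.
# KNOWN_DLLS is a deliberately short constructed list; on a real host read
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs instead.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "kernelbase.dll", "user32.dll", "advapi32.dll"}

# Import table as printed in the report (DLL order and function order as shown).
JAVAW_IMPORTS = [
    ("jli.dll", ["JLI_GetStdArgc", "JLI_CmdToArgs", "JLI_InitArgProcessing",
                 "JLI_Launch", "JLI_MemAlloc", "JLI_GetStdArgs"]),
    ("KERNEL32.dll", ["InitializeSListHead", "GetStartupInfoW", "SetUnhandledExceptionFilter",
                      "GetModuleHandleW", "UnhandledExceptionFilter", "IsDebuggerPresent",
                      "RtlVirtualUnwind", "GetCommandLineA", "QueryPerformanceCounter",
                      "GetCurrentProcessId", "GetCurrentThreadId", "GetSystemTimeAsFileTime",
                      "RtlLookupFunctionEntry", "RtlCaptureContext", "IsProcessorFeaturePresent"]),
    ("VCRUNTIME140.dll", ["memset", "__current_exception_context", "__C_specific_handler",
                          "__current_exception", "memcpy"]),
    ("api-ms-win-crt-stdio-l1-1-0.dll", ["__stdio_common_vfprintf", "__acrt_iob_func",
                                         "_set_fmode", "__p__commode"]),
    ("api-ms-win-crt-runtime-l1-1-0.dll", ["__p___argv", "_register_onexit_function", "terminate",
                                           "_seh_filter_exe", "_set_app_type", "__p___argc",
                                           "_crt_atexit", "_get_narrow_winmain_command_line",
                                           "_initterm", "_initterm_e", "exit", "_exit",
                                           "_initialize_onexit_table", "_cexit", "_c_exit",
                                           "_register_thread_local_exe_atexit_callback",
                                           "_initialize_narrow_environment", "_configure_narrow_argv"]),
    ("api-ms-win-crt-environment-l1-1-0.dll", ["getenv", "__p__environ"]),
    ("api-ms-win-crt-math-l1-1-0.dll", ["__setusermatherr"]),
    ("api-ms-win-crt-locale-l1-1-0.dll", ["_configthreadlocale"]),
    ("api-ms-win-crt-heap-l1-1-0.dll", ["_set_new_mode"]),
]


def imphash_string(imports):
    """The text pefile hashes: 'dll.func' pairs in import-table order, lower
    case, a .dll/.ocx/.sys suffix dropped from the DLL name, comma-joined.
    Assumes by-name imports; pefile maps ordinal imports through a lookup
    table that this example omits."""
    parts = []
    for dll, funcs in imports:
        dll = dll.lower()
        if dll.endswith((".dll", ".ocx", ".sys")):
            dll = dll[:-4]
        parts.extend(f"{dll}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def classify_loads(imports, known_dlls=KNOWN_DLLS):
    """How the loader resolves each imported module name for a plain exe with
    no manifest redirection and no SetDefaultDllDirectories call: KnownDLLs
    always come from System32; api-ms-win-*/ext-ms-win-* names are API set
    contracts mapped through the API set schema rather than searched on disk;
    everything else follows the default search order, which begins in the
    application directory, so a same-named DLL dropped beside the exe wins."""
    verdicts = {}
    for dll, _ in imports:
        name = dll.lower()
        if name in known_dlls:
            verdicts[dll] = "known-dll: loaded from System32"
        elif name.startswith(("api-ms-win-", "ext-ms-win-")):
            verdicts[dll] = "api-set: resolved by schema"
        else:
            verdicts[dll] = "app-dir-first: side-loadable"
    return verdicts


def side_loadable(imports, known_dlls=KNOWN_DLLS):
    """Module names an attacker could satisfy by planting a file next to the exe."""
    return sorted(d for d, v in classify_loads(imports, known_dlls).items()
                  if v.startswith("app-dir-first"))


if __name__ == "__main__":
    print("imphash:", imphash(JAVAW_IMPORTS))       # compare with the report's Import Hash
    print("side-loadable:", side_loadable(JAVAW_IMPORTS))
```

Because pefile hashes the pairs in file order, the computed digest equals the report's Import Hash only if the printed list preserves that order; a mismatch on this list alone is therefore not evidence of a different binary, whereas a match is a quick confirmation. The side-loading result (jli.dll and VCRUNTIME140.dll) is the concrete form of the matrix's DLL Side-Loading entries: in the sandbox the file sat alone on the Desktop, so jli.dll was simply missing; on a real host the question is whether a writable directory containing the launcher could receive an attacker's jli.dll.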
Language of compilation system | Country where language is spoken
English | United States