Edit tour

Windows Analysis Report
Swift Transaction Report.js

Overview

General Information

Sample name:	Swift Transaction Report.js
Analysis ID:	1585123
MD5:	e865de0263ada94ea596fce4efd89ad0
SHA1:	96447cbcae6c1af91dd19587f729ec6cdddabc54
SHA256:	701435e822a78b82d53281af3ffb20b3732462ec99c6f36afdfc6f8eed4123f9
Infos:

Detection

Branchlock Obfuscator

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

JScript performs obfuscated calls to suspicious functions

Multi AV Scanner detection for submitted file

Yara detected Branchlock Obfuscator

Exploit detected, runtime environment starts unknown processes

Potential obfuscated javascript found

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found inlined nop instructions (likely shell or obfuscated code)

Java / VBScript file with very long strings (likely obfuscated code)

JavaScript source code contains large arrays or strings with random content potentially encoding malicious code

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7408 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

java.exe (PID: 7736 cmdline: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)

conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 7820 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

javaw.exe (PID: 7876 cmdline: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)

tasklist.exe (PID: 7928 cmdline: tasklist.exe MD5: 0A4448B31CE7F83CB7691A2657F330F1)

conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.1940846931.0000000014F46000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000006.00000003.1894398279.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Process Memory Space: javaw.exe PID: 7876	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js", CommandLine|base64offset|contains: N-, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js", ProcessId: 7408, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js", CommandLine|base64offset|contains: N-, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js", ProcessId: 7408, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Swift Transaction Report.js	ReversingLabs: Detection: 30%
Source: Swift Transaction Report.js	Virustotal: Detection: 31%			Perma Link

Software Vulnerabilities

Exploit detected, runtime environment starts unknown processes

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Process created: C:\Windows\System32\conhost.exe

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Code function: 4x nop then cmp eax, dword ptr [ecx+04h]

6_2_02758C18

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: seasonmonster.s3.us-east-1.amazonaws.com

Source: javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.CHAMBERSIGN.ORG
Source: javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E18000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: javaw.exe, 00000006.00000002.1933486192.0000000009DC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009D58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: javaw.exe, 00000006.00000002.1933486192.0000000009DC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: javaw.exe, 00000006.00000002.1933486192.0000000009DC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: javaw.exe, 00000006.00000002.1933486192.0000000009DC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000002.00000002.1891530019.0000000004200000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000006.00000002.1941175217.0000000015340000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E18000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E18000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E18000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm3j
Source: javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bmsj
Source: javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: Swift Confirmation Copy.jar.0.dr	String found in binary or memory: https://branchlock.net
Source: javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: javaw.exe, 00000006.00000002.1931690141.0000000004BD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/email.js
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar
Source: javaw.exe, 00000006.00000002.1931690141.0000000004BD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: Swift Transaction Report.js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal84.expl.evad.winJS@12/6@1/1

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7828:120:WilError_03

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\wscript.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Swift Transaction Report.js	ReversingLabs: Detection: 30%
Source: Swift Transaction Report.js	Virustotal: Detection: 31%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
Source: C:\Windows\SysWOW64\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("java -version", "0", "true");ITextStream.WriteLine(" exec:8800 f:");ITextStream.WriteLine(" entry:8805 f:_0x27581a a0:%22UEsDBBQACAgIACW5JFoAAAAAAAAAAAAAAAAUAA0ATUVUQS1JTkYvTUFOSUZFU1QuTUZVVAUAAZa%2FeWf%2BygAA803My0xLLS7RDUstKs7Mz7NSMNQz4PJNzMzTdc5JLC62UkjKz01KLC7JTOYCC%2BgGJJZkWCnocXEBAFBLBwh7RANZOgAAADsAAABQSwMEF");ITextStream.WriteLine(" exec:71816 f:_0x152825");ITextStream.WriteLine(" entry:71827 f:_0xddf113 a0:2535");ITextStream.WriteLine(" exit:71827 f:_0xddf113 r:%22qHOVy%22");ITextStream.WriteLine(" entry:71832 f:_0xddf113 a0:5835");ITextStream.WriteLine(" exit:71832 f:_0xddf113 r:%22split%22");ITextStream.WriteLine(" entry:71822 o:%220%7C1%7C3%7C2%7C4%22 f:split a0:%22%7C%22");ITextStream.WriteLine(" exit:71822 o:%220%7C1%7C3%7C2%7C4%22 f:split r:0%2C1%2C3%2C2%2C4");ITextStream.WriteLine(" entry:71873 f:_0xddf113 a0:5282");ITextStream.WriteLine(" exit:71873 f:_0xddf113 r:%22tzErh%22");ITextStream.WriteLine(" entry:71888 f:_0xddf113 a0:7122");ITextStream.WriteLine(" exit:71888 f:_0xddf113 r:%22createElem%22");ITextStream.WriteLine(" entry:71892 f:_0xddf113 a0:5829");ITextStream.WriteLine(" exit:71892 f:_0xddf113 r:%22ent%22");ITextStream.WriteLine(" entry:71900 f:_0xddf113 a0:7277");ITextStream.WriteLine(" exit:71900 f:_0xddf113 r:%22cOOzb%22");IXMLDOMNode._00000000();ITextStream.WriteLine(" entry:71883 o: f:createElement a0:%22tmp%22");IXMLDOMNode._00000029("tmp");IXMLDOMNode._00000000();IXMLDOMElement._00000000();ITextStream.WriteLine(" exit:71883 o: f:createElement r:");ITextStream.WriteLine(" entry:71929 f:_0xddf113 a0:5037");ITextStream.WriteLine(" exit:71929 f:_0xddf113 r:%22dataType%22");ITextStream.WriteLine(" entry:71936 f:_0xddf113 a0:1394");ITextStream.WriteLine(" exit:71936 f:_0xddf113 r:%22NMYlu%22");IXMLDOMElement.dataType("bin.base64");ITextStream.WriteLine(" entry:71914 f:_0xddf113 a0:6722");ITextStream.WriteLine(" exit:71914 f:_0xddf113 r:%22text%22");IXMLDOMElement.text("UEsDBBQACAgIACW5JFoAAAAAAAAAAAAAAAAUAA0ATUVUQS1JTkYvTUFOSUZFU1QuTUZVVAUAAZa/eWf+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4PJNzMzTdc5JLC62UkjKz01KLC7JTOYCC+gGJJZkWCnocXEBAFBLBwh7RANZOgAAADsAAABQSwMEFAAICAgAtTklWgAAAAAAAAAAAAAAAAwAAADduC/");ITextStream.WriteLine(" entry:71950 f:_0xddf113 a0:5709");ITextStream.WriteLine(" exit:71950 f:_0xddf113 r:%22nodeTypedV%22");ITextStream.WriteLine(" entry:71954 f:_0xddf113 a0:1060");ITextStream.WriteLine(" exit:71954 f:_0xddf113 r:%22alue%22");IXMLDOMElement.nodeTypedValue();ITextStream.WriteLine(" exit:8805 f:_0x27581a r:");ITextStream.WriteLine(" exit:72033 o:%5Bobject%20Object%5D f:QjjLD r:");ITextStream.WriteLine(" entry:72172 f:_0xd6267a a0:3052");ITextStream.WriteLine(" exit:72172 f:_0xd6267a r:%22MWkRL%22");ITextStream.WriteLine(" entry:72114 f:_0xd6267a a0:7959");ITextStream.WriteLine(" exit:72114 f:_0xd6267a r:%22Type%22");_Stream.Type("1");ITextStream.WriteLine(" entry:72099 f:_0xd6267a a0:7433");ITextStream.WriteLine(" exit:72099 f:_0xd6267a r:%22Open%22");_Stream._00000000();ITextStream.WriteLine(" entry:7209

Yara detected Branchlock Obfuscator

Source: Yara match	File source: 00000006.00000002.1940846931.0000000014F46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1894398279.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: javaw.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar, type: DROPPED

Potential obfuscated javascript found

Source: Swift Transaction Report.js

Initial file: High amount of function use 12

Source: Swift Transaction Report.js

Array : entropy: 5.55, length: 8362, content: 'qvwnAjm4Sd''e581tkX1WT''OgWi80OwsB''IyMD17J1x4''XHg0Nic6Xz''RSgweDhlKS''cyxjcmVhdG''9yM2FlICU3''VCN

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_020DA20A push ecx; ret	2_2_020DA21A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_020DA21B push ecx; ret	2_2_020DA225
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_020DBB67 push 00000000h; mov dword ptr [esp], esp	2_2_020DBB8D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_020DB3B7 push 00000000h; mov dword ptr [esp], esp	2_2_020DB3DD
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_020DB947 push 00000000h; mov dword ptr [esp], esp	2_2_020DB96D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 2_2_020DC477 push 00000000h; mov dword ptr [esp], esp	2_2_020DC49D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 6_2_0275B331 push ecx; retn 0022h	6_2_0275B3E6
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 6_2_0275B077 push es; iretd	6_2_0275B07E
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 6_2_0275D691 push cs; retf	6_2_0275D6B1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 6_2_0276159A pushad ; ret	6_2_0276159D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 6_2_026BD8F7 push 00000000h; mov dword ptr [esp], esp	6_2_026BD921
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 6_2_026BA20A push ecx; ret	6_2_026BA21A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 6_2_026BA21B push ecx; ret	6_2_026BA225
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 6_2_026BBB67 push 00000000h; mov dword ptr [esp], esp	6_2_026BBB8D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 6_2_026BB3B7 push 00000000h; mov dword ptr [esp], esp	6_2_026BB3DD
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 6_2_026BD8E0 push 00000000h; mov dword ptr [esp], esp	6_2_026BD921
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 6_2_026BB947 push 00000000h; mov dword ptr [esp], esp	6_2_026BB96D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 6_2_026BC477 push 00000000h; mov dword ptr [esp], esp	6_2_026BC49D

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE8
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE8
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE8
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE8
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE8
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE8
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE8
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE8

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Code function: 6_2_0275B4C4 sldt word ptr [eax]

6_2_0275B4C4

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: javaw.exe, 00000006.00000003.1895030760.0000000014CCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000006.00000003.1895030760.0000000014CCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.1890023261.00000000006D5000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1930313342.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000006.00000003.1895030760.0000000014CCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000002.1890023261.00000000006D5000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1930313342.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware.exe8
Source: java.exe, 00000002.00000003.1886286444.00000000146CC000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1895030760.0000000014CCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe8
Source: java.exe, 00000002.00000002.1890023261.00000000006AB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1930313342.0000000000C77000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Code function: 2_2_020D03C0 cpuid

2_2_020D03C0

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7736 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7876 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	23 Scripting	Valid Accounts	1 Windows Management Instrumentation	23 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Data Encoding	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Swift Transaction Report.js	30%	ReversingLabs	Script-JS.Trojan.Malgent
Swift Transaction Report.js	31%	Virustotal		Browse

Source	Detection	Scanner	Label
https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar	0%	Avira URL Cloud	safe
http://www.quovadis.bm3j	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/email.js	0%	Avira URL Cloud	safe
http://www.quovadis.bmsj	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar	0%	Avira URL Cloud	safe
https://branchlock.net	0%	Avira URL Cloud	safe
HTTP://WWW.CHAMBERSIGN.ORG	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-r-w.us-east-1.amazonaws.com	54.231.134.106	true	false		high
seasonmonster.s3.us-east-1.amazonaws.com	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.xrampsecurity.com/XGCA.crl	javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl0	javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm3j	javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bmsj	javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://repository.luxtrust.lu0	javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bugreport.sun.com/bugreport/	javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html0	javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar	javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://java.oracle.com/	java.exe, 00000002.00000002.1891530019.0000000004200000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009DC7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/	javaw.exe, 00000006.00000002.1941175217.0000000015340000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1933486192.0000000009F21000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/0	javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.00000000048A4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	false		high
HTTP://WWW.CHAMBERSIGN.ORG	javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://branchlock.net	Swift Confirmation Copy.jar.0.dr	false	Avira URL Cloud: safe	unknown
http://policy.camerfirma.com	javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar	javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com	javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html	javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar	javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/email.js	javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl	javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu	javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com	javaw.exe, 00000006.00000002.1931690141.0000000004BD2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf	javaw.exe, 00000006.00000002.1931690141.0000000004BD2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm	javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar	javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersroot.crl	javaw.exe, 00000006.00000002.1933486192.0000000009FB4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	javaw.exe, 00000006.00000002.1931690141.0000000004CBD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org	javaw.exe, 00000006.00000002.1931690141.000000000492A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	javaw.exe, 00000006.00000002.1931690141.0000000004C8C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar	javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar	javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar	javaw.exe, 00000006.00000002.1933486192.0000000009E46000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.231.134.106	s3-r-w.us-east-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585123
Start date and time:	2025-01-07 05:40:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Swift Transaction Report.js
Detection:	MAL
Classification:	mal84.expl.evad.winJS@12/6@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 75% Number of executed functions: 25 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .js Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target java.exe, PID 7736 because it is empty
Execution Graph export aborted for target javaw.exe, PID 7876 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.us-east-1.amazonaws.com	https://midoregoncu-securemessagecenter.s3.us-east-1.amazonaws.com/open/message_12832.html	Get hash	malicious	HTMLPhisher	Browse	54.231.130.18
	http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdf	Get hash	malicious	Unknown	Browse	52.217.134.50
	https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html	Get hash	malicious	Unknown	Browse	52.217.41.32
	https://verification.com/omid_error?	Get hash	malicious	Unknown	Browse	52.217.85.136
	https://receptive-comfortable-paw.glitch.me/	Get hash	malicious	Unknown	Browse	16.15.178.21
	https://payroll-news.at-eu.therelayservice.com/service/BUX_ZozoSdJWCG_5j9jtL5kIM8s4zpz8F8daQ7vEahL5WDRxV7IghpJPwSaoWNEG9eO6H06U_y_gwUSZJc9fDfwYBqPUPrZdmmRzUZ9qHFiMcq2w4-i7crrAjeyo_fa156_U7Eu0Ww9PKs3fM5eYkKQ_3vneF9YQUPUya3C3-wlq3FWHKATIkpuQEfV3laRldFNeWNfYS-sS9ogrADD3n54QIIqJd8nlTvWUjJCrpgug-gBImSGXyayDT39pkqjgqB_40YKcUcppFI95cuu7iPqdT0iDrU2CjdVlbNBd7udGztDhsYo1On9eJe-8oAEXs4eUbwt4py8g4aPFRtdg8AUlv-D-xKGeqkuRGN01AKHTOx7qZI-nNi5aqPk4UOXYeA3nx4xY22_7T29dLhfKcA	Get hash	malicious	Unknown	Browse	52.217.140.2
	Employee_Important_Message.pdf	Get hash	malicious	HTMLPhisher	Browse	16.182.106.106
	Employee_Important_Message.pdf	Get hash	malicious	Unknown	Browse	52.217.199.10
	https://google.lk/url?q=ernie.grue@nationalmi.com&nationalmi.com&sa=t&url=amp/s/i--iy.s3.us-east-1.amazonaws.com/vocabulary.html#ZXJuaWUuZ3J1ZUBuYXRpb25hbG1pLmNvbQ==	Get hash	malicious	Unknown	Browse	52.217.132.146
	Employee_Important_Message.pdf	Get hash	malicious	Unknown	Browse	16.182.103.34

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://u896278.ct.sendgrid.net/ls/click?upn=u001.qpi-2F0q-2FpcJZ7AGoG9N-2BrxLxoGn8scq-2BedBfmGHFAiwRCk-2Fciku7nsS3YfQMNNJI09mLo_nYx4-2F6dkZkjW10KMIp5mXhxys1ng1sBiI-2Bi9ROMYt6d5xhIh5rIqEUIaIxVHh8-2Ftz-2FouCgfXZk6mMUe2uKm92SOgBLlBdhjnRJuhENZnIuGoEoPqnROi7OCzdabJBBnGjEwd2iK-2BngR2RyIIgM3XrJQ7wQhHrfqScifSW3iAsv3H5nGFK9ntcSdChvkxj0yXdE-2FQ0ICDszl57i6aZSB-2Fow-3D-3D	Get hash	malicious	Unknown	Browse	13.33.219.205
	sh4.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse	52.217.12.174
	mpsl.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	la.bot.arm5.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	arm5.elf	Get hash	malicious	Mirai	Browse	13.62.27.251
	spc.elf	Get hash	malicious	Mirai	Browse	52.9.216.221
	i686.elf	Get hash	malicious	Mirai	Browse	13.248.229.191
	main_arm.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	i486.elf	Get hash	malicious	Mirai	Browse	13.48.76.196

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.935546689086913
Encrypted:	false
SSDEEP:	3:oFj4I5vpm4UScF:oJ5bcF
MD5:	165B6782E63C53652327A7A3B8BA6259
SHA1:	4E4DC9EC112A9CDC71BF02D968C858E7ACC517B6
SHA-256:	82B7B17B13895C1FF5858EDC8F5B2BC446532809E20BCE80EBF4A416185D9328
SHA-512:	66FD3B1A5FAFFE3A43478236C6C380327DB7355539B3EC5C9B30FB9219476B43D83A82CC5680731763C6C56BB4992F3B6EBEBD510A7E5B47BD5C710303D21557
Malicious:	false
Reputation:	low
Preview:	C:\Program Files (x86)\Java\jre-1.8..1736224909418..

C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	21359
Entropy (8bit):	7.948030467353428
Encrypted:	false
SSDEEP:	384:OAJjyCdE1n02lxzHm8QkdduiQpbkl/JZ476rvusoEyPsh719/buA5OB5/6RkhZgK:PJy1npQm5QxkBcyvulbkB19/buAoX/Rf
MD5:	8E96E66F83E748D267DF96390C880297
SHA1:	BAE891900C7C646F62A9B51C27F5B13A30CC9589
SHA-256:	AE345B40D165255284BF4C6AB00A871FCB035B552AC0B20B3CFB19E4644E49B7
SHA-512:	CEE16641BBBBF2DA2D1AE7AF00E6B266DE0374B955C37933061C4D1641AAC4CD1216A05C2140CB9203B0DC9CF565C686D5C04CD884EB44C578CD40605F7F7224
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar, Author: Joe Security
Reputation:	low
Preview:	PK........%.$Z................META-INF/MANIFEST.MFUT.....yg.....M..LK-...K-...R0.3..M...u.I,..RH..MJ,..L.....$.dX).qq..PK..{D.Y:...;...PK.........9%Z................./..class.R[O.A.=C...k..P.h.E]. J.....bDI..m...k.-../..7..Q\|..@c..f..^.!./..4......ag.;g.w......N.2.w#.l.,. .U........6..N.qj....}{N..5.....Q.R.4.$..a.....q.f..A9..#....a...LBUcA.PWM.fx.]..x}(.n...g..S.+rio.....j..&!...{.&....)n!JP...fd)3 .T.U....{..6tSw......-}.u......7.....efD.'........<Pl.3...h......u5.f.~~ .~.k.[.....H......J.2.Y......t..ajO.i~....M.8.U...t..1.cP.L[......,...(#ng....%b#..i...8...5A.......8J....X.Dt..S.e.T3Et.H..M.6.$t..]8.... .J#.n.fN.u.J.C...'..5..Q.+....5N.L.m..5<..5.DT......?.......F.ai..`k..uT.b...S..j]....i.A..'.......Gq8.!D!....<.)...p..C.....}.s8....y..uya...x...u...:.p...u.V..J.".RCl.T!......S...F./PK...}j.........PK.........9%Z................./..class.T]O.Y.~N....k[AdY.u....AYQ....G*~.0.....u._.f....%..Q...&..L................B..w..c

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7736

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2198553404843202
Encrypted:	false
SSDEEP:	96:uy4rBfN8GyFE5+46rJI28IAH7TiHG1bowYk:uyWl8GYE5+46WIU+HGd
MD5:	1E6B9565A5D5175458B654DDCA2045E0
SHA1:	5B24A85F082F74348A1D2220DACE62F386A3D57F
SHA-256:	8DAF3465907374B867A93150FD7BF6FD23A034A77CEFD1D17A3CD0249961A0F8
SHA-512:	7BD5AD44B78623CF53E17F16F7373A2FFB97EE82B37E5726771700A3F9B06097467D928DD3722433A985996D832C2078E9398E7F1A921069990C9874DB3F1DF5
Malicious:	false
Preview:	........87......7.!..... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7876

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2855600660551476
Encrypted:	false
SSDEEP:	96:gZprqJ8GgC2Ges6L624wc44eo47TmHG1bowF:gZk8GgpGes6L604WqHGd
MD5:	192F5AFCE72C05BF430C2CBB5E55892E
SHA1:	119B60866C58D739BC45B31A173738266C778308
SHA-256:	0F2AA18A727B9D8241DD7E30B54E24794F01E722E210497326F6492D4BE4E656
SHA-512:	DFC0D96786B250902F6D974BCFC470FF0B1183E934791C51ED9D7FABA2EB7A0959AEA5C0EAB71B7740755C0300761B2F7BC9E0982C6F71B3D69CF213B1B3D456
Malicious:	false
Preview:	........ 9.......Z...... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwlt7n:WNn
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Preview:	........................................J2SE.

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	140
Entropy (8bit):	5.1030619724035935
Encrypted:	false
SSDEEP:	3:CEuXWN0LdmI3VuEHNekOCe3Z8md3EIFHgtzasVVdR1Ikk1:CEuX8jIcCQ93EHt+sVVCF1
MD5:	67923EB5173B4A81DD4F8954EFCF4BDF
SHA1:	F3780A75AE4B391060BB8A953B7A4A3632E2B0AE
SHA-256:	46ED3C9741B74886F805C491E189983FBE21E9B50907514A2D7069DF1D130BBF
SHA-512:	A5CC6BA075EEE88BEDA940337BEE99A65F78D81C7E5F07A559EC7F90F14AC2C5BEF31BFE986B666FC0D3E8EF4F4E7C92EF947545F16EE5E825499D07B49201CE
Malicious:	false
Preview:	java version "1.8.0_381"..Java(TM) SE Runtime Environment (build 1.8.0_381-b09)..Java HotSpot(TM) Client VM (build 25.381-b09, mixed mode)..

Static File Info

General

File type:	ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	5.013450527079773
TrID:
File name:	Swift Transaction Report.js
File size:	334'392 bytes
MD5:	e865de0263ada94ea596fce4efd89ad0
SHA1:	96447cbcae6c1af91dd19587f729ec6cdddabc54
SHA256:	701435e822a78b82d53281af3ffb20b3732462ec99c6f36afdfc6f8eed4123f9
SHA512:	124f57e8f55a87ed2bf2f654d0bc59b5195807fb999c2e534bf22a9eb23471ca84f9a3794a20f3651dcefcd324827988f28c439830ce98e325a7d39de906bb3b
SSDEEP:	3072:mOAfrLpHJttJamF2HVF1SPtDNu8JPJRl0JSc:hAzdtEBF05NdJ7l0JSc
TLSH:	9B641C7839405C475CD97EF7663348CEDEB37805A289C8BBE2002979A28757CAB517F2
File Content Preview:	function _0x5023(){var _0x24472e=['qvwnAjm4Sd','e581tkX1WT','OgWi80OwsB','IyMD17J1x4','XHg0Nic6Xz','RSgweDhlKS','cyxjcmVhdG','9yM2FlICU3','VCNjJbXzB4','NkVceDQ2XH','oYoRMUCKd3','MHhFQzZBLF','B4MjY0KSks','g0Myc6XzB4','6e+QdDu1vk','WzIyOV0sXz','hfMHhFQkE0',

File Icon


Icon Hash:	68d69b8bb6aa9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 05:41:52.579247952 CET	49736	443	192.168.2.4	54.231.134.106
Jan 7, 2025 05:41:52.579268932 CET	443	49736	54.231.134.106	192.168.2.4
Jan 7, 2025 05:41:52.579374075 CET	49736	443	192.168.2.4	54.231.134.106
Jan 7, 2025 05:41:52.679656982 CET	49736	443	192.168.2.4	54.231.134.106
Jan 7, 2025 05:41:52.679681063 CET	443	49736	54.231.134.106	192.168.2.4
Jan 7, 2025 05:41:53.237752914 CET	443	49736	54.231.134.106	192.168.2.4
Jan 7, 2025 05:41:53.237914085 CET	49736	443	192.168.2.4	54.231.134.106
Jan 7, 2025 05:41:53.237936020 CET	443	49736	54.231.134.106	192.168.2.4
Jan 7, 2025 05:41:53.237982988 CET	49736	443	192.168.2.4	54.231.134.106
Jan 7, 2025 05:41:53.254226923 CET	49736	443	192.168.2.4	54.231.134.106
Jan 7, 2025 05:41:53.254232883 CET	443	49736	54.231.134.106	192.168.2.4
Jan 7, 2025 05:41:53.321324110 CET	49736	443	192.168.2.4	54.231.134.106
Jan 7, 2025 05:41:53.321324110 CET	49736	443	192.168.2.4	54.231.134.106
Jan 7, 2025 05:41:53.321331978 CET	443	49736	54.231.134.106	192.168.2.4
Jan 7, 2025 05:41:53.321528912 CET	443	49736	54.231.134.106	192.168.2.4
Jan 7, 2025 05:41:53.321891069 CET	49736	443	192.168.2.4	54.231.134.106

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 05:41:52.560559988 CET	58219	53	192.168.2.4	1.1.1.1
Jan 7, 2025 05:41:52.576478958 CET	53	58219	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 05:41:52.560559988 CET	192.168.2.4	1.1.1.1	0x446c	Standard query (0)	seasonmonster.s3.us-east-1.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 05:41:52.576478958 CET	1.1.1.1	192.168.2.4	0x446c	No error (0)	seasonmonster.s3.us-east-1.amazonaws.com	s3-r-w.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 05:41:52.576478958 CET	1.1.1.1	192.168.2.4	0x446c	No error (0)	s3-r-w.us-east-1.amazonaws.com		54.231.134.106	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:41:52.576478958 CET	1.1.1.1	192.168.2.4	0x446c	No error (0)	s3-r-w.us-east-1.amazonaws.com		54.231.168.218	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:41:52.576478958 CET	1.1.1.1	192.168.2.4	0x446c	No error (0)	s3-r-w.us-east-1.amazonaws.com		16.15.178.186	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:41:52.576478958 CET	1.1.1.1	192.168.2.4	0x446c	No error (0)	s3-r-w.us-east-1.amazonaws.com		3.5.7.1	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:41:52.576478958 CET	1.1.1.1	192.168.2.4	0x446c	No error (0)	s3-r-w.us-east-1.amazonaws.com		52.217.65.232	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:41:52.576478958 CET	1.1.1.1	192.168.2.4	0x446c	No error (0)	s3-r-w.us-east-1.amazonaws.com		16.182.71.34	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:41:52.576478958 CET	1.1.1.1	192.168.2.4	0x446c	No error (0)	s3-r-w.us-east-1.amazonaws.com		52.216.59.18	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:41:52.576478958 CET	1.1.1.1	192.168.2.4	0x446c	No error (0)	s3-r-w.us-east-1.amazonaws.com		16.182.67.98	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	23:41:24
Start date:	06/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js"
Imagebase:	0x7ff75a900000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:41:48
Start date:	06/01/2025
Path:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
Imagebase:	0xa30000
File size:	257'664 bytes
MD5 hash:	9DAA53BAB2ECB33DC0D9CA51552701FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:41:48
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:41:48
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0x440000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:41:48
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:41:49
Start date:	06/01/2025
Path:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
Imagebase:	0x50000
File size:	257'664 bytes
MD5 hash:	6E0F4F812AE02FBCB744A929E74A04B8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000006.00000002.1940846931.0000000014F46000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000006.00000003.1894398279.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:41:49
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist.exe
Imagebase:	0xf20000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:41:49
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ec4b0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 020D0672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1890887271.00000000020D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_20d0000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a013eb8cabcbd043bbab837161dc4a3803abd5ca43d685801e961288f1562b41
Instruction ID: 910919a3165954fea6663d73dd86e995ebb4238c8c9871640c5c794c3472e2d1
Opcode Fuzzy Hash: a013eb8cabcbd043bbab837161dc4a3803abd5ca43d685801e961288f1562b41
Instruction Fuzzy Hash: 4A1149B6D0232A9FCF24CF49C4854ADB7B2FF98314F164529EC69A7341D3346920DB92

Function 020D0722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1890887271.00000000020D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_20d0000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb70153bec9c499dda192934c6d57752f6382d7c9f8753340781fcfa5a47fa1
Instruction ID: 3068c201e06da88a5925b19bb0d69db692bf8dd01257c5df1ec408dc8052cc40
Opcode Fuzzy Hash: 1fb70153bec9c499dda192934c6d57752f6382d7c9f8753340781fcfa5a47fa1
Instruction Fuzzy Hash: F4F0F27AC003299B8B559F48C4400ADB7B2AB04318F1A8496DC2C3B241D332AD62DF91

Function 020E4B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1890887271.00000000020D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 020D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_20d2000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ac9905b987a3990641b5709ce78bf83fcdbcea236263927a1fac8204b75697
Instruction ID: fb6f76310175ac639b8041f68996f40f08fa773ab4c31358cb0b83083f2993fd
Opcode Fuzzy Hash: 82ac9905b987a3990641b5709ce78bf83fcdbcea236263927a1fac8204b75697
Instruction Fuzzy Hash: 31F079B6A04A06EBDB258F61C0047DAFBB4BB88718F14821AD82C67350D778B4698BC1

Function 020DDA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1890887271.00000000020D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 020D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_20d2000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1afbe3d185832393eab2cd6ff303083b075a269e66b129544a459ff784383e6
Instruction ID: e7d523d8b5c1e75b7be791b68f93e5cba9665df020a2fe8eb9c339328befc21e
Opcode Fuzzy Hash: b1afbe3d185832393eab2cd6ff303083b075a269e66b129544a459ff784383e6
Instruction Fuzzy Hash: 6BF0CAB6D01A0AABDB258F61C0047DAFBB5BB88718F18421AC42C67320D378B469CFC0

Function 020E3C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1890887271.00000000020D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 020D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_20d2000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c43ca9c89e5f67f5914b30089ab596354d400eb743d8a474790ddfe95e4ddc
Instruction ID: eb0ba20701639b14e90ba96db0d09ef37e7fe6258bdbf4842ed073e01fa9df3d
Opcode Fuzzy Hash: 90c43ca9c89e5f67f5914b30089ab596354d400eb743d8a474790ddfe95e4ddc
Instruction Fuzzy Hash: A5F0CAB6D00A0AABDB658F61C0047CAFBB4BB88718F14421AC42C67320D378B469CFC1

Function 020E45E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1890887271.00000000020D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 020D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_20d2000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39f7d541a57d8b4e93c0028f473a598da3cc88df402a023e6ccfbd9342a2916
Instruction ID: f03309c1b593bf04d0bfdd87ebe9de6c2a7d6be786a2e61809be0572a358e8ff
Opcode Fuzzy Hash: b39f7d541a57d8b4e93c0028f473a598da3cc88df402a023e6ccfbd9342a2916
Instruction Fuzzy Hash: D2F0C2B6D00A06ABDB258F61C0047CAFBB5BB44714F14421AC52C67310D378B465CFC0

Non-executed Functions

Function 020D03C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1890887271.00000000020D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_20d0000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction ID: 2babe42abf93ceee2650eb5accc0cb415835e6c3ab79564b446d3e24f8312163
Opcode Fuzzy Hash: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction Fuzzy Hash: 1721C4BA5043568FDB358F1988407D9B7E6EB58314F21882EDECDA7710D2306A898B51

Analysis Process: javaw.exePID: 7876, Parent PID: 7408COMMON

Executed Functions

Function 026BD8F7 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

`pBl, xrefs: 026BDAC5

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b2000_javaw.jbxd

Similarity

API ID:
String ID: `pBl
API String ID: 0-3369615547
Opcode ID: e7e72b5c1298e9e15c523ef118b25a3b60288da43d00497f6bb8a5095c06d2c4
Instruction ID: 9d76355ce60d9d6d475f69947cd9a1de0d513fb73e02e1254e4323865e2565b0
Opcode Fuzzy Hash: e7e72b5c1298e9e15c523ef118b25a3b60288da43d00497f6bb8a5095c06d2c4
Instruction Fuzzy Hash: 37A177B5A04601DFDB1ACF24C494BAAFBB1FF49318F08819DD91A4F381CB35A885CB91

Function 026BD8E0 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

`pBl, xrefs: 026BDAC5

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b2000_javaw.jbxd

Similarity

API ID:
String ID: `pBl
API String ID: 0-3369615547
Opcode ID: 7982ba43f52b0724060078c2ecba409bc46b0b677bca5d4b8a259aa66ff13a54
Instruction ID: 6797949ddc2992fdc620717b2db7b60f1b6edfa34a6f4950879baf027ceea650
Opcode Fuzzy Hash: 7982ba43f52b0724060078c2ecba409bc46b0b677bca5d4b8a259aa66ff13a54
Instruction Fuzzy Hash: DA6199B1604601DFDB1ACF24C494BAAFBB5FF49718F08819DD91A4F381C774A885CB91

Function 0275FB92 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.0000000002754000.00000040.00000800.00020000.00000000.sdmp, Offset: 02754000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2754000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271c831f421b409bd2571f250908b8fe982b9814735c4085daa43b971fa72ea9
Instruction ID: 1af4aa48c1e3aed35641aff4b52e3db73d51405b5abeb4cca1d8585385d545e0
Opcode Fuzzy Hash: 271c831f421b409bd2571f250908b8fe982b9814735c4085daa43b971fa72ea9
Instruction Fuzzy Hash: A5D13C71A053508FC715DF29C08462AFBE2FF8A314F65896EE8899B755C771E842CF82

Function 0276C4DF Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.0000000002754000.00000040.00000800.00020000.00000000.sdmp, Offset: 02754000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2754000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72907139b7ccd6efef04d5fb9a3613c48a10e7cb3bfd21bc1bf08cc80b85152e
Instruction ID: 33d54a72925234d16011943e73075d522cff785020ff760eec40c4f62b018633
Opcode Fuzzy Hash: 72907139b7ccd6efef04d5fb9a3613c48a10e7cb3bfd21bc1bf08cc80b85152e
Instruction Fuzzy Hash: 1B4148716053548FCB52CF14C88C62AB7E2BBC9624F69896EECC897704D731EC458B82

Function 02769367 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.0000000002754000.00000040.00000800.00020000.00000000.sdmp, Offset: 02754000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2754000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25a61fc9e5f430abecd4f850da4841fad46eb459c0b3448f51339fddeefa5902
Instruction ID: 94fac7979b8a5af0b9df48e6df4e164ba53f004cd7026ff3bc1b08cd37a39c68
Opcode Fuzzy Hash: 25a61fc9e5f430abecd4f850da4841fad46eb459c0b3448f51339fddeefa5902
Instruction Fuzzy Hash: 303191B0908745EFD715CF21C4487B9FBB0BF82308F0882ADC9485B781D7386559DB82

Function 026B0672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b0000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a013eb8cabcbd043bbab837161dc4a3803abd5ca43d685801e961288f1562b41
Instruction ID: 2fd838f8bbd1adbcbcef4aa0ca4707ea4a1d6dda6dae11b790159eb952631ac9
Opcode Fuzzy Hash: a013eb8cabcbd043bbab837161dc4a3803abd5ca43d685801e961288f1562b41
Instruction Fuzzy Hash: FE1149B6D0022A9FCF29CF59C4854EEBBB0FF98314F264565DC65A3741E33469A0CB91

Function 02762A68 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.0000000002754000.00000040.00000800.00020000.00000000.sdmp, Offset: 02754000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2754000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e292246747d129bba915de0298486b934b7f9a144af8e2dcb0341c530f307d00
Instruction ID: 27e51b651e84f1c64d2c6d2624a1a1ade24c2f25ae23433712bc2a38238cf4a8
Opcode Fuzzy Hash: e292246747d129bba915de0298486b934b7f9a144af8e2dcb0341c530f307d00
Instruction Fuzzy Hash: C2F0E2B58093488BD301AF349C45135BBB1BF13230F1957C9D8E4AB2D2D322844ACB51

Function 026B0722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b0000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb70153bec9c499dda192934c6d57752f6382d7c9f8753340781fcfa5a47fa1
Instruction ID: 4cd9999526649ad11cb90f817c929b419aaa6797c183559476cfd0030dbb4831
Opcode Fuzzy Hash: 1fb70153bec9c499dda192934c6d57752f6382d7c9f8753340781fcfa5a47fa1
Instruction Fuzzy Hash: 7FF01576C00229DB8B15DF48C4400EEFBB1EF04218B2A85A6DC2837741E332ADA2CF81

Function 02762A90 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.0000000002754000.00000040.00000800.00020000.00000000.sdmp, Offset: 02754000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2754000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a92122b757095567f9b1ab1e5a75132901640dc627915bf7c66fa26a1b6020b
Instruction ID: 79ee0da0223ba6785bce599643777da9782f70f3ad89d38b9c3c823949d9c902
Opcode Fuzzy Hash: 6a92122b757095567f9b1ab1e5a75132901640dc627915bf7c66fa26a1b6020b
Instruction Fuzzy Hash: 63D05E718043098BC601AF34D844529B7A4BF15334F594B8CECDCAB381E332A8858F92

Function 026C4B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c1be2a60e2d48484896d926566ca6d0dc356464296f79be76810bf9f1da541e
Instruction ID: b3b8ca2f284e54e9c110092f9911168f9074752b63a974119939db6544d84fe3
Opcode Fuzzy Hash: 9c1be2a60e2d48484896d926566ca6d0dc356464296f79be76810bf9f1da541e
Instruction Fuzzy Hash: BEF079B6A00A06EBDB258F61C0047DAFBB4BB88718F14821AD82C67350D778B4698BC1

Function 026BEC1C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe8b69d68565ddefe3567da242c244055cdc9dd5cbe090642aa4e64b78282b87
Instruction ID: 6eee1ad020435fc3ce6cfc8a891d9b58dcc384d86c2fbe2c42b65d107e9d6364
Opcode Fuzzy Hash: fe8b69d68565ddefe3567da242c244055cdc9dd5cbe090642aa4e64b78282b87
Instruction Fuzzy Hash: 88F09BB6A00A06EBDB29CF61C0047DAFBB4BB88718F14421AC42C67750D778B4A9CFC0

Function 026C6495 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70afb67fee5e9d53bf847f294d9b826d641976ca1ab121b442551debdb6019f2
Instruction ID: 34685e4423038be715261c6705dac4fa7c57f5d76589261e245fc02f09dcd3fb
Opcode Fuzzy Hash: 70afb67fee5e9d53bf847f294d9b826d641976ca1ab121b442551debdb6019f2
Instruction Fuzzy Hash: 66F09BB6A00A16EBDB26CF65C0047CAFBB4BB88714F54421AC42C67350D778B469CFC0

Function 026C6575 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70afb67fee5e9d53bf847f294d9b826d641976ca1ab121b442551debdb6019f2
Instruction ID: 34685e4423038be715261c6705dac4fa7c57f5d76589261e245fc02f09dcd3fb
Opcode Fuzzy Hash: 70afb67fee5e9d53bf847f294d9b826d641976ca1ab121b442551debdb6019f2
Instruction Fuzzy Hash: 66F09BB6A00A16EBDB26CF65C0047CAFBB4BB88714F54421AC42C67350D778B469CFC0

Function 026BDA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 038666c590bf4f76215726f46993a222f6388f14fb895f392c06180a4853ada5
Instruction ID: f64a8269dc6ec5f8413bfb364207423f71baf1a1c819094c96a237eac60fcae7
Opcode Fuzzy Hash: 038666c590bf4f76215726f46993a222f6388f14fb895f392c06180a4853ada5
Instruction Fuzzy Hash: F0F0C2B6D00A06ABDB258F61C0047DAFBB4BF44714F14421AC42C67310D378B465CFC0

Function 026C49AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0746279c65e4adbf625b084895db2a55500f9cc70374574102482dc0cbc5e5
Instruction ID: 8d7c265c1271cca50a4c1d789e928275b475f466e036e36c560e059e53f44e44
Opcode Fuzzy Hash: 7e0746279c65e4adbf625b084895db2a55500f9cc70374574102482dc0cbc5e5
Instruction Fuzzy Hash: E0F0CAB6D00A06ABDB258F61C0047CAFBB4BB88714F18421AC42C67320E378B4A9CFC0

Function 026BDE6E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820fb2bd1306af8e717d05944195adf82643db201313b83298374a419d172659
Instruction ID: a5a1f91a9ce4676f7bfd0c65aa0af804b4af72e03af7537cb352297a04effb6f
Opcode Fuzzy Hash: 820fb2bd1306af8e717d05944195adf82643db201313b83298374a419d172659
Instruction Fuzzy Hash: D6F0CAB6D00A06ABDB258F61C0047CAFBB4BB88714F14421AC42C63720D778B4A9CFC0

Function 026C3C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6b799af01ce8f83fbf0bb6c0a79060954fe92abe278ebdfe04214b2cd41a83
Instruction ID: 1c9d6dabbc4058d031a54017e5cd92ac241954cb27fcf6dadb2d251c86146565
Opcode Fuzzy Hash: db6b799af01ce8f83fbf0bb6c0a79060954fe92abe278ebdfe04214b2cd41a83
Instruction Fuzzy Hash: B2F0C2B6D00A06ABDB258F61C0047CAFBB4BB44714F14421AC42C67310D378B465CFC1

Function 026BB407 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58538615fb1f07714d1724b677e4269953d2166634b63e523942d9bdfae9dbd8
Instruction ID: 3b5ba1c8da4b09fff5ec2d6656a1cad1539be3c4bf64a445240f52e5fe63ad60
Opcode Fuzzy Hash: 58538615fb1f07714d1724b677e4269953d2166634b63e523942d9bdfae9dbd8
Instruction Fuzzy Hash: B9F0CAB6D00A06ABDB258F61C0047CAFBB4BB88714F19421AC52C63360D378B4A9CFC0

Function 026C45E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.00000000026B2000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26b2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977510d25bfa77a9f1a5be6bead7aa22e9c4ad656c8ef21cc6cded219d3ed89c
Instruction ID: a12522e887be0812d8adfa76d4d4e504e7a156c6223546339a23b64ee0978412
Opcode Fuzzy Hash: 977510d25bfa77a9f1a5be6bead7aa22e9c4ad656c8ef21cc6cded219d3ed89c
Instruction Fuzzy Hash: A6F0C2B6D00A06ABDB258F61C0047CAFBB4BB44714F14421AC52C67310D378B465CFC0

Non-executed Functions

Function 02758C18 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.0000000002754000.00000040.00000800.00020000.00000000.sdmp, Offset: 02754000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2754000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736e87782326a25bc1fbc53c5a0422e9fd2903ea543d2d73b1ad81f68acf6e1d
Instruction ID: 66efc39ae609fd0967ac90a356bc1f93ca2f2d67dd98e377472a128e9781788c
Opcode Fuzzy Hash: 736e87782326a25bc1fbc53c5a0422e9fd2903ea543d2d73b1ad81f68acf6e1d
Instruction Fuzzy Hash: 0F517272A047218FC711CF28C48462AF7F2BF89714F198A5DDC98A7355D771E986CB82

Function 0275B4C4 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1930770758.0000000002754000.00000040.00000800.00020000.00000000.sdmp, Offset: 02754000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2754000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b5e46fd764642a316965d621364c8f23013f227b3638614c770532d5f5935d
Instruction ID: 9d3860e176658aa91555be4bf7fd41e9441964ddb09d28caac445451e49057a8
Opcode Fuzzy Hash: 78b5e46fd764642a316965d621364c8f23013f227b3638614c770532d5f5935d
Instruction Fuzzy Hash: 5F31B96248E7D64FD7435B709CAA2817FB09F13224B1A04DBC4C0DF5A7E19D484EC762

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.Some data encoding systems may also result in data compression, such as gzip.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Swift Transaction Report.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7736

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7876

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

\Device\ConDrv

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
Swift Transaction Report.js