Edit tour

Windows Analysis Report
Swift Transaction Report.js

Overview

General Information

Sample name:	Swift Transaction Report.js
Analysis ID:	1585123
MD5:	e865de0263ada94ea596fce4efd89ad0
SHA1:	96447cbcae6c1af91dd19587f729ec6cdddabc54
SHA256:	701435e822a78b82d53281af3ffb20b3732462ec99c6f36afdfc6f8eed4123f9
Infos:

Detection

Branchlock Obfuscator

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

JScript performs obfuscated calls to suspicious functions

Multi AV Scanner detection for submitted file

Yara detected Branchlock Obfuscator

Exploit detected, runtime environment starts unknown processes

Potential obfuscated javascript found

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Java / VBScript file with very long strings (likely obfuscated code)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7404 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

java.exe (PID: 7452 cmdline: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)

conhost.exe (PID: 7460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 7540 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

javaw.exe (PID: 7600 cmdline: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)

tasklist.exe (PID: 7656 cmdline: tasklist.exe MD5: 0A4448B31CE7F83CB7691A2657F330F1)

conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1700234294.000001E62DF40000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000000.00000003.1696200287.000001E62D7D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000005.00000002.1694868290.000000001574C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000000.00000003.1698297477.000001E62B86E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000000.00000003.1696006697.000001E62B863000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000000.00000003.1696125701.000001E62D7A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000005.00000003.1664179076.00000000015C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000000.00000002.1699073236.000001E62B86E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Process Memory Space: wscript.exe PID: 7404	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Process Memory Space: javaw.exe PID: 7600	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js", CommandLine|base64offset|contains: N-, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js", ProcessId: 7404, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js", CommandLine|base64offset|contains: N-, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js", ProcessId: 7404, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Swift Transaction Report.js	Virustotal: Detection: 31%			Perma Link
Source: Swift Transaction Report.js	ReversingLabs: Detection: 30%

Software Vulnerabilities

Exploit detected, runtime environment starts unknown processes

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Process created: C:\Windows\System32\conhost.exe

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: seasonmonster.s3.us-east-1.amazonaws.com

Source: javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.CHAMBERSIGN.ORG
Source: javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000005.00000002.1693783110.000000000A61A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: javaw.exe, 00000005.00000002.1693783110.000000000A5C9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A57E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: javaw.exe, 00000005.00000002.1693783110.000000000A61A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: javaw.exe, 00000005.00000002.1693783110.000000000A5C9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe, 00000005.00000002.1693783110.000000000A61A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: javaw.exe, 00000005.00000002.1693783110.000000000A5C9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5FE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 00000005.00000002.1693783110.000000000A61A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: javaw.exe, 00000005.00000002.1693783110.000000000A5C9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A57E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: javaw.exe, 00000005.00000002.1693783110.000000000A61A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: javaw.exe, 00000005.00000002.1693783110.000000000A5C9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5FE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: javaw.exe, 00000005.00000002.1693783110.000000000A61A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: javaw.exe, 00000005.00000002.1693783110.000000000A5C9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5FE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000001.00000002.1662238614.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5C9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000005.00000002.1695061481.0000000015BA0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A723000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 00000005.00000002.1693783110.000000000A61A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: javaw.exe, 00000005.00000002.1693783110.000000000A61A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5C9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5FE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: javaw.exe, 00000005.00000002.1693783110.000000000A61A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5C9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A57E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: javaw.exe, 00000005.00000002.1693783110.000000000A61A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5C9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5FE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A559000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/3
Source: javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bmK
Source: javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: Swift Confirmation Copy.jar.0.dr	String found in binary or memory: https://branchlock.net
Source: wscript.exe, 00000000.00000003.1696006697.000001E62B863000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://branchlock.net8
Source: javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: javaw.exe, 00000005.00000002.1693248875.00000000053C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/email.js
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar
Source: javaw.exe, 00000005.00000002.1693248875.00000000053C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: Swift Transaction Report.js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal84.expl.evad.winJS@12/6@1/1

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7460:120:WilError_03

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\wscript.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Swift Transaction Report.js	Virustotal: Detection: 31%
Source: Swift Transaction Report.js	ReversingLabs: Detection: 30%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
Source: C:\Windows\SysWOW64\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: .Run("java -version", "0", "true");IWshShell3.Run("java -version", "0", "true");IFileSystem3.GetSpecialFolder("2");IFileSystem3.BuildPath("Unsupported parameter type 00000009", "Swift Confirmation Copy.jar");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("UEsDBBQACAgIACW5JFoAAAAAAAAAAAAAAAAUAA0ATUVUQS1JTkYvTUFOSUZFU1QuTUZVVAUAAZa/eWf+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4PJNzMzTdc5JLC62UkjKz01KLC7JTOYCC+gGJJZkWCnocXEBAFBLBwh7RANZOgAAADsAAABQSwMEFAAICAgAtTklWgAAAAAAAAAAAAAAAAwAAADduC/");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar", "2");IWshShell3.Run("java -version", "0", "true");IFileSystem3.GetSpecialFolder("2");IFileSystem3.BuildPath("Unsupported parameter type 00000009", "Swift Confirmation Copy.jar");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("UEsDBBQACAgIACW5JFoAAAAAAAAAAAAAAAAUAA0ATUVUQS1JTkYvTUFOSUZFU1QuTUZVVAUAAZa/eWf+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4PJNzMzTdc5JLC62UkjKz01KLC7JTOYCC+gGJJZkWCnocXEBAFBLBwh7RANZOgAAADsAAABQSwMEFAAICAgAtTklWgAAAAAAAAAAAAAAAAwAAADduC/");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar", "2");_Stream.Close();IWshShell3.Run("java -version", "0", "true");IFileSystem3.GetSpecialFolder("2");IFileSystem3.BuildPath("Unsupported parameter type 00000009", "Swift Confirmation Copy.jar");IXMLDOMNode._00000029("tmp");IXMLDOMElement.dataType("bin.base64");IXMLDOMElement.text("UEsDBBQACAgIACW5JFoAAAAAAAAAAAAAAAAUAA0ATUVUQS1JTkYvTUFOSUZFU1QuTUZVVAUAAZa/eWf+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4PJNzMzTdc5JLC62UkjKz01KLC7JTOYCC+gGJJZkWCnocXEBAFBLBwh7RANZOgAAADsAAABQSwMEFAAICAgAtTklWgAAAAAAAAAAAAAAAAwAAADduC/");IXMLDOMElement.nodeTypedValue();_Stream.Type("1");_Stream.Open();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar", "2");_Stream.Close();IWshShell3.Run("javaw -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"", "0", "true")

Yara detected Branchlock Obfuscator

Source: Yara match	File source: 00000000.00000002.1700234294.000001E62DF40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1696200287.000001E62D7D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1694868290.000000001574C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1698297477.000001E62B86E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1696006697.000001E62B863000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1696125701.000001E62D7A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1664179076.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1699073236.000001E62B86E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: javaw.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar, type: DROPPED

Potential obfuscated javascript found

Source: Swift Transaction Report.js

Initial file: High amount of function use 12

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 1_2_0285A20A push ecx; ret	1_2_0285A21A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 1_2_0285A21B push ecx; ret	1_2_0285A225
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 1_2_0285B3B7 push 00000000h; mov dword ptr [esp], esp	1_2_0285B3DD
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 1_2_0285BB67 push 00000000h; mov dword ptr [esp], esp	1_2_0285BB8D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 1_2_0285B947 push 00000000h; mov dword ptr [esp], esp	1_2_0285B96D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 1_2_0285C477 push 00000000h; mov dword ptr [esp], esp	1_2_0285C49D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 5_2_02F1D8F7 push 00000000h; mov dword ptr [esp], esp	5_2_02F1D921
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 5_2_02F1A21B push ecx; ret	5_2_02F1A225
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 5_2_02F1A20A push ecx; ret	5_2_02F1A21A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 5_2_02F1B3B7 push 00000000h; mov dword ptr [esp], esp	5_2_02F1B3DD
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 5_2_02F1BB67 push 00000000h; mov dword ptr [esp], esp	5_2_02F1BB8D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 5_2_02F1D8D1 push 00000000h; mov dword ptr [esp], esp	5_2_02F1D921
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 5_2_02F1B947 push 00000000h; mov dword ptr [esp], esp	5_2_02F1B96D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 5_2_02F1C477 push 00000000h; mov dword ptr [esp], esp	5_2_02F1C49D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 5_2_02FBD691 push cs; retf	5_2_02FBD6B1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 5_2_02FBB331 push ecx; retn 0022h	5_2_02FBB3E6
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 5_2_02FBB077 push es; iretd	5_2_02FBB07E
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Code function: 5_2_02FC159A pushad ; ret	5_2_02FC159D

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE8
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE8
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE8
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE8
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE8
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE8
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE8
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE8

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Code function: 5_2_02FBB4C4 sldt word ptr [eax]

5_2_02FBB4C4

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: javaw.exe, 00000005.00000003.1664504889.00000000154F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000005.00000003.1664504889.00000000154F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000001.00000002.1661708421.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: java.exe, 00000001.00000002.1661708421.0000000000E85000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1692830105.0000000001588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000005.00000003.1664504889.00000000154F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000001.00000002.1661708421.0000000000E85000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1692830105.0000000001588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware.exe8
Source: java.exe, 00000001.00000003.1659260644.0000000014E63000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000003.1664504889.00000000154F5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe8
Source: javaw.exe, 00000005.00000002.1692830105.0000000001588000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSn=E

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Code function: 1_2_028503C0 cpuid

1_2_028503C0

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7452 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7600 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	22 Scripting	Valid Accounts	1 Windows Management Instrumentation	22 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Swift Transaction Report.js	31%	Virustotal		Browse
Swift Transaction Report.js	30%	ReversingLabs	Script-JS.Trojan.Malgent

Source	Detection	Scanner	Label
https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar	0%	Avira URL Cloud	safe
http://www.quovadis.bmK	0%	Avira URL Cloud	safe
https://branchlock.net8	0%	Avira URL Cloud	safe
http://repository.swisssign.com/3	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar	0%	Avira URL Cloud	safe
HTTP://WWW.CHAMBERSIGN.ORG	0%	Avira URL Cloud	safe
https://branchlock.net	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/email.js	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-r-w.us-east-1.amazonaws.com	16.182.70.66	true	false		high
seasonmonster.s3.us-east-1.amazonaws.com	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.xrampsecurity.com/XGCA.crl	javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl0	javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://branchlock.net8	wscript.exe, 00000000.00000003.1696006697.000001E62B863000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://repository.luxtrust.lu0	javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bugreport.sun.com/bugreport/	javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5B9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html0	javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar	javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://java.oracle.com/	java.exe, 00000001.00000002.1662238614.0000000004A00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A5C9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/	javaw.exe, 00000005.00000002.1695061481.0000000015BA0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A723000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/0	javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	false		high
HTTP://WWW.CHAMBERSIGN.ORG	javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://branchlock.net	Swift Confirmation Copy.jar.0.dr	false	Avira URL Cloud: safe	unknown
http://policy.camerfirma.com	javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/3	javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar	javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bmK	javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com	javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html	javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar	javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/email.js	javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl	javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu	javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com	javaw.exe, 00000005.00000002.1693248875.00000000053C6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf	javaw.exe, 00000005.00000002.1693248875.00000000053C6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm	javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar	javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersroot.crl	javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	javaw.exe, 00000005.00000002.1693248875.00000000054BE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org	javaw.exe, 00000005.00000002.1693248875.000000000511D000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000005.00000002.1693783110.000000000A7B6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	javaw.exe, 00000005.00000002.1693248875.000000000548E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar	javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar	javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar	javaw.exe, 00000005.00000002.1693783110.000000000A648000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
16.182.70.66	s3-r-w.us-east-1.amazonaws.com	United States		unknown	unknown	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585123
Start date and time:	2025-01-07 05:45:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Swift Transaction Report.js
Detection:	MAL
Classification:	mal84.expl.evad.winJS@12/6@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 81% Number of executed functions: 26 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .js Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target java.exe, PID 7452 because it is empty
Execution Graph export aborted for target javaw.exe, PID 7600 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.us-east-1.amazonaws.com	https://midoregoncu-securemessagecenter.s3.us-east-1.amazonaws.com/open/message_12832.html	Get hash	malicious	HTMLPhisher	Browse	54.231.130.18
	http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdf	Get hash	malicious	Unknown	Browse	52.217.134.50
	https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html	Get hash	malicious	Unknown	Browse	52.217.41.32
	https://verification.com/omid_error?	Get hash	malicious	Unknown	Browse	52.217.85.136
	https://receptive-comfortable-paw.glitch.me/	Get hash	malicious	Unknown	Browse	16.15.178.21
	https://payroll-news.at-eu.therelayservice.com/service/BUX_ZozoSdJWCG_5j9jtL5kIM8s4zpz8F8daQ7vEahL5WDRxV7IghpJPwSaoWNEG9eO6H06U_y_gwUSZJc9fDfwYBqPUPrZdmmRzUZ9qHFiMcq2w4-i7crrAjeyo_fa156_U7Eu0Ww9PKs3fM5eYkKQ_3vneF9YQUPUya3C3-wlq3FWHKATIkpuQEfV3laRldFNeWNfYS-sS9ogrADD3n54QIIqJd8nlTvWUjJCrpgug-gBImSGXyayDT39pkqjgqB_40YKcUcppFI95cuu7iPqdT0iDrU2CjdVlbNBd7udGztDhsYo1On9eJe-8oAEXs4eUbwt4py8g4aPFRtdg8AUlv-D-xKGeqkuRGN01AKHTOx7qZI-nNi5aqPk4UOXYeA3nx4xY22_7T29dLhfKcA	Get hash	malicious	Unknown	Browse	52.217.140.2
	Employee_Important_Message.pdf	Get hash	malicious	HTMLPhisher	Browse	16.182.106.106
	Employee_Important_Message.pdf	Get hash	malicious	Unknown	Browse	52.217.199.10
	https://google.lk/url?q=ernie.grue@nationalmi.com&nationalmi.com&sa=t&url=amp/s/i--iy.s3.us-east-1.amazonaws.com/vocabulary.html#ZXJuaWUuZ3J1ZUBuYXRpb25hbG1pLmNvbQ==	Get hash	malicious	Unknown	Browse	52.217.132.146

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.882568083276078
Encrypted:	false
SSDEEP:	3:oFj4I5vpm4USdUuy:oJ5bWuy
MD5:	746BD29EE52A8086B934AA31D4BFA716
SHA1:	7E8C8E9F84CEC8AB0745D67AAD29EFEAF8571251
SHA-256:	93CB532731C85172D33EB0F9CB1F438C5BFAB98E5194075116F1D4D62B35F9A2
SHA-512:	1A01FFFE1E5E599EAE4C5D53B4FD9AAE24CCD09AB4F61F05F0BE02F605C46A267E33CD26C6FDF4CA2B17E90F83CC9B20ECF23E28C08C274AF78D9666993AEFA9
Malicious:	false
Reputation:	low
Preview:	C:\Program Files (x86)\Java\jre-1.8..1736225192839..

C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	21359
Entropy (8bit):	7.948030467353428
Encrypted:	false
SSDEEP:	384:OAJjyCdE1n02lxzHm8QkdduiQpbkl/JZ476rvusoEyPsh719/buA5OB5/6RkhZgK:PJy1npQm5QxkBcyvulbkB19/buAoX/Rf
MD5:	8E96E66F83E748D267DF96390C880297
SHA1:	BAE891900C7C646F62A9B51C27F5B13A30CC9589
SHA-256:	AE345B40D165255284BF4C6AB00A871FCB035B552AC0B20B3CFB19E4644E49B7
SHA-512:	CEE16641BBBBF2DA2D1AE7AF00E6B266DE0374B955C37933061C4D1641AAC4CD1216A05C2140CB9203B0DC9CF565C686D5C04CD884EB44C578CD40605F7F7224
Malicious:	true
Yara Hits:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar, Author: Joe Security
Reputation:	low
Preview:	PK........%.$Z................META-INF/MANIFEST.MFUT.....yg.....M..LK-...K-...R0.3..M...u.I,..RH..MJ,..L.....$.dX).qq..PK..{D.Y:...;...PK.........9%Z................./..class.R[O.A.=C...k..P.h.E]. J.....bDI..m...k.-../..7..Q\|..@c..f..^.!./..4......ag.;g.w......N.2.w#.l.,. .U........6..N.qj....}{N..5.....Q.R.4.$..a.....q.f..A9..#....a...LBUcA.PWM.fx.]..x}(.n...g..S.+rio.....j..&!...{.&....)n!JP...fd)3 .T.U....{..6tSw......-}.u......7.....efD.'........<Pl.3...h......u5.f.~~ .~.k.[.....H......J.2.Y......t..ajO.i~....M.8.U...t..1.cP.L[......,...(#ng....%b#..i...8...5A.......8J....X.Dt..S.e.T3Et.H..M.6.$t..]8.... .J#.n.fN.u.J.C...'..5..Q.+....5N.L.m..5<..5.DT......?.......F.ai..`k..uT.b...S..j]....i.A..'.......Gq8.!D!....<.)...p..C.....}.s8....y..uya...x...u...:.p...u.V..J.".RCl.T!......S...F./PK...}j.........PK.........9%Z................./..class.T]O.Y.~N....k[AdY.u....AYQ....G*~.0.....u._.f....%..Q...&..L................B..w..c

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7452

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2193462645503217
Encrypted:	false
SSDEEP:	96:By4rb1f8GeE5+46rJI28I3H7TiHG1bowYf:Byg8GeE5+46WIr+HGd+
MD5:	53438E1A67F753F81297EE3194AE307E
SHA1:	D972814AA7D6503C6C99228685B70B5C7DA0752E
SHA-256:	D64BE12B85D477F0F8930FB8DDAFE664FDAAA24F71C8EFC3C82A9ADDA463BC50
SHA-512:	3F74D062013D5B573E21339CFE7D023EED5D71AEF68CCFDC8128C876FE3B2EAA373A458A1DFD8B41EE2181787AEF86B0484565CDF092D1520D29CC9E0E247236
Malicious:	false
Preview:	........87......a....... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7600

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2860345779122162
Encrypted:	false
SSDEEP:	96:6ZerDjE8G95q9PdKp6L6cYwbHP+7gaYbd77TmHG1bowF:6ZT8GjidKp6L6WH25YpPqHGd
MD5:	3C7D7ABB8915CA964D1D267E06B52359
SHA1:	4B22080B46CED9267C429551A8B745ABCABC487B
SHA-256:	699AA1FFE686D2259E66507EDA0DE291197448B9BF9301A204D69835E6FE4800
SHA-512:	E1745DA0F4887FDAAA39A7A58669DCC316B42AABC8CB47235886A89BA0D6BC6C8ED45618DE55FA2E74EC2F2B609B0237B1CD3316DFEC98DEFE42F5A664FEC298
Malicious:	false
Preview:	........ 9.......4...... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwlt7n:WNn
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Preview:	........................................J2SE.

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	140
Entropy (8bit):	5.1030619724035935
Encrypted:	false
SSDEEP:	3:CEuXWN0LdmI3VuEHNekOCe3Z8md3EIFHgtzasVVdR1Ikk1:CEuX8jIcCQ93EHt+sVVCF1
MD5:	67923EB5173B4A81DD4F8954EFCF4BDF
SHA1:	F3780A75AE4B391060BB8A953B7A4A3632E2B0AE
SHA-256:	46ED3C9741B74886F805C491E189983FBE21E9B50907514A2D7069DF1D130BBF
SHA-512:	A5CC6BA075EEE88BEDA940337BEE99A65F78D81C7E5F07A559EC7F90F14AC2C5BEF31BFE986B666FC0D3E8EF4F4E7C92EF947545F16EE5E825499D07B49201CE
Malicious:	false
Preview:	java version "1.8.0_381"..Java(TM) SE Runtime Environment (build 1.8.0_381-b09)..Java HotSpot(TM) Client VM (build 25.381-b09, mixed mode)..

Static File Info

General

File type:	ASCII text, with very long lines (65536), with no line terminators
Entropy (8bit):	5.013450527079773
TrID:
File name:	Swift Transaction Report.js
File size:	334'392 bytes
MD5:	e865de0263ada94ea596fce4efd89ad0
SHA1:	96447cbcae6c1af91dd19587f729ec6cdddabc54
SHA256:	701435e822a78b82d53281af3ffb20b3732462ec99c6f36afdfc6f8eed4123f9
SHA512:	124f57e8f55a87ed2bf2f654d0bc59b5195807fb999c2e534bf22a9eb23471ca84f9a3794a20f3651dcefcd324827988f28c439830ce98e325a7d39de906bb3b
SSDEEP:	3072:mOAfrLpHJttJamF2HVF1SPtDNu8JPJRl0JSc:hAzdtEBF05NdJ7l0JSc
TLSH:	9B641C7839405C475CD97EF7663348CEDEB37805A289C8BBE2002979A28757CAB517F2
File Content Preview:	function _0x5023(){var _0x24472e=['qvwnAjm4Sd','e581tkX1WT','OgWi80OwsB','IyMD17J1x4','XHg0Nic6Xz','RSgweDhlKS','cyxjcmVhdG','9yM2FlICU3','VCNjJbXzB4','NkVceDQ2XH','oYoRMUCKd3','MHhFQzZBLF','B4MjY0KSks','g0Myc6XzB4','6e+QdDu1vk','WzIyOV0sXz','hfMHhFQkE0',

File Icon


Icon Hash:	68d69b8bb6aa9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 05:46:35.547719955 CET	49730	443	192.168.2.4	16.182.70.66
Jan 7, 2025 05:46:35.547746897 CET	443	49730	16.182.70.66	192.168.2.4
Jan 7, 2025 05:46:35.547818899 CET	49730	443	192.168.2.4	16.182.70.66
Jan 7, 2025 05:46:35.656919956 CET	49730	443	192.168.2.4	16.182.70.66
Jan 7, 2025 05:46:35.656934023 CET	443	49730	16.182.70.66	192.168.2.4
Jan 7, 2025 05:46:36.214342117 CET	443	49730	16.182.70.66	192.168.2.4
Jan 7, 2025 05:46:36.214463949 CET	49730	443	192.168.2.4	16.182.70.66
Jan 7, 2025 05:46:36.214482069 CET	443	49730	16.182.70.66	192.168.2.4
Jan 7, 2025 05:46:36.214524031 CET	49730	443	192.168.2.4	16.182.70.66
Jan 7, 2025 05:46:36.302556992 CET	49730	443	192.168.2.4	16.182.70.66
Jan 7, 2025 05:46:36.302563906 CET	443	49730	16.182.70.66	192.168.2.4
Jan 7, 2025 05:46:36.727056026 CET	49730	443	192.168.2.4	16.182.70.66
Jan 7, 2025 05:46:36.727082014 CET	443	49730	16.182.70.66	192.168.2.4
Jan 7, 2025 05:46:36.727286100 CET	443	49730	16.182.70.66	192.168.2.4
Jan 7, 2025 05:46:36.727370024 CET	49730	443	192.168.2.4	16.182.70.66
Jan 7, 2025 05:46:36.727456093 CET	49730	443	192.168.2.4	16.182.70.66
Jan 7, 2025 05:46:36.727468014 CET	443	49730	16.182.70.66	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 05:46:35.513469934 CET	62880	53	192.168.2.4	1.1.1.1
Jan 7, 2025 05:46:35.544008970 CET	53	62880	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 05:46:35.513469934 CET	192.168.2.4	1.1.1.1	0xd579	Standard query (0)	seasonmonster.s3.us-east-1.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 05:46:35.544008970 CET	1.1.1.1	192.168.2.4	0xd579	No error (0)	seasonmonster.s3.us-east-1.amazonaws.com	s3-r-w.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 05:46:35.544008970 CET	1.1.1.1	192.168.2.4	0xd579	No error (0)	s3-r-w.us-east-1.amazonaws.com		16.182.70.66	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:46:35.544008970 CET	1.1.1.1	192.168.2.4	0xd579	No error (0)	s3-r-w.us-east-1.amazonaws.com		16.15.192.112	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:46:35.544008970 CET	1.1.1.1	192.168.2.4	0xd579	No error (0)	s3-r-w.us-east-1.amazonaws.com		54.231.172.130	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:46:35.544008970 CET	1.1.1.1	192.168.2.4	0xd579	No error (0)	s3-r-w.us-east-1.amazonaws.com		54.231.236.2	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:46:35.544008970 CET	1.1.1.1	192.168.2.4	0xd579	No error (0)	s3-r-w.us-east-1.amazonaws.com		54.231.139.50	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:46:35.544008970 CET	1.1.1.1	192.168.2.4	0xd579	No error (0)	s3-r-w.us-east-1.amazonaws.com		52.217.170.2	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:46:35.544008970 CET	1.1.1.1	192.168.2.4	0xd579	No error (0)	s3-r-w.us-east-1.amazonaws.com		52.217.94.192	A (IP address)	IN (0x0001)	false
Jan 7, 2025 05:46:35.544008970 CET	1.1.1.1	192.168.2.4	0xd579	No error (0)	s3-r-w.us-east-1.amazonaws.com		3.5.2.114	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	23:46:30
Start date:	06/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Swift Transaction Report.js"
Imagebase:	0x7ff671150000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000000.00000002.1700234294.000001E62DF40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000000.00000003.1696200287.000001E62D7D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000000.00000003.1698297477.000001E62B86E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000000.00000003.1696006697.000001E62B863000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000000.00000003.1696125701.000001E62D7A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000000.00000002.1699073236.000001E62B86E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:46:32
Start date:	06/01/2025
Path:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
Imagebase:	0x760000
File size:	257'664 bytes
MD5 hash:	9DAA53BAB2ECB33DC0D9CA51552701FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:46:32
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:46:32
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0x520000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:46:32
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:46:32
Start date:	06/01/2025
Path:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
Imagebase:	0xf40000
File size:	257'664 bytes
MD5 hash:	6E0F4F812AE02FBCB744A929E74A04B8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000005.00000002.1694868290.000000001574C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000005.00000003.1664179076.00000000015C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:46:32
Start date:	06/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist.exe
Imagebase:	0x4d0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	23:46:32
Start date:	06/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 0285D9A5 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1661964725.0000000002852000.00000040.00000800.00020000.00000000.sdmp, Offset: 02852000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2852000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e15291be8348b7114f5039d69ae023b5c2755620e676224a39276dfde3f2c4a1
Instruction ID: 5df7c43785a46a42003769747f0de652b62fee0082f468a5792f0127d0639f25
Opcode Fuzzy Hash: e15291be8348b7114f5039d69ae023b5c2755620e676224a39276dfde3f2c4a1
Instruction Fuzzy Hash: 2581897DA04611DFDB19CF24C594BA9FBB2FF49318F088199DC1A8B391DB34A845CB91

Function 02850672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1661964725.0000000002850000.00000040.00000800.00020000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2850000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf75aaba01b5f7ed1f24ecb2bbd60a22b9d75a1251be1aa343e68c7fbe5b3b5
Instruction ID: d063a7e7dea6c84cf0275876b542d5d1b511233a2ba7d39c728e1bf9b728a0d7
Opcode Fuzzy Hash: 5cf75aaba01b5f7ed1f24ecb2bbd60a22b9d75a1251be1aa343e68c7fbe5b3b5
Instruction Fuzzy Hash: E61137BA90023A9FCB18CF88C8954ADB7F0FB9C314B164525DC69E3342D3346920CB91

Function 02850722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1661964725.0000000002850000.00000040.00000800.00020000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2850000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1628532d129ae1b7f736ab46be6e8470d553d486903ff757edcf49299b82b0a
Instruction ID: 73dbb0c2b9cc48f6c7511afbd5b5eaa6756acd82fac3daf03fda1899604e4482
Opcode Fuzzy Hash: d1628532d129ae1b7f736ab46be6e8470d553d486903ff757edcf49299b82b0a
Instruction Fuzzy Hash: 56F0157EC04229DB8B14DF48C4410ADB7B1EB08318B2A8496DC2CB7641D332AD62CF81

Function 02864B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1661964725.0000000002852000.00000040.00000800.00020000.00000000.sdmp, Offset: 02852000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2852000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2adf1ff9e2999a1639629d569edd706b5f7749dd4d150d3bdfae3d6ee9d6e1a5
Instruction ID: a65b4864608644b046cef383bc1414778f4c0f1a931c1968abeb370f2810e7bd
Opcode Fuzzy Hash: 2adf1ff9e2999a1639629d569edd706b5f7749dd4d150d3bdfae3d6ee9d6e1a5
Instruction Fuzzy Hash: 25F07FB9900A16EBDB158F61C0447DAFBB4BB88718F14421AD82C57750D778B4658BC0

Function 0285DA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1661964725.0000000002852000.00000040.00000800.00020000.00000000.sdmp, Offset: 02852000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2852000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef52f079c814a0805706101f2bc078244514ac6108106910c396ef1e3ed1435
Instruction ID: 562540eeef2f203427646e1dee9107288e8ba0b7a22073c674506fe7169d202a
Opcode Fuzzy Hash: 8ef52f079c814a0805706101f2bc078244514ac6108106910c396ef1e3ed1435
Instruction Fuzzy Hash: 0EF0C2BAD00A16ABDB248F61C0447DAFBB4BB48714F14421AC42C67750D378B465CBC0

Function 02863C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1661964725.0000000002852000.00000040.00000800.00020000.00000000.sdmp, Offset: 02852000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2852000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16142c7fae2db66099a26e55900dcbc290a6092372a6f458561ab7531400e47
Instruction ID: 99014fc9a2daa39cc3d295409638fe50eb3974d1d43355e68d7d70e79aef6eda
Opcode Fuzzy Hash: a16142c7fae2db66099a26e55900dcbc290a6092372a6f458561ab7531400e47
Instruction Fuzzy Hash: 4EF0C2BAD00A16ABDB248F61C0447CAFBB4BB48714F14421AC42C67750D378B465CBC0

Function 028645E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1661964725.0000000002852000.00000040.00000800.00020000.00000000.sdmp, Offset: 02852000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2852000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3587d9d475bb055adb6065aa05b1ccb45c37521e1e51c9a98eda220763310196
Instruction ID: 135ffdc11b993a6f758f0f7e9864331faed8abc2d5d1824e7203d90709480810
Opcode Fuzzy Hash: 3587d9d475bb055adb6065aa05b1ccb45c37521e1e51c9a98eda220763310196
Instruction Fuzzy Hash: 67F0C2BAD00A16ABDB258F61C0447CAFBB4BB48714F14421AC52C67750D378B465CBC0

Non-executed Functions

Function 028503C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1661964725.0000000002850000.00000040.00000800.00020000.00000000.sdmp, Offset: 02850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2850000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction ID: 63908504623f90adf00babe1516911e6641fb0cb8b71ea21e973a8194a3774bd
Opcode Fuzzy Hash: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction Fuzzy Hash: 4021D6BA5042668FDB358F198C403D9B7E5FB58314F21882EDECDE7710D3346A898B51

Analysis Process: javaw.exePID: 7600, Parent PID: 7404COMMON

Executed Functions

Function 02FBFB92 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002FB4000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fb4000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed19c4ea9ac90fd0d76f100d8933c5d8f3fe5fb320b995d73e693120fe529ab6
Instruction ID: c29eae06ce2fad36362360161503791df1f64f9a6b50d4ed17656aedc6cbb119
Opcode Fuzzy Hash: ed19c4ea9ac90fd0d76f100d8933c5d8f3fe5fb320b995d73e693120fe529ab6
Instruction Fuzzy Hash: C4D16C75A04300CFC715CF19C58061ABBF2FF89354F658A6EE9899B755C731E842CB81

Function 02F1D8F7 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f12000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358aa0e2007fb5baf0369232700f11df1abd0958b88fefebfa5ad392c939de05
Instruction ID: 38da8fb741ee12e6503b706108e3bd5c694382a57e4b204e20e5e4585f9ad6e5
Opcode Fuzzy Hash: 358aa0e2007fb5baf0369232700f11df1abd0958b88fefebfa5ad392c939de05
Instruction Fuzzy Hash: 9CA1BE71A04601DFDB18CF64C994BA9FBB1FF49354F48859DDA1A4B382C774A884CF91

Function 02F1D8D1 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f12000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a714b699f47145b5d768ba7321b7e4ce7fae5cf9cc4b7d39fa9f227eb9714757
Instruction ID: adb01731ebd5282fd0b9a8c455155101f485ebd5fc8d746a9a438d211ff993e8
Opcode Fuzzy Hash: a714b699f47145b5d768ba7321b7e4ce7fae5cf9cc4b7d39fa9f227eb9714757
Instruction Fuzzy Hash: 2A71E071A04641DFDB18CF24C894BAAFBB1FF49354F48859DDA0A8B382C774A845CF91

Function 02FCC4DF Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002FB4000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fb4000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45eeccfc1138dfdccd65dff7eefc519f16d0861d18b283525ed152512f8b93d5
Instruction ID: 1f55b5f201ce9c8649924e0b27c4ab9bff1beed66a26a96aa3fe963dfc3244f5
Opcode Fuzzy Hash: 45eeccfc1138dfdccd65dff7eefc519f16d0861d18b283525ed152512f8b93d5
Instruction Fuzzy Hash: 09413B71A443468FC711DF14C68061AB7F2FFC9254F798A6EEA8897304D731E8428B92

Function 02FC9567 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002FB4000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fb4000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f050d2ca281992463e19340df3bd63e589376dc97ca96b1a694060d33a3ecbe7
Instruction ID: dddead86ae114d5f1ce5e5aa3a82d08f845ee4a6c2be0a070ecfd127fff77426
Opcode Fuzzy Hash: f050d2ca281992463e19340df3bd63e589376dc97ca96b1a694060d33a3ecbe7
Instruction Fuzzy Hash: 4F31C070A09386EFD716CF64C6183B9BBB0BB42308F6886ADC94857781D7746558DB82

Function 02F10672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f10000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf75aaba01b5f7ed1f24ecb2bbd60a22b9d75a1251be1aa343e68c7fbe5b3b5
Instruction ID: 85686fe4cd4d8b865176855e95191b8ad15d2c5124360cb1ac2371357faa446a
Opcode Fuzzy Hash: 5cf75aaba01b5f7ed1f24ecb2bbd60a22b9d75a1251be1aa343e68c7fbe5b3b5
Instruction Fuzzy Hash: 95118BB2D0022ADFCF18CF88C4954ADB3B0FF98354B964529DD69A3341DB3469A0CF80

Function 02FC2A68 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002FB4000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fb4000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940682dd0204491479f54afc6ee302fa1af8b326b0a3703e82071ecdd1085064
Instruction ID: d493fdaf70c8d20b3fa26ac133f47b6c92254ff054292d2e5ae13b86455c6cea
Opcode Fuzzy Hash: 940682dd0204491479f54afc6ee302fa1af8b326b0a3703e82071ecdd1085064
Instruction Fuzzy Hash: BFF027718083888FC7019B348C44524BBB1AF07264F2947CCD8E4A72D2D322945ACB52

Function 02FC2A90 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002FB4000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fb4000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8be7b468f504324248d96a500edf802182a070b1ae5ededb121df8a57556a8f
Instruction ID: 0da232dc6075a653b7b1e3053548b82cdeaf2cc3651402d77fb67dc9140e0e19
Opcode Fuzzy Hash: d8be7b468f504324248d96a500edf802182a070b1ae5ededb121df8a57556a8f
Instruction Fuzzy Hash: DAD05B71C443048BC200AF38D440525F7A4BF15364F554B9CEDD867381D731A8918F91

Function 02F10722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f10000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1628532d129ae1b7f736ab46be6e8470d553d486903ff757edcf49299b82b0a
Instruction ID: 8c4f3383aabeef2bee3d28bef7a18bd82521b3e46451ea5bb1f4614a27059af9
Opcode Fuzzy Hash: d1628532d129ae1b7f736ab46be6e8470d553d486903ff757edcf49299b82b0a
Instruction Fuzzy Hash: 3BF01576C0022DDB8B14DF48C4400ADB7B1FF09358B5A849ADD6C77641D732ADA2CF81

Function 02F24B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f12000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca7e7b62271432b5218b829905210024a5fcd195a2ee51631d436f4f3046c2a0
Instruction ID: 00972b1731a5c12b9331ed38961ce9d265741eaf2a4373dda00c27340683f53d
Opcode Fuzzy Hash: ca7e7b62271432b5218b829905210024a5fcd195a2ee51631d436f4f3046c2a0
Instruction Fuzzy Hash: 24F07FB5900A16EBDB158F61C0047DAFBB4BB98718F14421AD92C57750D778B4658BC0

Function 02F26495 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f12000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cae8f4b4bd49325955f2ea3926d0763a8fab81cef8b2e5040f473405ad8ff25
Instruction ID: fa8a1f0e11999281295a7f74093f4b0c2f8a0084c7c1d976bb3f4e5393c20f62
Opcode Fuzzy Hash: 9cae8f4b4bd49325955f2ea3926d0763a8fab81cef8b2e5040f473405ad8ff25
Instruction Fuzzy Hash: 4EF0FBB6A00A06EBDB25CF21C0047CAFBB0BB88714F04420AD82C67350C778B469CFC0

Function 02F1EC1C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f12000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe125acad4c82b60adc65d1e1a5294520aa4f5767d8aabd9c441974179e6e4c
Instruction ID: 82bda9bda58b2932186a6d3539e70546e6483a5392d55e2839f19d81e354d0cd
Opcode Fuzzy Hash: 6fe125acad4c82b60adc65d1e1a5294520aa4f5767d8aabd9c441974179e6e4c
Instruction Fuzzy Hash: 4CF0F2B5900A06EBDB15CF21C0047CAFBB0BB88714F04420AC42C63750C778B469CFC0

Function 02F26575 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f12000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cae8f4b4bd49325955f2ea3926d0763a8fab81cef8b2e5040f473405ad8ff25
Instruction ID: fa8a1f0e11999281295a7f74093f4b0c2f8a0084c7c1d976bb3f4e5393c20f62
Opcode Fuzzy Hash: 9cae8f4b4bd49325955f2ea3926d0763a8fab81cef8b2e5040f473405ad8ff25
Instruction Fuzzy Hash: 4EF0FBB6A00A06EBDB25CF21C0047CAFBB0BB88714F04420AD82C67350C778B469CFC0

Function 02F1DA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f12000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da3e5aafbbaf9ea59f9de9bd28ba5f82c8e069a8c08fe982018a389cf05a64f
Instruction ID: 35b4c93e7b2e81e56d4d0ffabc37fd6fe19d08800b30294009a036051affbfeb
Opcode Fuzzy Hash: 1da3e5aafbbaf9ea59f9de9bd28ba5f82c8e069a8c08fe982018a389cf05a64f
Instruction Fuzzy Hash: A9F0C2B6D00A06ABDB248F61C0047DAFBB4BB54714F14421AD52C63750D778B465CFC0

Function 02F249AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f12000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff88c0d8add4f2e63acd6353a112cb706a803ba480241e90c2d836124d6536c7
Instruction ID: ef140f88435c437e8230ee7f5543f338d48779556734dc8befc82039ac7fe123
Opcode Fuzzy Hash: ff88c0d8add4f2e63acd6353a112cb706a803ba480241e90c2d836124d6536c7
Instruction Fuzzy Hash: 97F0CAB6D00A06ABDB248F61C0047CAFBB4BB98714F14421AD92CA7760D778B4A9CFC0

Function 02F1DE6E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f12000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4e2beb0b6e4ae4a1fef05536e375d112aac052e67a535668ed0a5c805a1c8e
Instruction ID: e14dc3e995c62689187efc6234ed74fce78316445557eea6f1c1a1d8cfeaf66e
Opcode Fuzzy Hash: 4a4e2beb0b6e4ae4a1fef05536e375d112aac052e67a535668ed0a5c805a1c8e
Instruction Fuzzy Hash: 9AF0CAB6D00A06ABDB258F61C0047CAFBB4BB98714F15421AC92CA3760C778B4A9CFC0

Function 02F23C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f12000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab68bc8ccb0517f4fd5fc8f18b4b57b9cca9c8d6dcbd7962a36934523ef0b8d
Instruction ID: 795b84d6a8601cf4f6604dd9a04574dbf349dabb011936f4af7d6337f2f5b098
Opcode Fuzzy Hash: 9ab68bc8ccb0517f4fd5fc8f18b4b57b9cca9c8d6dcbd7962a36934523ef0b8d
Instruction Fuzzy Hash: 54F0C2B6D00A06ABDB248F61C0047CAFBB4BB54714F14421AD52C67750D778B465CFC0

Function 02F1B407 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f12000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe66f99379d26bb58e3241b767572471c9937af80e840d13454c472fd0d9d9e
Instruction ID: 1089f804b65f3d266393b92b0539b7f2973e8c7328580f02a26181b3d8c9a1b7
Opcode Fuzzy Hash: cbe66f99379d26bb58e3241b767572471c9937af80e840d13454c472fd0d9d9e
Instruction Fuzzy Hash: 12F0CAB6D00A06ABDB248F61C0047CAFBB4BB98714F19421AC92C63760D778B4A9CFC0

Function 02F245E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002F12000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F12000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2f12000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcfe8766b1c9faf12f499b8f0097c533bb6db963166c92a5ddf6f320449a7d2d
Instruction ID: 84ef145afeca9d0228a598736f46488429865ecaed645a8cadd8705b79639092
Opcode Fuzzy Hash: fcfe8766b1c9faf12f499b8f0097c533bb6db963166c92a5ddf6f320449a7d2d
Instruction Fuzzy Hash: 47F0C2B6D00A06ABDB258F61C0047CAFBB4BB54714F14421AD52C63750D778B465CFC0

Non-executed Functions

Function 02FBB4C4 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1692989476.0000000002FB4000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2fb4000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b5e46fd764642a316965d621364c8f23013f227b3638614c770532d5f5935d
Instruction ID: ba0c3f81cd0246f145077983177c1ff86338d42d003af79805b09afedee42d42
Opcode Fuzzy Hash: 78b5e46fd764642a316965d621364c8f23013f227b3638614c770532d5f5935d
Instruction Fuzzy Hash: C331996249E7C64FD7435B719CAA2813FB09F13224B0A04DBC4C4CF6A7E69D494EC762

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Swift Transaction Report.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7452

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7600

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

\Device\ConDrv

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
Swift Transaction Report.js