Windows
Analysis Report
5hsRaLKPV6.jar
Overview
General Information
Sample name: | 5hsRaLKPV6.jar (renamed file extension from none to jar, renamed because original name is a hash value) |
Original sample name: | ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7 |
Analysis ID: | 1590513 |
MD5: | 8e96e66f83e748d267df96390c880297 |
SHA1: | bae891900c7c646f62a9b51c27f5b13a30cc9589 |
SHA256: | ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7 |
Infos: |
Detection
Score: | 68 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
cmd.exe (PID: 6616 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\Prog ram Files (x86)\Java \jre-1.8\b in\java.ex e" -javaag ent:"C:\Us ers\user\A ppData\Loc al\Temp\ja rtracer.ja r" -jar "C :\Users\us er\Desktop \5hsRaLKPV 6.jar"" >> C:\cmdlin estart.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) conhost.exe (PID: 6596 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) java.exe (PID: 6812 cmdline:
"C:\Progra m Files (x 86)\Java\j re-1.8\bin \java.exe" -javaagen t:"C:\User s\user\App Data\Local \Temp\jart racer.jar" -jar "C:\ Users\user \Desktop\5 hsRaLKPV6. jar" MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA) icacls.exe (PID: 6920 cmdline:
C:\Windows \system32\ icacls.exe C:\Progra mData\Orac le\Java\.o racle_jre_ usage /gra nt "everyo ne":(OI)(C I)M MD5: 2E49585E4E08565F52090B144062F97E) conhost.exe (PID: 7008 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) tasklist.exe (PID: 7080 cmdline:
tasklist.e xe MD5: 0A4448B31CE7F83CB7691A2657F330F1) conhost.exe (PID: 7052 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_BranchlockObfuscator | Yara detected Branchlock Obfuscator | Joe Security |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_BranchlockObfuscator | Yara detected Branchlock Obfuscator | Joe Security | ||
JoeSecurity_BranchlockObfuscator | Yara detected Branchlock Obfuscator | Joe Security | ||
JoeSecurity_BranchlockObfuscator | Yara detected Branchlock Obfuscator | Joe Security |
- • AV Detection
- • Software Vulnerabilities
- • Networking
- • System Summary
- • Data Obfuscation
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
- • Lowering of HIPS / PFW / Operating System Security Settings
Click to jump to signature section
AV Detection |
---|
Source: | Virustotal: | Perma Link |
Source: | Integrated Neural Analysis Model: |
Software Vulnerabilities |
---|
Source: | Process created: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | WMI Queries: |
Source: | Key opened: | Jump to behavior |
Source: | Binary or memory string: |
Source: | Virustotal: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Data Obfuscation |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: | 2_2_022FD921 | |
Source: | Code function: | 2_2_022FA21A | |
Source: | Code function: | 2_2_022FA225 | |
Source: | Code function: | 2_2_022FBB8D | |
Source: | Code function: | 2_2_022FB3DD | |
Source: | Code function: | 2_2_022FD921 | |
Source: | Code function: | 2_2_022FB96D | |
Source: | Code function: | 2_2_022FC49D | |
Source: | Code function: | 2_2_0239D071 | |
Source: | Code function: | 2_2_0239C211 | |
Source: | Code function: | 2_2_0239F66A |
Source: | Process created: |
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 2_2_0239B836 |
Source: | Last function: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Code function: | 2_2_023063B4 |
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory protected: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Code function: | 2_2_022F03C0 |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Services File Permissions Weakness | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Services File Permissions Weakness | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 23 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Services File Permissions Weakness | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
27% | Virustotal | Browse | ||
0% | ReversingLabs |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
s3-r-w.us-east-1.amazonaws.com | 52.217.130.90 | true | false | high | |
seasonmonster.s3.us-east-1.amazonaws.com | unknown | unknown | false | high |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
52.217.130.90 | s3-r-w.us-east-1.amazonaws.com | United States | 16509 | AMAZON-02US | false |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1590513 |
Start date and time: | 2025-01-14 08:19:32 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 10s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsfilecookbook.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | 5hsRaLKPV6.jar (renamed file extension from none to jar, renamed because original name is a hash value) |
Original Sample Name: | ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7 |
Detection: | MAL |
Classification: | mal68.expl.evad.winJAR@10/4@1/1 |
EGA Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
- Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtSetInformationFile c alls found.
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
s3-r-w.us-east-1.amazonaws.com | Get hash | malicious | Branchlock Obfuscator | Browse |
| |
Get hash | malicious | Branchlock Obfuscator | Browse |
| ||
Get hash | malicious | Branchlock Obfuscator | Browse |
| ||
Get hash | malicious | Branchlock Obfuscator | Browse |
| ||
Get hash | malicious | Branchlock Obfuscator | Browse |
| ||
Get hash | malicious | Branchlock Obfuscator | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
AMAZON-02US | Get hash | malicious | Unknown | Browse |
| |
Get hash | malicious | AsyncRAT | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | HTMLPhisher | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | C:\Program Files (x86)\Java\jre-1.8\bin\java.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 52 |
Entropy (8bit): | 4.858623612163837 |
Encrypted: | false |
SSDEEP: | 3:oFj4I5vpm4US4XTQXov:oJ5b4XTCov |
MD5: | 4F2BEFABC15042E0DB3060D61BB5E25A |
SHA1: | 71FD4E985B1BD9889656F3C09E582B6513BE5BF2 |
SHA-256: | 2105624836497C07D5EE8548CE5332C2D7A870A28DA653B2FEFB273AA489479B |
SHA-512: | 3B65A56BAF33409538D7521C9861363B75FB71F9D29A10E20F941FD1094DE072B5E1E610B433C4B4673701E78281E4856114D142635E239DF0B75DB4DF243925 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Java\jre-1.8\bin\java.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.2984098908421096 |
Encrypted: | false |
SSDEEP: | 96:THerjA58G6QOLDlKTH623w3oQXcwST+HE19o2z:TH358G6QOLcTH6aQ+iHEr |
MD5: | F4FE22EE0FD57A3237D4A55F03677F9E |
SHA1: | 76767CFDDDB83A1F44075DE066D9D86B329C7A2A |
SHA-256: | B8F822138B7885AF2D363F578BC95BEEF88297C33D1E42C77F775E111EBFE92B |
SHA-512: | C3AEDB76862276770AB815068EA80956E33D9B2C45A4CCEF8DA3832F84E7D92C49AEBD03D1EABD97B9CFFA827810C73878D2986CD292D75DE70D1F6C7302BBB1 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Java\jre-1.8\bin\java.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 45 |
Entropy (8bit): | 0.9111711733157262 |
Encrypted: | false |
SSDEEP: | 3:/lwlt7n:WNn |
MD5: | C8366AE350E7019AEFC9D1E6E6A498C6 |
SHA1: | 5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61 |
SHA-256: | 11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238 |
SHA-512: | 33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 3254 |
Entropy (8bit): | 4.919077234352184 |
Encrypted: | false |
SSDEEP: | 48:j6Hv++fj1zQwLDZ25JOYHsrgeNSHsrge26HDTZI5wv1:jMv++LPLDyJOYHsGHsoMDTZI56 |
MD5: | A8D484D615C3A68B9706343EB34FD7E0 |
SHA1: | 9A5434B50379F31189543E61DBD42E5568C1D12D |
SHA-256: | 58C688E12BCEC765F88CFFF81F68FA816A3D77DA2E579EB7C1242EE31F1B310E |
SHA-512: | B11B11807FC22FF10BC5B3ABEA092096144E3E9607431F126C6AB7AF9D4DB70353EF20603A809781EFAC53571A0A4DE252B91812564D5D83FB4FB19F72373807 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.948030467353428 |
TrID: |
|
File name: | 5hsRaLKPV6.jar |
File size: | 21'359 bytes |
MD5: | 8e96e66f83e748d267df96390c880297 |
SHA1: | bae891900c7c646f62a9b51c27f5b13a30cc9589 |
SHA256: | ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7 |
SHA512: | cee16641bbbbf2da2d1ae7af00e6b266de0374b955c37933061c4d1641aac4cd1216a05c2140cb9203b0dc9cf565c686d5c04cd884eb44c578cd40605f7f7224 |
SSDEEP: | 384:OAJjyCdE1n02lxzHm8QkdduiQpbkl/JZ476rvusoEyPsh719/buA5OB5/6RkhZgK:PJy1npQm5QxkBcyvulbkB19/buAoX/Rf |
TLSH: | D6A2E1263CF6065DD43BE071AC374873D08D967848CAD22B1576ABA5427AE3313A2FDC |
File Content Preview: | PK........%.$Z................META-INF/MANIFEST.MFUT.....yg.....M..LK-...K-*....R0.3..M...u.I,..RH..MJ,..L.....$.dX).qq..PK..{D.Y:...;...PK.........9%Z................../....class.R[O.A.=C...k..P.*h.E]. J.....bDI..m....k.-../..7..Q|...@c..f..^.!./..4..... |
Icon Hash: | d08c8e8ea2868a54 |
Download Network PCAP: filtered – full
- Total Packets: 10
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 14, 2025 08:20:26.289171934 CET | 49730 | 443 | 192.168.2.4 | 52.217.130.90 |
Jan 14, 2025 08:20:26.289287090 CET | 443 | 49730 | 52.217.130.90 | 192.168.2.4 |
Jan 14, 2025 08:20:26.289396048 CET | 49730 | 443 | 192.168.2.4 | 52.217.130.90 |
Jan 14, 2025 08:20:26.462063074 CET | 49730 | 443 | 192.168.2.4 | 52.217.130.90 |
Jan 14, 2025 08:20:26.462120056 CET | 443 | 49730 | 52.217.130.90 | 192.168.2.4 |
Jan 14, 2025 08:20:27.058911085 CET | 443 | 49730 | 52.217.130.90 | 192.168.2.4 |
Jan 14, 2025 08:20:27.059046984 CET | 49730 | 443 | 192.168.2.4 | 52.217.130.90 |
Jan 14, 2025 08:20:27.059108019 CET | 443 | 49730 | 52.217.130.90 | 192.168.2.4 |
Jan 14, 2025 08:20:27.059171915 CET | 49730 | 443 | 192.168.2.4 | 52.217.130.90 |
Jan 14, 2025 08:20:27.087277889 CET | 49730 | 443 | 192.168.2.4 | 52.217.130.90 |
Jan 14, 2025 08:20:27.087362051 CET | 443 | 49730 | 52.217.130.90 | 192.168.2.4 |
Jan 14, 2025 08:20:27.175218105 CET | 49730 | 443 | 192.168.2.4 | 52.217.130.90 |
Jan 14, 2025 08:20:27.175270081 CET | 443 | 49730 | 52.217.130.90 | 192.168.2.4 |
Jan 14, 2025 08:20:27.175983906 CET | 443 | 49730 | 52.217.130.90 | 192.168.2.4 |
Jan 14, 2025 08:20:27.175986052 CET | 49730 | 443 | 192.168.2.4 | 52.217.130.90 |
Jan 14, 2025 08:20:27.176043987 CET | 443 | 49730 | 52.217.130.90 | 192.168.2.4 |
Jan 14, 2025 08:20:27.176090002 CET | 49730 | 443 | 192.168.2.4 | 52.217.130.90 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 14, 2025 08:20:26.230004072 CET | 63437 | 53 | 192.168.2.4 | 1.1.1.1 |
Jan 14, 2025 08:20:26.254848003 CET | 53 | 63437 | 1.1.1.1 | 192.168.2.4 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Jan 14, 2025 08:20:26.230004072 CET | 192.168.2.4 | 1.1.1.1 | 0x983 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Jan 14, 2025 08:20:26.254848003 CET | 1.1.1.1 | 192.168.2.4 | 0x983 | No error (0) | s3-r-w.us-east-1.amazonaws.com | CNAME (Canonical name) | IN (0x0001) | false | ||
Jan 14, 2025 08:20:26.254848003 CET | 1.1.1.1 | 192.168.2.4 | 0x983 | No error (0) | 52.217.130.90 | A (IP address) | IN (0x0001) | false | ||
Jan 14, 2025 08:20:26.254848003 CET | 1.1.1.1 | 192.168.2.4 | 0x983 | No error (0) | 3.5.1.188 | A (IP address) | IN (0x0001) | false | ||
Jan 14, 2025 08:20:26.254848003 CET | 1.1.1.1 | 192.168.2.4 | 0x983 | No error (0) | 54.231.163.170 | A (IP address) | IN (0x0001) | false | ||
Jan 14, 2025 08:20:26.254848003 CET | 1.1.1.1 | 192.168.2.4 | 0x983 | No error (0) | 54.231.229.82 | A (IP address) | IN (0x0001) | false | ||
Jan 14, 2025 08:20:26.254848003 CET | 1.1.1.1 | 192.168.2.4 | 0x983 | No error (0) | 52.216.48.194 | A (IP address) | IN (0x0001) | false | ||
Jan 14, 2025 08:20:26.254848003 CET | 1.1.1.1 | 192.168.2.4 | 0x983 | No error (0) | 54.231.130.18 | A (IP address) | IN (0x0001) | false | ||
Jan 14, 2025 08:20:26.254848003 CET | 1.1.1.1 | 192.168.2.4 | 0x983 | No error (0) | 54.231.161.82 | A (IP address) | IN (0x0001) | false | ||
Jan 14, 2025 08:20:26.254848003 CET | 1.1.1.1 | 192.168.2.4 | 0x983 | No error (0) | 16.15.176.228 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 02:20:21 |
Start date: | 14/01/2025 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x240000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 1 |
Start time: | 02:20:21 |
Start date: | 14/01/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 2 |
Start time: | 02:20:21 |
Start date: | 14/01/2025 |
Path: | C:\Program Files (x86)\Java\jre-1.8\bin\java.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x5f0000 |
File size: | 257'664 bytes |
MD5 hash: | 9DAA53BAB2ECB33DC0D9CA51552701FA |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | moderate |
Has exited: | true |
Target ID: | 3 |
Start time: | 02:20:22 |
Start date: | 14/01/2025 |
Path: | C:\Windows\SysWOW64\icacls.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xfe0000 |
File size: | 29'696 bytes |
MD5 hash: | 2E49585E4E08565F52090B144062F97E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 02:20:22 |
Start date: | 14/01/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 02:20:22 |
Start date: | 14/01/2025 |
Path: | C:\Windows\SysWOW64\tasklist.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe50000 |
File size: | 79'360 bytes |
MD5 hash: | 0A4448B31CE7F83CB7691A2657F330F1 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 02:20:22 |
Start date: | 14/01/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7699e0000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 1.6% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 3 |
Total number of Limit Nodes: | 0 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|