Edit tour

Windows Analysis Report
5hsRaLKPV6.jar

Overview

General Information

Sample name:	5hsRaLKPV6.jar renamed because original name is a hash value
Original sample name:	ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7
Analysis ID:	1590513
MD5:	8e96e66f83e748d267df96390c880297
SHA1:	bae891900c7c646f62a9b51c27f5b13a30cc9589
SHA256:	ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7
Infos:

Detection

Branchlock Obfuscator

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Branchlock Obfuscator

Exploit detected, runtime environment starts unknown processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

7za.exe (PID: 3168 cmdline: 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\5hsRaLKPV6.jar" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 1356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

java.exe (PID: 6256 cmdline: java.exe -jar "C:\Users\user\Desktop\5hsRaLKPV6.jar" bombastic MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)

conhost.exe (PID: 1244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 6180 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1912 cmdline: tasklist.exe MD5: 0A4448B31CE7F83CB7691A2657F330F1)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
5hsRaLKPV6.jar	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.1404254971.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000003.00000003.1412901184.0000000000948000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000001.00000002.1404509529.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000001.00000002.1404433977.0000000000DBD000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000001.00000002.1404564718.0000000000F07000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000003.00000002.1491550634.0000000014B3B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Process Memory Space: 7za.exe PID: 3168	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Process Memory Space: java.exe PID: 6256	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Click to see the 3 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 5hsRaLKPV6.jar

Virustotal: Detection: 27%

Perma Link

Software Vulnerabilities

Exploit detected, runtime environment starts unknown processes

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Process created: C:\Windows\System32\conhost.exe

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Code function: 4x nop then cmp eax, dword ptr [ecx+04h]

3_2_023C8E18

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: seasonmonster.s3.us-east-1.amazonaws.com

Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.CHAMBERSIGN.ORG
Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000003.00000002.1490083892.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000003.00000002.1490083892.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000003.00000002.1490083892.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000003.00000002.1490083892.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1491804179.0000000014FA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000003.00000002.1490083892.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000003.00000002.1490083892.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1491804179.0000000015089000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/3=
Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/s(
Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm39
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: 5hsRaLKPV6.jar	String found in binary or memory: https://branchlock.net
Source: 7za.exe, 00000001.00000002.1404564718.0000000000F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://branchlock.netf
Source: 7za.exe, 00000001.00000002.1404509529.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://branchlock.netk
Source: java.exe, 00000003.00000002.1491550634.0000000014B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://branchlock.nett
Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: java.exe, 00000003.00000002.1488991611.00000000047B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/email.js
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar
Source: java.exe, 00000003.00000002.1488991611.00000000047B4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: classification engine

Classification label: mal64.expl.evad.winJAR@10/8@1/1

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_03

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\7za.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5hsRaLKPV6.jar

Virustotal: Detection: 27%

Source: unknown	Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\5hsRaLKPV6.jar"
Source: C:\Windows\System32\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe java.exe -jar "C:\Users\user\Desktop\5hsRaLKPV6.jar" bombastic
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
Source: C:\Windows\SysWOW64\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe	Jump to behavior

Source: C:\Windows\System32\7za.exe	Section loaded: 7z.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Data Obfuscation

Yara detected Branchlock Obfuscator

Source: Yara match	File source: 5hsRaLKPV6.jar, type: SAMPLE
Source: Yara match	File source: 00000001.00000003.1404254971.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1412901184.0000000000948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1404509529.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1404433977.0000000000DBD000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1404564718.0000000000F07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1491550634.0000000014B3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7za.exe PID: 3168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: java.exe PID: 6256, type: MEMORYSTR

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_023CB277 push es; iretd	3_2_023CB27E
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_023CD691 push cs; retf	3_2_023CD6B1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_023C5870 pushad ; iretd	3_2_023C5871
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_023CB531 push ecx; retn 0022h	3_2_023CB5E6
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232D8F7 push 00000000h; mov dword ptr [esp], esp	3_2_0232D921
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232A21B push ecx; ret	3_2_0232A225
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232A20A push ecx; ret	3_2_0232A21A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232BB67 push 00000000h; mov dword ptr [esp], esp	3_2_0232BB8D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232B3B7 push 00000000h; mov dword ptr [esp], esp	3_2_0232B3DD
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232D8E0 push 00000000h; mov dword ptr [esp], esp	3_2_0232D921
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232B947 push 00000000h; mov dword ptr [esp], esp	3_2_0232B96D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232C477 push 00000000h; mov dword ptr [esp], esp	3_2_0232C49D

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Windows\SysWOW64\tasklist.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE8

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Code function: 3_2_023CB6C4 sldt word ptr [eax]

3_2_023CB6C4

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: java.exe, 00000003.00000002.1487288527.000000000090B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6oY
Source: java.exe, 00000003.00000003.1430792617.00000000148F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000003.00000003.1430792617.00000000148F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000003.00000002.1487288527.000000000090B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: java.exe, 00000003.00000003.1430792617.00000000148F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000003.00000002.1487288527.000000000090B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware.exe8
Source: java.exe, 00000003.00000003.1430792617.00000000148F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe8

Source: C:\Windows\SysWOW64\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M			Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe			Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Code function: 3_2_023203C0 cpuid

3_2_023203C0

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6256 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Services File Permissions Weakness	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Services File Permissions Weakness	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5hsRaLKPV6.jar	0%	ReversingLabs
5hsRaLKPV6.jar	27%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.quovadis.bm39	0%	Avira URL Cloud	safe
https://branchlock.netk	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com	0%	Avira URL Cloud	safe
https://branchlock.nett	0%	Avira URL Cloud	safe
http://repository.swisssign.com/s(	0%	Avira URL Cloud	safe
http://repository.swisssign.com/3=	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/email.js	0%	Avira URL Cloud	safe
https://branchlock.netf	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-r-w.us-east-1.amazonaws.com	52.216.210.114	true	false		high
seasonmonster.s3.us-east-1.amazonaws.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.xrampsecurity.com/XGCA.crl	java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://branchlock.nett	java.exe, 00000003.00000002.1491550634.0000000014B3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/s(	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://repository.luxtrust.lu0	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://branchlock.netk	7za.exe, 00000001.00000002.1404509529.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreport.sun.com/bugreport/	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://java.oracle.com/	java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/	java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1491804179.0000000014FA8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
HTTP://WWW.CHAMBERSIGN.ORG	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://branchlock.net	5hsRaLKPV6.jar	false		high
http://policy.camerfirma.com	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm39	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/3=	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/email.js	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl	java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu	java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com	java.exe, 00000003.00000002.1488991611.00000000047B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf	java.exe, 00000003.00000002.1488991611.00000000047B4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false		high
https://branchlock.netf	7za.exe, 00000001.00000002.1404564718.0000000000F07000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm	java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersroot.crl	java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1491804179.0000000015089000.00000004.00000020.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.216.210.114	s3-r-w.us-east-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590513
Start date and time:	2025-01-14 08:23:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Tracing
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5hsRaLKPV6.jar renamed because original name is a hash value
Original Sample Name:	ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7
Detection:	MAL
Classification:	mal64.expl.evad.winJAR@10/8@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 71% Number of executed functions: 18 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .jar Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.95.31.18
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target java.exe, PID 6256 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.us-east-1.amazonaws.com	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	3.5.12.103
	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	52.216.29.192
	Mansourbank Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	52.217.119.34
	Wupos Reciept.pdf.jar	Get hash	malicious	Branchlock Obfuscator	Browse	52.216.217.130
	Swift Transaction Report.js	Get hash	malicious	Branchlock Obfuscator	Browse	16.182.70.66
	Swift Transaction Report.js	Get hash	malicious	Branchlock Obfuscator	Browse	54.231.134.106
	https://midoregoncu-securemessagecenter.s3.us-east-1.amazonaws.com/open/message_12832.html	Get hash	malicious	HTMLPhisher	Browse	54.231.130.18
	http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdf	Get hash	malicious	Unknown	Browse	52.217.134.50
	https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html	Get hash	malicious	Unknown	Browse	52.217.41.32

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://email.lc.haxconsulting.com/c/eJx0k0tv4zgQhH-NdBk4kKgHrQMPdhI5mck78djJRaDIlsSYD4WkpLF__cJOsLvAZq_FLnbhQzWrBCdJS6-fh9_RaK9H9Muk6c9yE3LCCkjrLORGUaGJZGcd_cOMdoP0QrdnzKivt8pMGqzrRF_5fQ-EtqDZvqLOiVYDD4HEOMnxvMB5EoKiQlYKnKMtHLdv5i83BT5n4-tb-75JAbPHy6-p02-Mqp6KVv9LO9pyPE9ZwVKaZjlkgBjkRVEjHIIehTVagfakt4YPzAujw45EeRrF0RziBvIoyeskRxgwwlma0ajAPBQERSiL4jg55o2Ss2YOOYWszps4a5o6CtLoWwySdN73LkgWASoDVE7T9N-pAJXcTFoaymeOSmr3s3YQHGYDhSApG2GdrzRVECQXdyBkgHJJ_5GuqNsJ7QKUnzgEyYUGIbsvNY0644_656a874w-uqIs-lGk6Q-UFjiUrPpkKLQHq6kka1Q6vvq928YBWm7z65vVxHE3FgEq59i-jvvVs0xEw7L6_MK2IhvbP_TKJn77qF7k3TSixbC_V5cBWuI33j_fivpGtZOAqN0Zxga7eJCXr-uXzfMHlIcjgANevhv8USfN_ZM-L_Dhoeu38GTXt4sALYfFzheHl3LNy1VZjw8iQOU6QOWmvb3vrqbc9Y17WtynH9OVVkrF8qdedwDgHtt4eTkPpTn1ebm6Sd7eV-rWxvS93979kt02VOA7wwntRWisaIUm9SB3sxOQsLdmFBwskUA5M1oD88aGlvwv49CZwTIgJ_9MuHE2GbsDG3pyTPFtBE-YUdW31-YJ-Orvpo8E_RUAAP__dHE7Qw	Get hash	malicious	Unknown	Browse	18.245.31.88
	Discord.exe	Get hash	malicious	AsyncRAT	Browse	3.127.138.57
	http://locrmhelp.com	Get hash	malicious	Unknown	Browse	52.84.151.46
	https://imtcoken.im/	Get hash	malicious	Unknown	Browse	143.204.215.6
	http://www.toekan.im/	Get hash	malicious	Unknown	Browse	143.204.215.6
	http://bu9.fysou.web.id/webs6/cx.aktifkn.fiturr	Get hash	malicious	Unknown	Browse	108.138.26.27
	http://bu9.fysou.web.id/webs6/aktrfn.fitur.pylter	Get hash	malicious	Unknown	Browse	108.138.26.116
	http://pub-dfc04553e9094cfc93a2df6d57084097.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	3.75.10.80
	https://metahorizonsfacebooksupport.tempisite.com/italy39	Get hash	malicious	HTMLPhisher	Browse	54.229.247.168

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.935546689086913
Encrypted:	false
SSDEEP:	3:oFj4I5vpm4UStyXyn:oJ5bPn
MD5:	71BB2661A134E044A3E3CF0B48A4785C
SHA1:	9295AB1F4C70B60EB427B20D37E6AEFA38A42A7F
SHA-256:	BE7F306BDD7A646968F6038C461AF4B27DB699C227D6F7914F4DAB6E7A1BA406
SHA-512:	BB05987658BC36FCDAC3939C3F459E13A1321B8571D9FDB089DDC2154E035639B7F69E3A3FB9D0A7656E7648EE4408DEE9215A7882D3B121E1039517460FD248
Malicious:	false
Reputation:	low
Preview:	C:\Program Files (x86)\Java\jre-1.8..1736839455772..

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6256

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2828140813520312
Encrypted:	false
SSDEEP:	96:hZpryk8GEJlPLAe6L6JCwgUUvWFi7JYpHG1bow4:hZR8GEBLAe6L6TU+FuJUHGd
MD5:	64AD91969A66215D94D5AF26B75ED389
SHA1:	1DB22F90DE654BB22B721E4B843991E191DAAB88
SHA-256:	50D1CF9831B7CEFE7D3C67F80071E551475F6C54F3C6E9C36078F9BBC8C618BC
SHA-512:	1CEC1FDF94CC97B241DCCAB637B533117EB146AA7787545301C4328CC82DC1DAA846DAD11F71A8B6F9566F977E4EE80DC1774BE82676E7B4026A9C2C89133024
Malicious:	false
Reputation:	low
Preview:	.........8.......m...... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwlt7n:WNn
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Preview:	........................................J2SE.

C:\jar\?.class

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	compiled Java class data, version 52.0 (Java 1.8)
Category:	dropped
Size (bytes):	7467
Entropy (8bit):	6.386422292092153
Encrypted:	false
SSDEEP:	96:pyeC0vsKCbHxPLLBfvmG8L6d7xyBdxa7/ky8mnMINS5ju/Nn1:pyjGlCbRTLBfvw6dkG7/ky1ZNAS11
MD5:	7453970A7579358CC210524FBA8D3DAA
SHA1:	1B2A7B1240AA287521867830E7ADE213AC872B98
SHA-256:	B8BA3624315FC214D9BEDABE20E9851D4E7BF6131CC426BA15181D00EA997B79
SHA-512:	EF4E77595745D6476DBA10BB8B51D890C010966D5E577999991C91FF03AAAD4A2F204B1A5B60F5A1B76D9FC385DE23058BD323DC44CFBAD4E5D11B32E5F088F9
Malicious:	false
Preview:	.......4.A..........java/lang/Throwable..........[Ljava/lang/Object;.......[Ljava/lang/String;...(Ljava/lang/Object;II)V...java/io/IOException......java/lang/InterruptedException......java/lang/Exception............&java/lang/ReflectiveOperationException...............96....8...java/lang/String......bombastic............)(Ljava/lang/Object;[Ljava/lang/Object;I)I............../...!.........#...<init>..'(Ljava/lang/String;Ljava/lang/String;)V..%.&..".'......_(Ljava/lang/Object;Ljava/lang/Object;ILjava/lang/Object;[Ljava/lang/Object;I)Ljava/lang/Object;..).*....+......N(Ljava/lang/Object;IILjava/lang/Object;[Ljava/lang/Object;I)Ljava/lang/Object;..-....../....l..../...2......;(CLjava/lang/Object;[Ljava/lang/Object;I)Ljava/lang/Object;..4.5....6..$java/util/concurrent/ExecutorService..8...()V..:...(Ljava/io/File;)V....<....=...>...(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;Ljava/lang/invoke/MethodType;Ljava/lang/invoke/MethodHandl

C:\jar\?\?.class

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	compiled Java class data, version 52.0 (Java 1.8)
Category:	dropped
Size (bytes):	709
Entropy (8bit):	5.436349643687698
Encrypted:	false
SSDEEP:	12:QwpbRaBt0ETsn+2TRsf5VUuNh+TQdldqPgNj4w8MFMjgMu1:Q6aVTsn/9QfH8MFugMK
MD5:	5D09EAC457D870F1D508AEB4D2F005F4
SHA1:	52E9AC3556123DECC93C5494C742DC4BE01631BC
SHA-256:	CABEA422089E3C7DF8808727733F2EBAE6B312C856834196A0D74D3CDCFB183F
SHA-512:	F0DBB371D4F46CA2197A4C7AEAAEAA58023FDF5D1B480C37C79C24C66382D0061BF66E158A6FDE7B0C1A9068DDE5A09F615A1F07FA3516CFCE450E11C91178F2
Malicious:	false
Preview:	.......4.+..../.......java/io/InputStreamReader..........[Ljava/lang/Object;...<clinit>...()V...java/lang/Object....f#.........java/lang/Long......valueOf...(J)Ljava/lang/Long;............[.....>................'(I)Ljava/lang/management/RuntimeMXBean;..&java/lang/management/ManagementFactory............:(Ljava/lang/Object;[Ljava/lang/Object;I)Ljava/lang/Object;............"java/lang/management/RuntimeMXBean.. ...<init>...(Ljava/io/InputStream;)V..".#....$.......(C)Ljava/awt/Desktop;...java/awt/Desktop..(...Code................................&............Y.......SY.......S...................................7.....!........".#...............+..%........&.'...*.............)....6.....).......

C:\jar\Branchlock_?.class

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	compiled Java class data, version 52.0 (Java 1.8)
Category:	dropped
Size (bytes):	1834
Entropy (8bit):	3.4908661873375055
Encrypted:	false
SSDEEP:	24:b4m8AuMo7QDsoE9fYy4aSwm5ehz6FB2HR/8Ecaf+D88Zq6ZbvVDn5TJyyRDsaZQm:b4m8somTmR02WJEVvrfrs
MD5:	238309786CC1B908892502E152A49A60
SHA1:	72D78AF1A6C8905F8802C991402EF08ECC1612E9
SHA-256:	7B63F628961DF21D2C89A794574D26D171A40FA5C98857309D54D011279884DB
SHA-512:	CC046818C6E7BBD94D2FCCBF389A1C8EBE16E9225414B119DDF24CE153FD73B2884C5DF650BAAFE12EE36FAC6D3C2A9511BF7F3D968700C272F3AE2EAB4D808B
Malicious:	false
Preview:	.......4.D...Branchlock_.......java/lang/Object..........Ljava/lang/String;..: * .........: ###. .........: #######( .........: ################# .........: ## .################## .........: (####### .####. .*######### .........: ########, .#. .#######. .........: #######, #######. .........: ######, #######. .........: (######. #######. .."..........: #######. #######, ..&......: ######## (#######, ## ..)......: ##########. ##### ..,......: ########

C:\jar\META-INF\MANIFEST.MF

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.375258354962731
Encrypted:	false
SSDEEP:	3:ZLCAWIzBEnbzHELGvS14:1KItUbzHyGJ
MD5:	3C6B699D521DDBB93869D35610D86ADA
SHA1:	4747133B51B6171DB1F68D8B7119310333D8807E
SHA-256:	AD8EFAA22B3BA49B93ADFC93BEF58B3C618AAC0BC3BEBB7558EA507504F7053F
SHA-512:	0E4B2FD657E70E49CFB8F49CBCD23CB11A29EE734EA4827670E9B6129C1D4CA0B52FC7EBE0020B6FF94378347334F722D4861EC423DD99A9A5199CBA92C5DF58
Malicious:	false
Preview:	Manifest-Version: 1.0.Main-Class: bombastic.Class-Path: ...

C:\jar\bombastic.class

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	compiled Java class data, version 52.0 (Java 1.8)
Category:	dropped
Size (bytes):	14875
Entropy (8bit):	6.638357662906348
Encrypted:	false
SSDEEP:	384:NuZ7hHpqqNdAQP79S+VytV34p4doxVyAyKpAF:vkdPU+VytV34p4doxsFKuF
MD5:	07CDA5F9F90C234106CC7E8887B17145
SHA1:	5B74EE2D8C3930A56941AFFC0B0C9C4C242A64CE
SHA-256:	FFBF3D15A8D52E694D7AAC03483F0D228888DDEC7A78107FB0D5EFBF55D0539D
SHA-512:	A3377FC40E82F9441D1E0C9BFA2FEE186AAE931FE4ED3891D397F889B5E15A62474DEC96302F430BDFEC4B1D62BE1E76E71584E3DCC872268D19DCB643F1A979
Malicious:	false
Preview:	.......4.....bombastic......java/lang/Object..........I...................Ljava/util/List;.......[Ljava/lang/String;...........[Ljava/lang/Object;...<clinit>...()V..#java/lang/IndexOutOfBoundsException....................G...........Q............G........F...............................K......B.....C...............................................C.L........................]...........P..................Q........N...............A..............]....#...7....-....../...........)..................................C.(...K....................

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.948030467353428
TrID:	Java Archive (13504/1) 62.80% ZIP compressed archive (8000/1) 37.20%
File name:	5hsRaLKPV6.jar
File size:	21'359 bytes
MD5:	8e96e66f83e748d267df96390c880297
SHA1:	bae891900c7c646f62a9b51c27f5b13a30cc9589
SHA256:	ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7
SHA512:	cee16641bbbbf2da2d1ae7af00e6b266de0374b955c37933061c4d1641aac4cd1216a05c2140cb9203b0dc9cf565c686d5c04cd884eb44c578cd40605f7f7224
SSDEEP:	384:OAJjyCdE1n02lxzHm8QkdduiQpbkl/JZ476rvusoEyPsh719/buA5OB5/6RkhZgK:PJy1npQm5QxkBcyvulbkB19/buAoX/Rf
TLSH:	D6A2E1263CF6065DD43BE071AC374873D08D967848CAD22B1576ABA5427AE3313A2FDC
File Content Preview:	PK........%.$Z................META-INF/MANIFEST.MFUT.....yg.....M..LK-...K-....R0.3..M...u.I,..RH..MJ,..L.....$.dX).qq..PK..{D.Y:...;...PK.........9%Z................../....class.R[O.A.=C...k..P.h.E]. J.....bDI..m....k.-../..7..Q\|...@c..f..^.!./..4.....

File Icon


Icon Hash:	d08c8e8ea2868a54

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 08:24:19.994956970 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:19.994982004 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:19.995162964 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:20.130414963 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:20.130446911 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:20.685987949 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:20.686065912 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:20.686088085 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:20.686165094 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:20.717562914 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:20.717600107 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:21.311986923 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:21.312064886 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:21.312342882 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:21.312350035 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:21.312371016 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:21.312402964 CET	49707	443	192.168.2.9	52.216.210.114

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 08:24:19.973506927 CET	56474	53	192.168.2.9	1.1.1.1
Jan 14, 2025 08:24:19.992058992 CET	53	56474	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 08:24:19.973506927 CET	192.168.2.9	1.1.1.1	0x9de4	Standard query (0)	seasonmonster.s3.us-east-1.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	seasonmonster.s3.us-east-1.amazonaws.com	s3-r-w.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		52.216.210.114	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		54.231.135.210	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		16.182.107.250	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		52.216.250.8	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		52.216.62.42	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		52.216.78.0	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		54.231.170.90	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		16.15.177.238	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 7za.exePID: 3168, Parent PID: 3504

General

Target ID:	1
Start time:	02:24:11
Start date:	14/01/2025
Path:	C:\Windows\System32\7za.exe
Wow64 process (32bit):	true
Commandline:	7za.exe x -y -oC:\jar "C:\Users\user\Desktop\5hsRaLKPV6.jar"
Imagebase:	0xe90000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000001.00000003.1404254971.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000001.00000002.1404509529.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000001.00000002.1404433977.0000000000DBD000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000001.00000002.1404564718.0000000000F07000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1356, Parent PID: 3168

General

Target ID:	2
Start time:	02:24:11
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: java.exePID: 6256, Parent PID: 3504

General

Target ID:	3
Start time:	02:24:12
Start date:	14/01/2025
Path:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Wow64 process (32bit):	true
Commandline:	java.exe -jar "C:\Users\user\Desktop\5hsRaLKPV6.jar" bombastic
Imagebase:	0xbe0000
File size:	257'664 bytes
MD5 hash:	9DAA53BAB2ECB33DC0D9CA51552701FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000003.00000003.1412901184.0000000000948000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000003.00000002.1491550634.0000000014B3B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1244, Parent PID: 6256

General

Target ID:	4
Start time:	02:24:12
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: icacls.exePID: 6180, Parent PID: 6256

General

Target ID:	5
Start time:	02:24:15
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0x8d0000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4708, Parent PID: 6180

General

Target ID:	6
Start time:	02:24:16
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: tasklist.exePID: 1912, Parent PID: 6256

General

Target ID:	7
Start time:	02:24:16
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist.exe
Imagebase:	0x350000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6060, Parent PID: 1912

General

Target ID:	8
Start time:	02:24:16
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: java.exePID: 6256, Parent PID: 3504COMMON

Executed Functions

Function 023CFDD2 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.00000000023C4000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23c4000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a54ae548c75b9de9339da8f0eea08a2462a141ac6c99107225f285d5a0f1a1e
Instruction ID: 72a5a1ffc5351f93f545f9a46a2879517189acbf007349e574f4893261d9d0bd
Opcode Fuzzy Hash: 7a54ae548c75b9de9339da8f0eea08a2462a141ac6c99107225f285d5a0f1a1e
Instruction Fuzzy Hash: E2D13A71A083408FC719DF28D08062ABBF2FF89714F65896EE4999B755C735E842CF81

Function 0232D8F7 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002322000.00000040.00000800.00020000.00000000.sdmp, Offset: 02322000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2322000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f25d27d5b479f18f26941c83160ea5d03d67ff476df8b191e41a0c569ee7cdd
Instruction ID: 5b0818eb357f63e9350cbd928dc91f4344be2dbbaa5645d956cc45abef122669
Opcode Fuzzy Hash: 1f25d27d5b479f18f26941c83160ea5d03d67ff476df8b191e41a0c569ee7cdd
Instruction Fuzzy Hash: 4EA1F1B1A04669DFDB28CF24C494BAAF7B1FF49714F08819DD81A5B382C774A849CF91

Function 0232D8E0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002322000.00000040.00000800.00020000.00000000.sdmp, Offset: 02322000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2322000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10eef2a38d22b7d1ad470fc258010e8eab47762a21a0e04e620e4ae8e229f9bb
Instruction ID: eab0441e3e6b32b5fd76aacc4cdc15c2a24dc7d101767e1212e7f6d3f285bdd4
Opcode Fuzzy Hash: 10eef2a38d22b7d1ad470fc258010e8eab47762a21a0e04e620e4ae8e229f9bb
Instruction Fuzzy Hash: C761CCB1600669DFDB28CF24C494BAAF7B1FF49714F18819DE81A5B381C774A849CF91

Function 023D18BD Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.00000000023C4000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23c4000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4775897f13683b8721dd7fa8145fe034cbf6f2506baffb60db1a8c4f150ca49
Instruction ID: 24e0d4878545bf9245c5c5520b95102718057be3d7f2e5bc7b2bfab6a7771f13
Opcode Fuzzy Hash: b4775897f13683b8721dd7fa8145fe034cbf6f2506baffb60db1a8c4f150ca49
Instruction Fuzzy Hash: BD418F329047508FC7229F28D48076AFBF2FF45324F56896DD8D96B692D730E882CB91

Function 023D9227 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.00000000023C4000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23c4000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c433bf6f6ae13abff2d37cf4f6bec8c99c5c3c712e329db2c354011d0cd8fd85
Instruction ID: 23a707c02d9975af877342d0b15466d982fd92782a90212d4c04560528c173d3
Opcode Fuzzy Hash: c433bf6f6ae13abff2d37cf4f6bec8c99c5c3c712e329db2c354011d0cd8fd85
Instruction Fuzzy Hash: C931BFB1A08749EFD715CF20E4587A9BBF0BB42308F1881ADC84897791D7346959DB82

Function 02320672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2320000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d642b47957fdf052be8e6638cce2d99a13f02a464640ca92b0a0cad82bcdbb6b
Instruction ID: d01c0a8967dcb454a65e7065fae313365fb0d4dfd90a282240bce3ee8034eef4
Opcode Fuzzy Hash: d642b47957fdf052be8e6638cce2d99a13f02a464640ca92b0a0cad82bcdbb6b
Instruction Fuzzy Hash: 55115BB6D0023ADFCF28CF48C4855EDB7B1FBA9314B164525DC66A7751D334A928CB90

Function 023D1228 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.00000000023C4000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23c4000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc7475fefce16eac26c2481ae15cfdec3447d540578ff4f6937dd86a7f52724c
Instruction ID: 9f97f9ed7c64b04d7f44cf11d858d3d868d02ea545b03f4488fa0ece903001be
Opcode Fuzzy Hash: dc7475fefce16eac26c2481ae15cfdec3447d540578ff4f6937dd86a7f52724c
Instruction Fuzzy Hash: 7FF027768183488BC301AB34AC41535FFB1BF03220F1857CDE8E8A72C2D322984ACF51

Function 02320722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2320000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4e564fb47a9687075d9a230bc5d95f1e278810fb7c482313b1a277565ad90a
Instruction ID: 19802e2b41dcb71af220ace7a320a78dcaffdc74f9e120ea9fadb5a08b48bc65
Opcode Fuzzy Hash: 7a4e564fb47a9687075d9a230bc5d95f1e278810fb7c482313b1a277565ad90a
Instruction Fuzzy Hash: 6FF01576C00229DBCF18CF48C4400ADF7B1EB14218B1A8496DC2837241D332AD6ACF91

Function 023D1250 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.00000000023C4000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23c4000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d0682de9db020b95774ce49807adfaa5cc96241df8c732df4c42ba62e9099b
Instruction ID: 7c86b2a1861bc1a8bfdd8c95b5dbca59fc14fd0851529c43bf6912bed767dc24
Opcode Fuzzy Hash: a1d0682de9db020b95774ce49807adfaa5cc96241df8c732df4c42ba62e9099b
Instruction Fuzzy Hash: 6AD05E758042088BC714BB28E84152AB7A5BF05324F594B8DFCDCA7281E732E8818F92

Function 02334B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002322000.00000040.00000800.00020000.00000000.sdmp, Offset: 02322000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2322000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a83513acd4d4c711aaa7be9aeb9f4ebef0a71d983e10225254abaa228f8f1e3
Instruction ID: b884319d01bff04a0f9f0865604ad4142daeec1e7d0f6fa04bbbfbefce21afc4
Opcode Fuzzy Hash: 4a83513acd4d4c711aaa7be9aeb9f4ebef0a71d983e10225254abaa228f8f1e3
Instruction Fuzzy Hash: 89F07FB5900A16EBDB258F61C1047DAFBB4FB88718F14421AD42C67350D77874698BD0

Function 0232EC1C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002322000.00000040.00000800.00020000.00000000.sdmp, Offset: 02322000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2322000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d160823c3d11f29b98b03732ce915d0251671857d96bfb5f7563c30739200965
Instruction ID: 466b09dc7e19a23739e642cc7b1cb12f10bffbbcb91085c9688cf221dc647a3b
Opcode Fuzzy Hash: d160823c3d11f29b98b03732ce915d0251671857d96bfb5f7563c30739200965
Instruction Fuzzy Hash: 74F09BB6A00A16EBDB29CF61C1047DAFBB4BB88718F14421AC42C67750D779B469CBC0

Function 02336575 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002322000.00000040.00000800.00020000.00000000.sdmp, Offset: 02322000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2322000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549f7761985e6588f0f7572da54faf6f0cb5957edcb1b3c667eb12391eb18259
Instruction ID: 9e62dfff83f162e89865cd7c2acc7165b3db8ec0bc2171be4be6a408bf771126
Opcode Fuzzy Hash: 549f7761985e6588f0f7572da54faf6f0cb5957edcb1b3c667eb12391eb18259
Instruction Fuzzy Hash: EBF09BBAA04A16EBDB29CF65C1447DAFBB4BB88714F14421AC52C67350D778B469CBC0

Function 0232DA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002322000.00000040.00000800.00020000.00000000.sdmp, Offset: 02322000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2322000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3d13f53f2b0caa742d36c9108561f968472d6ff24db9dd5d0857158a2004a7
Instruction ID: 4dd083914f62752ba202b9d2565bebef6aa9db0a1f2070d91f5ce40983c7cb3f
Opcode Fuzzy Hash: 8a3d13f53f2b0caa742d36c9108561f968472d6ff24db9dd5d0857158a2004a7
Instruction Fuzzy Hash: 3DF0CAB6D01A1AABDB248FA1C1447DAFBB5BB88714F18421AC42C63320D378B469CBD0

Function 023349AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002322000.00000040.00000800.00020000.00000000.sdmp, Offset: 02322000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2322000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76748662bb31f9550c48935de1bdad6743e968d4c62d30813247cf9c14c4b91
Instruction ID: 2662bb8d9a09c21af103fea0cbf57c591b1c4a71826dbbc9430803b11b009818
Opcode Fuzzy Hash: a76748662bb31f9550c48935de1bdad6743e968d4c62d30813247cf9c14c4b91
Instruction Fuzzy Hash: 29F0CAB6D00A16ABDB248F61C5047DAFBB4BB88B14F14421AC42C67320D3B8B469CBC1

Function 0232DE6E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002322000.00000040.00000800.00020000.00000000.sdmp, Offset: 02322000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2322000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1476d833cb70b0ffdd6871f4ae87a27a4777411af65ac9a51711e8733d7fe4d
Instruction ID: 86d2e0bdbb064ea4b9abd39f92188afbeb4c75b5ccb37285dfe86908fd215e82
Opcode Fuzzy Hash: b1476d833cb70b0ffdd6871f4ae87a27a4777411af65ac9a51711e8733d7fe4d
Instruction Fuzzy Hash: DFF0CAB6D00A16ABDB248F61C1047DAFBB4BB88714F14421AC42C63720C778B469CBC0

Function 0232B407 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002322000.00000040.00000800.00020000.00000000.sdmp, Offset: 02322000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2322000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef97eb8a23831b748f4aeebc88b39fb90eb38a44cdc9d27639370280eeed70c
Instruction ID: fc4bdffc3edfb307d12863cf84e22f47d5c8f9184f3811a368394d4144b34910
Opcode Fuzzy Hash: 6ef97eb8a23831b748f4aeebc88b39fb90eb38a44cdc9d27639370280eeed70c
Instruction Fuzzy Hash: D0F0CAB6D00A16ABDB248F61C1047DAFBB4BB88714F19421AC42C63360D378B469CBC0

Function 02333C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002322000.00000040.00000800.00020000.00000000.sdmp, Offset: 02322000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2322000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da45740652e67e8114f7b57d9468ce515be3d7dc9fe73160b130df648415883f
Instruction ID: 6c786ebec32eb3194dfc35eaca2db6b21c2a5e0f7f042c8dfb972b007cceaf0c
Opcode Fuzzy Hash: da45740652e67e8114f7b57d9468ce515be3d7dc9fe73160b130df648415883f
Instruction Fuzzy Hash: 63F0CAB6D00A1AABDB248F61C5447DAFBB4BB88714F14421AC42C67320D378B469CBC0

Function 023345E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002322000.00000040.00000800.00020000.00000000.sdmp, Offset: 02322000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2322000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e962ef3accde3f2af2b53745b16bae7fc30975e0c12fba12cc0683f1f0d3c3f
Instruction ID: c94f6342d88fd843a84b68c017974bf06b6cdeda442ed76b60ad5820a5b0e990
Opcode Fuzzy Hash: 3e962ef3accde3f2af2b53745b16bae7fc30975e0c12fba12cc0683f1f0d3c3f
Instruction Fuzzy Hash: A4F0C2B6D00A1AABDB248F61C1447DAFBB4BB44714F14421AC52C63320D3787469CBC0

Non-executed Functions

Function 023C8E18 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.00000000023C4000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23c4000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b8af5438c7e77ab04ff9ee08e9123c48a921a9c64ace1195274b1a3355606a
Instruction ID: 3d4432f990fafbeaef2ab4f486b855f168ba337b7393d7e5ba4fb152152c09e4
Opcode Fuzzy Hash: 06b8af5438c7e77ab04ff9ee08e9123c48a921a9c64ace1195274b1a3355606a
Instruction Fuzzy Hash: 94516E719043218FC711DF28C48076AF7E2BF89728F298A5DE898A7355D732ED46CB91

Function 023CB6C4 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.00000000023C4000.00000040.00000800.00020000.00000000.sdmp, Offset: 023C4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_23c4000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b5e46fd764642a316965d621364c8f23013f227b3638614c770532d5f5935d
Instruction ID: 471126c4afd6b2d430bd43669b214624f6b10d77473b312328e823ea92f03ab5
Opcode Fuzzy Hash: 78b5e46fd764642a316965d621364c8f23013f227b3638614c770532d5f5935d
Instruction Fuzzy Hash: 0231996248E7C64FD7435B709CAA2817FB19F13224B1A04DBC4C4CF9A3E59D494ECB62

Function 023203C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1487935620.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2320000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction ID: d47f0f8e019ab64096cf0e39516513be9307ccc4c1aff0750bb8da1d98f024eb
Opcode Fuzzy Hash: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction Fuzzy Hash: 0C21FCBA6042668FDB358F158C403D9B7E5FB58314F21482DDECDE7711D330AA898B51

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5hsRaLKPV6.jar

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6256

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\jar\?.class

C:\jar\?\?.class

C:\jar\Branchlock_?.class

C:\jar\META-INF\MANIFEST.MF

C:\jar\bombastic.class

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
5hsRaLKPV6.jar