Edit tour

Windows Analysis Report
5hsRaLKPV6.jar

Overview

General Information

Sample name:	5hsRaLKPV6.jar renamed because original name is a hash value
Original sample name:	ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7
Analysis ID:	1590513
MD5:	8e96e66f83e748d267df96390c880297
SHA1:	bae891900c7c646f62a9b51c27f5b13a30cc9589
SHA256:	ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7
Infos:

Detection

Branchlock Obfuscator

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Branchlock Obfuscator

Exploit detected, runtime environment starts unknown processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

7za.exe (PID: 3168 cmdline: 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\5hsRaLKPV6.jar" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)

conhost.exe (PID: 1356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

java.exe (PID: 6256 cmdline: java.exe -jar "C:\Users\user\Desktop\5hsRaLKPV6.jar" bombastic MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)

conhost.exe (PID: 1244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 6180 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1912 cmdline: tasklist.exe MD5: 0A4448B31CE7F83CB7691A2657F330F1)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
5hsRaLKPV6.jar	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.1404254971.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000003.00000003.1412901184.0000000000948000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000001.00000002.1404509529.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000001.00000002.1404433977.0000000000DBD000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000001.00000002.1404564718.0000000000F07000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000003.00000002.1491550634.0000000014B3B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Process Memory Space: 7za.exe PID: 3168	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Process Memory Space: java.exe PID: 6256	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Click to see the 3 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 5hsRaLKPV6.jar

Virustotal: Detection: 27%

Perma Link

Software Vulnerabilities

Exploit detected, runtime environment starts unknown processes

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Process created: C:\Windows\System32\conhost.exe

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Code function: 4x nop then cmp eax, dword ptr [ecx+04h]

3_2_023C8E18

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: seasonmonster.s3.us-east-1.amazonaws.com

Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.CHAMBERSIGN.ORG
Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000003.00000002.1490083892.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000003.00000002.1490083892.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000003.00000002.1490083892.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000003.00000002.1490083892.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1491804179.0000000014FA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000003.00000002.1490083892.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000003.00000002.1490083892.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000003.00000002.1490083892.0000000009A23000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.000000000995A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009984000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1491804179.0000000015089000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/3=
Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/s(
Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm39
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: 5hsRaLKPV6.jar	String found in binary or memory: https://branchlock.net
Source: 7za.exe, 00000001.00000002.1404564718.0000000000F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://branchlock.netf
Source: 7za.exe, 00000001.00000002.1404509529.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://branchlock.netk
Source: java.exe, 00000003.00000002.1491550634.0000000014B3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://branchlock.nett
Source: java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: java.exe, 00000003.00000002.1488991611.00000000047B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/email.js
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar
Source: java.exe, 00000003.00000002.1488991611.00000000047B4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: classification engine

Classification label: mal64.expl.evad.winJAR@10/8@1/1

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Vault\cred

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4708:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_03

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\System32\7za.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5hsRaLKPV6.jar

Virustotal: Detection: 27%

Source: unknown	Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\5hsRaLKPV6.jar"
Source: C:\Windows\System32\7za.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe java.exe -jar "C:\Users\user\Desktop\5hsRaLKPV6.jar" bombastic
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
Source: C:\Windows\SysWOW64\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe	Jump to behavior

Source: C:\Windows\System32\7za.exe	Section loaded: 7z.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Data Obfuscation

Yara detected Branchlock Obfuscator

Source: Yara match	File source: 5hsRaLKPV6.jar, type: SAMPLE
Source: Yara match	File source: 00000001.00000003.1404254971.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1412901184.0000000000948000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1404509529.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1404433977.0000000000DBD000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1404564718.0000000000F07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1491550634.0000000014B3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 7za.exe PID: 3168, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: java.exe PID: 6256, type: MEMORYSTR

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_023CB277 push es; iretd	3_2_023CB27E
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_023CD691 push cs; retf	3_2_023CD6B1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_023C5870 pushad ; iretd	3_2_023C5871
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_023CB531 push ecx; retn 0022h	3_2_023CB5E6
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232D8F7 push 00000000h; mov dword ptr [esp], esp	3_2_0232D921
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232A21B push ecx; ret	3_2_0232A225
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232A20A push ecx; ret	3_2_0232A21A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232BB67 push 00000000h; mov dword ptr [esp], esp	3_2_0232BB8D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232B3B7 push 00000000h; mov dword ptr [esp], esp	3_2_0232B3DD
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232D8E0 push 00000000h; mov dword ptr [esp], esp	3_2_0232D921
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232B947 push 00000000h; mov dword ptr [esp], esp	3_2_0232B96D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Code function: 3_2_0232C477 push 00000000h; mov dword ptr [esp], esp	3_2_0232C49D

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Windows\SysWOW64\tasklist.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE8
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE8

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Code function: 3_2_023CB6C4 sldt word ptr [eax]

3_2_023CB6C4

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: java.exe, 00000003.00000002.1487288527.000000000090B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6oY
Source: java.exe, 00000003.00000003.1430792617.00000000148F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000003.00000003.1430792617.00000000148F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000003.00000002.1487288527.000000000090B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: java.exe, 00000003.00000003.1430792617.00000000148F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000003.00000002.1487288527.000000000090B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware.exe8
Source: java.exe, 00000003.00000003.1430792617.00000000148F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vboxtray.exe8

Source: C:\Windows\SysWOW64\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M			Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe			Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Code function: 3_2_023203C0 cpuid

3_2_023203C0

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6256 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Services File Permissions Weakness	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Services File Permissions Weakness	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
5hsRaLKPV6.jar	0%	ReversingLabs
5hsRaLKPV6.jar	27%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.quovadis.bm39	0%	Avira URL Cloud	safe
https://branchlock.netk	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com	0%	Avira URL Cloud	safe
https://branchlock.nett	0%	Avira URL Cloud	safe
http://repository.swisssign.com/s(	0%	Avira URL Cloud	safe
http://repository.swisssign.com/3=	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/email.js	0%	Avira URL Cloud	safe
https://branchlock.netf	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar	0%	Avira URL Cloud	safe
https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-r-w.us-east-1.amazonaws.com	52.216.210.114	true	false		high
seasonmonster.s3.us-east-1.amazonaws.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.xrampsecurity.com/XGCA.crl	java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://branchlock.nett	java.exe, 00000003.00000002.1491550634.0000000014B3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/s(	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://repository.luxtrust.lu0	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://branchlock.netk	7za.exe, 00000001.00000002.1404509529.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreport.sun.com/bugreport/	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://java.oracle.com/	java.exe, 00000003.00000002.1490083892.00000000099D2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/	java.exe, 00000003.00000002.1490083892.0000000009B34000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1491804179.0000000014FA8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
HTTP://WWW.CHAMBERSIGN.ORG	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://branchlock.net	5hsRaLKPV6.jar	false		high
http://policy.camerfirma.com	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm39	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/3=	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/email.js	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl	java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu	java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com	java.exe, 00000003.00000002.1488991611.00000000047B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf	java.exe, 00000003.00000002.1488991611.00000000047B4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false		high
https://branchlock.netf	7za.exe, 00000001.00000002.1404564718.0000000000F07000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm	java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersroot.crl	java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	java.exe, 00000003.00000002.1488991611.00000000048C4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1490083892.0000000009BD8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org	java.exe, 00000003.00000002.1488991611.000000000450B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	java.exe, 00000003.00000002.1488991611.0000000004895000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.1491804179.0000000015089000.00000004.00000020.00020000.00000000.sdmp	false		high
https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar	java.exe, 00000003.00000002.1490083892.0000000009A55000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.216.210.114	s3-r-w.us-east-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590513
Start date and time:	2025-01-14 08:23:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Tracing
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5hsRaLKPV6.jar renamed because original name is a hash value
Original Sample Name:	ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7
Detection:	MAL
Classification:	mal64.expl.evad.winJAR@10/8@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 71% Number of executed functions: 18 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .jar Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.95.31.18
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target java.exe, PID 6256 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.us-east-1.amazonaws.com	Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	3.5.12.103
	Mansourbank Swift-TT379733 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	52.216.29.192
	Mansourbank Swift-TT680169 Report.svg	Get hash	malicious	Branchlock Obfuscator	Browse	52.217.119.34
	Wupos Reciept.pdf.jar	Get hash	malicious	Branchlock Obfuscator	Browse	52.216.217.130
	Swift Transaction Report.js	Get hash	malicious	Branchlock Obfuscator	Browse	16.182.70.66
	Swift Transaction Report.js	Get hash	malicious	Branchlock Obfuscator	Browse	54.231.134.106
	https://midoregoncu-securemessagecenter.s3.us-east-1.amazonaws.com/open/message_12832.html	Get hash	malicious	HTMLPhisher	Browse	54.231.130.18
	http://img1.wsimg.com/blobby/go/9b6ed793-452c-4f8f-8f80-6847f4d114d7/downloads/71318864754.pdf	Get hash	malicious	Unknown	Browse	52.217.134.50
	https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html	Get hash	malicious	Unknown	Browse	52.217.41.32

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://email.lc.haxconsulting.com/c/eJx0k0tv4zgQhH-NdBk4kKgHrQMPdhI5mck78djJRaDIlsSYD4WkpLF__cJOsLvAZq_FLnbhQzWrBCdJS6-fh9_RaK9H9Muk6c9yE3LCCkjrLORGUaGJZGcd_cOMdoP0QrdnzKivt8pMGqzrRF_5fQ-EtqDZvqLOiVYDD4HEOMnxvMB5EoKiQlYKnKMtHLdv5i83BT5n4-tb-75JAbPHy6-p02-Mqp6KVv9LO9pyPE9ZwVKaZjlkgBjkRVEjHIIehTVagfakt4YPzAujw45EeRrF0RziBvIoyeskRxgwwlma0ajAPBQERSiL4jg55o2Ss2YOOYWszps4a5o6CtLoWwySdN73LkgWASoDVE7T9N-pAJXcTFoaymeOSmr3s3YQHGYDhSApG2GdrzRVECQXdyBkgHJJ_5GuqNsJ7QKUnzgEyYUGIbsvNY0644_656a874w-uqIs-lGk6Q-UFjiUrPpkKLQHq6kka1Q6vvq928YBWm7z65vVxHE3FgEq59i-jvvVs0xEw7L6_MK2IhvbP_TKJn77qF7k3TSixbC_V5cBWuI33j_fivpGtZOAqN0Zxga7eJCXr-uXzfMHlIcjgANevhv8USfN_ZM-L_Dhoeu38GTXt4sALYfFzheHl3LNy1VZjw8iQOU6QOWmvb3vrqbc9Y17WtynH9OVVkrF8qdedwDgHtt4eTkPpTn1ebm6Sd7eV-rWxvS93979kt02VOA7wwntRWisaIUm9SB3sxOQsLdmFBwskUA5M1oD88aGlvwv49CZwTIgJ_9MuHE2GbsDG3pyTPFtBE-YUdW31-YJ-Orvpo8E_RUAAP__dHE7Qw	Get hash	malicious	Unknown	Browse	18.245.31.88
	Discord.exe	Get hash	malicious	AsyncRAT	Browse	3.127.138.57
	http://locrmhelp.com	Get hash	malicious	Unknown	Browse	52.84.151.46
	https://imtcoken.im/	Get hash	malicious	Unknown	Browse	143.204.215.6
	http://www.toekan.im/	Get hash	malicious	Unknown	Browse	143.204.215.6
	http://bu9.fysou.web.id/webs6/cx.aktifkn.fiturr	Get hash	malicious	Unknown	Browse	108.138.26.27
	http://bu9.fysou.web.id/webs6/aktrfn.fitur.pylter	Get hash	malicious	Unknown	Browse	108.138.26.116
	http://pub-dfc04553e9094cfc93a2df6d57084097.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	3.75.10.80
	https://metahorizonsfacebooksupport.tempisite.com/italy39	Get hash	malicious	HTMLPhisher	Browse	54.229.247.168

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.935546689086913
Encrypted:	false
SSDEEP:	3:oFj4I5vpm4UStyXyn:oJ5bPn
MD5:	71BB2661A134E044A3E3CF0B48A4785C
SHA1:	9295AB1F4C70B60EB427B20D37E6AEFA38A42A7F
SHA-256:	BE7F306BDD7A646968F6038C461AF4B27DB699C227D6F7914F4DAB6E7A1BA406
SHA-512:	BB05987658BC36FCDAC3939C3F459E13A1321B8571D9FDB089DDC2154E035639B7F69E3A3FB9D0A7656E7648EE4408DEE9215A7882D3B121E1039517460FD248
Malicious:	false
Reputation:	low
Preview:	C:\Program Files (x86)\Java\jre-1.8..1736839455772..

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6256

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2828140813520312
Encrypted:	false
SSDEEP:	96:hZpryk8GEJlPLAe6L6JCwgUUvWFi7JYpHG1bow4:hZR8GEBLAe6L6TU+FuJUHGd
MD5:	64AD91969A66215D94D5AF26B75ED389
SHA1:	1DB22F90DE654BB22B721E4B843991E191DAAB88
SHA-256:	50D1CF9831B7CEFE7D3C67F80071E551475F6C54F3C6E9C36078F9BBC8C618BC
SHA-512:	1CEC1FDF94CC97B241DCCAB637B533117EB146AA7787545301C4328CC82DC1DAA846DAD11F71A8B6F9566F977E4EE80DC1774BE82676E7B4026A9C2C89133024
Malicious:	false
Reputation:	low
Preview:	.........8.......m...... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwlt7n:WNn
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Preview:	........................................J2SE.

C:\jar\?.class

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	compiled Java class data, version 52.0 (Java 1.8)
Category:	dropped
Size (bytes):	7467
Entropy (8bit):	6.386422292092153
Encrypted:	false
SSDEEP:	96:pyeC0vsKCbHxPLLBfvmG8L6d7xyBdxa7/ky8mnMINS5ju/Nn1:pyjGlCbRTLBfvw6dkG7/ky1ZNAS11
MD5:	7453970A7579358CC210524FBA8D3DAA
SHA1:	1B2A7B1240AA287521867830E7ADE213AC872B98
SHA-256:	B8BA3624315FC214D9BEDABE20E9851D4E7BF6131CC426BA15181D00EA997B79
SHA-512:	EF4E77595745D6476DBA10BB8B51D890C010966D5E577999991C91FF03AAAD4A2F204B1A5B60F5A1B76D9FC385DE23058BD323DC44CFBAD4E5D11B32E5F088F9
Malicious:	false
Preview:	.......4.A..........java/lang/Throwable..........[Ljava/lang/Object;.......[Ljava/lang/String;...(Ljava/lang/Object;II)V...java/io/IOException......java/lang/InterruptedException......java/lang/Exception............&java/lang/ReflectiveOperationException...............96....8...java/lang/String......bombastic............)(Ljava/lang/Object;[Ljava/lang/Object;I)I............../...!.........#...<init>..'(Ljava/lang/String;Ljava/lang/String;)V..%.&..".'......_(Ljava/lang/Object;Ljava/lang/Object;ILjava/lang/Object;[Ljava/lang/Object;I)Ljava/lang/Object;..).*....+......N(Ljava/lang/Object;IILjava/lang/Object;[Ljava/lang/Object;I)Ljava/lang/Object;..-....../....l..../...2......;(CLjava/lang/Object;[Ljava/lang/Object;I)Ljava/lang/Object;..4.5....6..$java/util/concurrent/ExecutorService..8...()V..:...(Ljava/io/File;)V....<....=...>...(Ljava/lang/invoke/MethodHandles$Lookup;Ljava/lang/String;Ljava/lang/invoke/MethodType;Ljava/lang/invoke/MethodType;Ljava/lang/invoke/MethodHandl

C:\jar\?\?.class

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	compiled Java class data, version 52.0 (Java 1.8)
Category:	dropped
Size (bytes):	709
Entropy (8bit):	5.436349643687698
Encrypted:	false
SSDEEP:	12:QwpbRaBt0ETsn+2TRsf5VUuNh+TQdldqPgNj4w8MFMjgMu1:Q6aVTsn/9QfH8MFugMK
MD5:	5D09EAC457D870F1D508AEB4D2F005F4
SHA1:	52E9AC3556123DECC93C5494C742DC4BE01631BC
SHA-256:	CABEA422089E3C7DF8808727733F2EBAE6B312C856834196A0D74D3CDCFB183F
SHA-512:	F0DBB371D4F46CA2197A4C7AEAAEAA58023FDF5D1B480C37C79C24C66382D0061BF66E158A6FDE7B0C1A9068DDE5A09F615A1F07FA3516CFCE450E11C91178F2
Malicious:	false
Preview:	.......4.+..../.......java/io/InputStreamReader..........[Ljava/lang/Object;...<clinit>...()V...java/lang/Object....f#.........java/lang/Long......valueOf...(J)Ljava/lang/Long;............[.....>................'(I)Ljava/lang/management/RuntimeMXBean;..&java/lang/management/ManagementFactory............:(Ljava/lang/Object;[Ljava/lang/Object;I)Ljava/lang/Object;............"java/lang/management/RuntimeMXBean.. ...<init>...(Ljava/io/InputStream;)V..".#....$.......(C)Ljava/awt/Desktop;...java/awt/Desktop..(...Code................................&............Y.......SY.......S...................................7.....!........".#...............+..%........&.'...*.............)....6.....).......

C:\jar\Branchlock_?.class

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	compiled Java class data, version 52.0 (Java 1.8)
Category:	dropped
Size (bytes):	1834
Entropy (8bit):	3.4908661873375055
Encrypted:	false
SSDEEP:	24:b4m8AuMo7QDsoE9fYy4aSwm5ehz6FB2HR/8Ecaf+D88Zq6ZbvVDn5TJyyRDsaZQm:b4m8somTmR02WJEVvrfrs
MD5:	238309786CC1B908892502E152A49A60
SHA1:	72D78AF1A6C8905F8802C991402EF08ECC1612E9
SHA-256:	7B63F628961DF21D2C89A794574D26D171A40FA5C98857309D54D011279884DB
SHA-512:	CC046818C6E7BBD94D2FCCBF389A1C8EBE16E9225414B119DDF24CE153FD73B2884C5DF650BAAFE12EE36FAC6D3C2A9511BF7F3D968700C272F3AE2EAB4D808B
Malicious:	false
Preview:	.......4.D...Branchlock_.......java/lang/Object..........Ljava/lang/String;..: * .........: ###. .........: #######( .........: ################# .........: ## .################## .........: (####### .####. .*######### .........: ########, .#. .#######. .........: #######, #######. .........: ######, #######. .........: (######. #######. .."..........: #######. #######, ..&......: ######## (#######, ## ..)......: ##########. ##### ..,......: ########

C:\jar\META-INF\MANIFEST.MF

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	59
Entropy (8bit):	4.375258354962731
Encrypted:	false
SSDEEP:	3:ZLCAWIzBEnbzHELGvS14:1KItUbzHyGJ
MD5:	3C6B699D521DDBB93869D35610D86ADA
SHA1:	4747133B51B6171DB1F68D8B7119310333D8807E
SHA-256:	AD8EFAA22B3BA49B93ADFC93BEF58B3C618AAC0BC3BEBB7558EA507504F7053F
SHA-512:	0E4B2FD657E70E49CFB8F49CBCD23CB11A29EE734EA4827670E9B6129C1D4CA0B52FC7EBE0020B6FF94378347334F722D4861EC423DD99A9A5199CBA92C5DF58
Malicious:	false
Preview:	Manifest-Version: 1.0.Main-Class: bombastic.Class-Path: ...

C:\jar\bombastic.class

Download File

Process:	C:\Windows\System32\7za.exe
File Type:	compiled Java class data, version 52.0 (Java 1.8)
Category:	dropped
Size (bytes):	14875
Entropy (8bit):	6.638357662906348
Encrypted:	false
SSDEEP:	384:NuZ7hHpqqNdAQP79S+VytV34p4doxVyAyKpAF:vkdPU+VytV34p4doxsFKuF
MD5:	07CDA5F9F90C234106CC7E8887B17145
SHA1:	5B74EE2D8C3930A56941AFFC0B0C9C4C242A64CE
SHA-256:	FFBF3D15A8D52E694D7AAC03483F0D228888DDEC7A78107FB0D5EFBF55D0539D
SHA-512:	A3377FC40E82F9441D1E0C9BFA2FEE186AAE931FE4ED3891D397F889B5E15A62474DEC96302F430BDFEC4B1D62BE1E76E71584E3DCC872268D19DCB643F1A979
Malicious:	false
Preview:	.......4.....bombastic......java/lang/Object..........I...................Ljava/util/List;.......[Ljava/lang/String;...........[Ljava/lang/Object;...<clinit>...()V..#java/lang/IndexOutOfBoundsException....................G...........Q............G........F...............................K......B.....C...............................................C.L........................]...........P..................Q........N...............A..............]....#...7....-....../...........)..................................C.(...K....................

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.948030467353428
TrID:	Java Archive (13504/1) 62.80% ZIP compressed archive (8000/1) 37.20%
File name:	5hsRaLKPV6.jar
File size:	21'359 bytes
MD5:	8e96e66f83e748d267df96390c880297
SHA1:	bae891900c7c646f62a9b51c27f5b13a30cc9589
SHA256:	ae345b40d165255284bf4c6ab00a871fcb035b552ac0b20b3cfb19e4644e49b7
SHA512:	cee16641bbbbf2da2d1ae7af00e6b266de0374b955c37933061c4d1641aac4cd1216a05c2140cb9203b0dc9cf565c686d5c04cd884eb44c578cd40605f7f7224
SSDEEP:	384:OAJjyCdE1n02lxzHm8QkdduiQpbkl/JZ476rvusoEyPsh719/buA5OB5/6RkhZgK:PJy1npQm5QxkBcyvulbkB19/buAoX/Rf
TLSH:	D6A2E1263CF6065DD43BE071AC374873D08D967848CAD22B1576ABA5427AE3313A2FDC
File Content Preview:	PK........%.$Z................META-INF/MANIFEST.MFUT.....yg.....M..LK-...K-....R0.3..M...u.I,..RH..MJ,..L.....$.dX).qq..PK..{D.Y:...;...PK.........9%Z................../....class.R[O.A.=C...k..P.h.E]. J.....bDI..m....k.-../..7..Q\|...@c..f..^.!./..4.....

File Icon


Icon Hash:	d08c8e8ea2868a54

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 10
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 08:24:19.994956970 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:19.994982004 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:19.995162964 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:20.130414963 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:20.130446911 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:20.685987949 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:20.686065912 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:20.686088085 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:20.686165094 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:20.717562914 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:20.717600107 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:21.311986923 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:21.312064886 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:21.312342882 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:21.312350035 CET	49707	443	192.168.2.9	52.216.210.114
Jan 14, 2025 08:24:21.312371016 CET	443	49707	52.216.210.114	192.168.2.9
Jan 14, 2025 08:24:21.312402964 CET	49707	443	192.168.2.9	52.216.210.114

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 08:24:19.973506927 CET	56474	53	192.168.2.9	1.1.1.1
Jan 14, 2025 08:24:19.992058992 CET	53	56474	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 08:24:19.973506927 CET	192.168.2.9	1.1.1.1	0x9de4	Standard query (0)	seasonmonster.s3.us-east-1.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	seasonmonster.s3.us-east-1.amazonaws.com	s3-r-w.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		52.216.210.114	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		54.231.135.210	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		16.182.107.250	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		52.216.250.8	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		52.216.62.42	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		52.216.78.0	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		54.231.170.90	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:24:19.992058992 CET	1.1.1.1	192.168.2.9	0x9de4	No error (0)	s3-r-w.us-east-1.amazonaws.com		16.15.177.238	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• 7za.exe
• conhost.exe
• java.exe
• conhost.exe
• icacls.exe
• conhost.exe
• tasklist.exe
• conhost.exe

Click to jump to process

Memory Usage

• 7za.exe
• conhost.exe
• java.exe
• conhost.exe
• icacls.exe
• conhost.exe
• tasklist.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

System Behavior

Analysis Process: 7za.exePID: 3168, Parent PID: 3504

Function Logs

General

Target ID:	1
Start time:	02:24:11
Start date:	14/01/2025
Path:	C:\Windows\System32\7za.exe
Wow64 process (32bit):	true
Commandline:	7za.exe x -y -oC:\jar "C:\Users\user\Desktop\5hsRaLKPV6.jar"
Imagebase:	0xe90000
File size:	289'792 bytes
MD5 hash:	77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000001.00000003.1404254971.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000001.00000002.1404509529.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000001.00000002.1404433977.0000000000DBD000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000001.00000002.1404564718.0000000000F07000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	02:24:12
Start date:	14/01/2025
Path:	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Wow64 process (32bit):	true
Commandline:	java.exe -jar "C:\Users\user\Desktop\5hsRaLKPV6.jar" bombastic
Imagebase:	0xbe0000
File size:	257'664 bytes
MD5 hash:	9DAA53BAB2ECB33DC0D9CA51552701FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000003.00000003.1412901184.0000000000948000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000003.00000002.1491550634.0000000014B3B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Target ID:	5
Start time:	02:24:15
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0x8d0000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	02:24:16
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5hsRaLKPV6.jar

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6256

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\jar\?.class

C:\jar\?\?.class

C:\jar\Branchlock_?.class

C:\jar\META-INF\MANIFEST.MF

C:\jar\bombastic.class

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
5hsRaLKPV6.jar