Analysis Report jp2launcher.exe

Overview

General Information

Sample Name: jp2launcher.exe
Analysis ID: 352860
MD5: 092f1dfbfc3c59dd11248a919c480ba8
SHA1: 7166ee1eff110644f6050ed37dd3df865823e57b
SHA256: 8eb019c26a17e48470c1bf9a0f712019a931189b7ca72d62daaecdfcf1a14f8f

Detection

Score: 6
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Compliance:

Uses 32bit PE files
Source: jp2launcher.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
PE / OLE file has a valid certificate
Source: jp2launcher.exe Static PE information: certificate valid
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: jp2launcher.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin\jdk8u271\605\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb??3 source: jp2launcher.exe
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin\jdk8u271\605\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_00836802 memset,memset,GetEnvironmentVariableA,lstrcpyA,_mbsstr,memset,memset,GetWindowsDirectoryA,FindFirstFileA,FindFirstFileA,memset,memset,GetModuleFileNameA,strrchr,FindFirstFileA,FindClose,FindClose,FindClose,FindClose, 0_2_00836802
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_00831EAC memset,memset,GetEnvironmentVariableA,lstrcpyA,_mbsstr,memset,memset,GetWindowsDirectoryA,FindFirstFileA,FindFirstFileA,memset,memset,GetModuleFileNameA,strrchr,FindFirstFileA,FindClose,FindClose,FindClose,FindClose, 0_2_00831EAC
Source: jp2launcher.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: jp2launcher.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: jp2launcher.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: jp2launcher.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: jp2launcher.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: jp2launcher.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: jp2launcher.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: jp2launcher.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: jp2launcher.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: jp2launcher.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: jp2launcher.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: jp2launcher.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: jp2launcher.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: jp2launcher.exe String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Detected potential crypto function
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_00833209 0_2_00833209
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_00835305 0_2_00835305
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: String function: 00831A09 appears 37 times
Tries to load missing DLLs
Source: C:\Users\user\Desktop\jp2launcher.exe Section loaded: sfc.dll
Source: classification engine Classification label: clean6.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_00836C67 memset,OpenProcess,GetProcAddress,FreeLibrary,FreeLibrary,memset,CreateToolhelp32Snapshot,GetLastError,Sleep,Module32First,GetLongPathNameA,_mbsnbcpy_s,CloseHandle,CloseHandle, 0_2_00836C67
Source: C:\Users\user\Desktop\jp2launcher.exe Command line argument: -secure 0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe Command line argument: update 0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe Command line argument: block 0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe Command line argument: later 0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe Command line argument: true 0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe Command line argument: %llu 0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe Command line argument: false 0_2_008314A4
Source: jp2launcher.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jp2launcher.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jp2launcher.exe String found in binary or memory: -help
Source: jp2launcher.exe String found in binary or memory: LoadLibraryExA-d32-client-server-verbose-version-showversion-help-X-ea-enableassertions-da-disableassertions-esa-enablesystemassertions-dsa-disablesystemassertions-Xmixed-Xint-Xnoclassgc-Xincgc-Xbatch-Xprof-Xdebug-Xfuture-Xrs-XX:+ForceTimeHighResolution-XX:-ForceTimeHighResolution-XX:+PrintGCDetails-XX:+PrintGCTimeStamps-XX:+PrintHeapAtGC-XX:+PrintTenuringDistribution-XX:+TraceClassUnloading-XX:+CMSClassUnloadingEnabled-XX:+CMSIncrementalPacing-XX:+UseConcMarkSweepGC-XX:-ParallelRefProcEnabled-XX:+DisableExplicitGC-XX:+UseG1GC-XX:+HeapDumpOnOutOfMemoryError-XX:-TransmitErrorReport-XstartOnFirstThread-XX:+UseStringDeduplication-XX:+PrintStringDeduplicationStatistics-XX:+UseParallelOldGC-XX:-UseParallelOldGC-XX:+UseParallelOldGCCompacting-XX:-UseParallelOldGCCompacting-XX:+UseParallelGC-XX:-UseParallelGC-XX:+UseGCTimeLimit-XX:-UseGCTimeLimit-XX:+UseGCOverheadLimit-XX:-UseGCOverheadLimit-XX:+ScavengeBeforeFullGC-XX:-ScavengeBeforeFullGC-XX:+UseParallelScavenge-XX:-UseParallelScavenge-ea:-enableassertions:-da:-disableassertions:-verbose:-Xmn-Xms-Xmx-Xss-XX:NewRatio-XX:NewSize-XX:MaxNewSize-XX:PermSize-XX:MaxPermSize-XX:MaxHeapFreeRatio-XX:MinHeapFreeRatio-XX:-UseSerialGC-XX:ThreadStackSize-XX:MaxInlineSize-XX:ReservedCodeCacheSize-XX:MaxDirectMemorySize-XX:PrintCMSStatistics-XX:SurvivorRatio-XX:MaxTenuringThreshold-XX:CMSMarkStackSize-XX:CMSMarkStackSizeMax-XX:CMSIncrementalDutyCycleMin-XX:ParallelCMSThreads-XX:ParallelGCThreads-XX:CMSInitiatingOccupancyFraction-XX:+UseCompressedOops-XX:GCPauseIntervalMillis-XX:MaxGCPauseMillis-XX:+CMSIncrementalMode-XX:MaxMetaspaceSize-XX:StringDeduplicationAgeThreshold-XX:GCTimeLimit-XX:GCHeapFreeLimitsun.java2d.noddrawjavaws.cfg.jauthenticatorswing.useSystemFontSettingsswing.metalThemehttp.agenthttp.keepAlivesun.awt.noerasebackgroundsun.java2d.openglsun.java2d.d3djava.awt.syncLWRequestsjava.awt.Window.locationByPlatformsun.awt.erasebackgroundonresizesun.awt.keepWorkingSetOnMinimizeswing.noxpswing.boldMetalawt.useSystemAAFontSettingssun.java2d.dpiawaresun.awt.disableMixingsun.lang.ClassLoader.allowArraySyntaxjava.awt.smartInvalidateapple.laf.useScreenMenuBarjava.net.preferIPv4Stackjava.util.Arrays.useLegacyMergeSortsun.locale.formatasdefaultsun.awt.enableExtraMouseButtonscom.sun.management.jmxremote.local.onlysun.nio.ch.bugLevelsun.nio.ch.disableSystemWideOverlappingFileLockCheckjdk.map.althashing.thresholdjavaplugin.lifecycle.cachesize
Source: jp2launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jp2launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jp2launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jp2launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jp2launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jp2launcher.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: jp2launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jp2launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jp2launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jp2launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jp2launcher.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_00836FFF _mbsicmp,GetEnvironmentVariableA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress, 0_2_00836FFF
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_0083C256 push ecx; ret 0_2_0083C269
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_0083BB34 push ecx; ret 0_2_0083BB47

Malware Analysis System Evasion:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_00835BD3 _mbscmp,memset,memset,memset,CreateToolhelp32Snapshot,Process32First,CloseHandle,GetCurrentProcessId,Process32Next,CloseHandle,_mbsrchr,_mbsrchr,_mbsnbcpy_s,_mbsrchr,_mbsrchr,_mbsnbcmp,memset,__fprintf_l,CreateEventA,SetEvent,CloseHandle, 0_2_00835BD3
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\jp2launcher.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\jp2launcher.exe API coverage: 5.2 %
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_0083CE91 VirtualQuery,GetSystemInfo, 0_2_0083CE91

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_0083C436 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0083C436
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_0083C5CC SetUnhandledExceptionFilter, 0_2_0083C5CC
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_0083B8AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0083B8AD

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_0083C28F cpuid 0_2_0083C28F
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_0083C621 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_0083C621
Source: C:\Users\user\Desktop\jp2launcher.exe Code function: 0_2_0083785A memset,GetVersionExA, 0_2_0083785A

No Screenshots

Behavior Graph

Behavior Graph ID: 352860
Sample: jp2launcher.exe
Startdate: 14/02/2021
Architecture: WINDOWS
Score: 6
Process started: jp2launcher.exe

No contacted IP infos