Analysis Report jp2launcher.exe

Overview

General Information

Sample Name:	jp2launcher.exe
Analysis ID:	352860
MD5:	092f1dfbfc3c59dd11248a919c480ba8
SHA1:	7166ee1eff110644f6050ed37dd3df865823e57b
SHA256:	8eb019c26a17e48470c1bf9a0f712019a931189b7ca72d62daaecdfcf1a14f8f

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

Compliance:

Uses 32bit PE files

Source: jp2launcher.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

PE / OLE file has a valid certificate

Source: jp2launcher.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: jp2launcher.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin\jdk8u271\605\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb??3 source: jp2launcher.exe
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin\jdk8u271\605\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe

Spreading:

Source: C:\Users\user\Desktop\jp2launcher.exe	Code function: 0_2_00836802 memset,memset,GetEnvironmentVariableA,lstrcpyA,_mbsstr,memset,memset,GetWindowsDirectoryA,FindFirstFileA,FindFirstFileA,memset,memset,GetModuleFileNameA,strrchr,FindFirstFileA,FindClose,FindClose,FindClose,FindClose,		0_2_00836802
Source: C:\Users\user\Desktop\jp2launcher.exe	Code function: 0_2_00831EAC memset,memset,GetEnvironmentVariableA,lstrcpyA,_mbsstr,memset,memset,GetWindowsDirectoryA,FindFirstFileA,FindFirstFileA,memset,memset,GetModuleFileNameA,strrchr,FindFirstFileA,FindClose,FindClose,FindClose,FindClose,		0_2_00831EAC

Networking:

Source: jp2launcher.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: jp2launcher.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: jp2launcher.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: jp2launcher.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: jp2launcher.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: jp2launcher.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: jp2launcher.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: jp2launcher.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: jp2launcher.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: jp2launcher.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: jp2launcher.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: jp2launcher.exe	String found in binary or memory: http://ocsp.digicert.com0N
Source: jp2launcher.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: jp2launcher.exe	String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Detected potential crypto function

Source: C:\Users\user\Desktop\jp2launcher.exe	Code function: 0_2_00833209		0_2_00833209
Source: C:\Users\user\Desktop\jp2launcher.exe	Code function: 0_2_00835305		0_2_00835305

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\jp2launcher.exe

Code function: String function: 00831A09 appears 37 times

Tries to load missing DLLs

Source: C:\Users\user\Desktop\jp2launcher.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: jp2launcher.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: classification engine

Classification label: clean6.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\jp2launcher.exe

Code function: 0_2_00836C67 memset,OpenProcess,GetProcAddress,FreeLibrary,FreeLibrary,memset,CreateToolhelp32Snapshot,GetLastError,Sleep,Module32First,GetLongPathNameA,_mbsnbcpy_s,CloseHandle,CloseHandle,

0_2_00836C67

Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: -secure	0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: update	0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: block	0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: later	0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: true	0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: %llu	0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: update	0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: block	0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: later	0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: true	0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: %llu	0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: false	0_2_008314A4
Source: C:\Users\user\Desktop\jp2launcher.exe	Command line argument: %llu	0_2_008314A4

Source: jp2launcher.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\jp2launcher.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: jp2launcher.exe	String found in binary or memory: -help
Source: jp2launcher.exe	String found in binary or memory: LoadLibraryExA-d32-client-server-verbose-version-showversion-help-X-ea-enableassertions-da-disableassertions-esa-enablesystemassertions-dsa-disablesystemassertions-Xmixed-Xint-Xnoclassgc-Xincgc-Xbatch-Xprof-Xdebug-Xfuture-Xrs-XX:+ForceTimeHighResolution-XX:-ForceTimeHighResolution-XX:+PrintGCDetails-XX:+PrintGCTimeStamps-XX:+PrintHeapAtGC-XX:+PrintTenuringDistribution-XX:+TraceClassUnloading-XX:+CMSClassUnloadingEnabled-XX:+CMSIncrementalPacing-XX:+UseConcMarkSweepGC-XX:-ParallelRefProcEnabled-XX:+DisableExplicitGC-XX:+UseG1GC-XX:+HeapDumpOnOutOfMemoryError-XX:-TransmitErrorReport-XstartOnFirstThread-XX:+UseStringDeduplication-XX:+PrintStringDeduplicationStatistics-XX:+UseParallelOldGC-XX:-UseParallelOldGC-XX:+UseParallelOldGCCompacting-XX:-UseParallelOldGCCompacting-XX:+UseParallelGC-XX:-UseParallelGC-XX:+UseGCTimeLimit-XX:-UseGCTimeLimit-XX:+UseGCOverheadLimit-XX:-UseGCOverheadLimit-XX:+ScavengeBeforeFullGC-XX:-ScavengeBeforeFullGC-XX:+UseParallelScavenge-XX:-UseParallelScavenge-ea:-enableassertions:-da:-disableassertions:-verbose:-Xmn-Xms-Xmx-Xss-XX:NewRatio-XX:NewSize-XX:MaxNewSize-XX:PermSize-XX:MaxPermSize-XX:MaxHeapFreeRatio-XX:MinHeapFreeRatio-XX:-UseSerialGC-XX:ThreadStackSize-XX:MaxInlineSize-XX:ReservedCodeCacheSize-XX:MaxDirectMemorySize-XX:PrintCMSStatistics-XX:SurvivorRatio-XX:MaxTenuringThreshold-XX:CMSMarkStackSize-XX:CMSMarkStackSizeMax-XX:CMSIncrementalDutyCycleMin-XX:ParallelCMSThreads-XX:ParallelGCThreads-XX:CMSInitiatingOccupancyFraction-XX:+UseCompressedOops-XX:GCPauseIntervalMillis-XX:MaxGCPauseMillis-XX:+CMSIncrementalMode-XX:MaxMetaspaceSize-XX:StringDeduplicationAgeThreshold-XX:GCTimeLimit-XX:GCHeapFreeLimitsun.java2d.noddrawjavaws.cfg.jauthenticatorswing.useSystemFontSettingsswing.metalThemehttp.agenthttp.keepAlivesun.awt.noerasebackgroundsun.java2d.openglsun.java2d.d3djava.awt.syncLWRequestsjava.awt.Window.locationByPlatformsun.awt.erasebackgroundonresizesun.awt.keepWorkingSetOnMinimizeswing.noxpswing.boldMetalawt.useSystemAAFontSettingssun.java2d.dpiawaresun.awt.disableMixingsun.lang.ClassLoader.allowArraySyntaxjava.awt.smartInvalidateapple.laf.useScreenMenuBarjava.net.preferIPv4Stackjava.util.Arrays.useLegacyMergeSortsun.locale.formatasdefaultsun.awt.enableExtraMouseButtonscom.sun.management.jmxremote.local.onlysun.nio.ch.bugLevelsun.nio.ch.disableSystemWideOverlappingFileLockCheckjdk.map.althashing.thresholdjavaplugin.lifecycle.cachesize

Source: jp2launcher.exe

Static PE information: certificate valid

Source: jp2launcher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jp2launcher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jp2launcher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jp2launcher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jp2launcher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jp2launcher.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: jp2launcher.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: jp2launcher.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin\jdk8u271\605\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb??3 source: jp2launcher.exe
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin\jdk8u271\605\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe

Source: jp2launcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jp2launcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jp2launcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jp2launcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jp2launcher.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\jp2launcher.exe

Code function: 0_2_00836FFF _mbsicmp,GetEnvironmentVariableA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,

0_2_00836FFF

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\jp2launcher.exe	Code function: 0_2_0083C256 push ecx; ret		0_2_0083C269
Source: C:\Users\user\Desktop\jp2launcher.exe	Code function: 0_2_0083BB34 push ecx; ret		0_2_0083BB47

Malware Analysis System Evasion:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\Desktop\jp2launcher.exe

Code function: 0_2_00835BD3 _mbscmp,memset,memset,memset,CreateToolhelp32Snapshot,Process32First,CloseHandle,GetCurrentProcessId,Process32Next,CloseHandle,_mbsrchr,_mbsrchr,_mbsnbcpy_s,_mbsrchr,_mbsrchr,_mbsnbcmp,memset,__fprintf_l,CreateEventA,SetEvent,CloseHandle,

0_2_00835BD3

Found evasive API chain checking for process token information

Source: C:\Users\user\Desktop\jp2launcher.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\jp2launcher.exe

API coverage: 5.2 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\jp2launcher.exe	Code function: 0_2_00836802 memset,memset,GetEnvironmentVariableA,lstrcpyA,_mbsstr,memset,memset,GetWindowsDirectoryA,FindFirstFileA,FindFirstFileA,memset,memset,GetModuleFileNameA,strrchr,FindFirstFileA,FindClose,FindClose,FindClose,FindClose,		0_2_00836802
Source: C:\Users\user\Desktop\jp2launcher.exe	Code function: 0_2_00831EAC memset,memset,GetEnvironmentVariableA,lstrcpyA,_mbsstr,memset,memset,GetWindowsDirectoryA,FindFirstFileA,FindFirstFileA,memset,memset,GetModuleFileNameA,strrchr,FindFirstFileA,FindClose,FindClose,FindClose,FindClose,		0_2_00831EAC

Source: C:\Users\user\Desktop\jp2launcher.exe

Code function: 0_2_0083CE91 VirtualQuery,GetSystemInfo,

0_2_0083CE91

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\jp2launcher.exe

Code function: 0_2_0083C436 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0083C436

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\Desktop\jp2launcher.exe

0_2_00835BD3

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\jp2launcher.exe

Code function: 0_2_00836FFF _mbsicmp,GetEnvironmentVariableA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,

0_2_00836FFF

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\jp2launcher.exe	Code function: 0_2_0083C5CC SetUnhandledExceptionFilter,	0_2_0083C5CC
Source: C:\Users\user\Desktop\jp2launcher.exe	Code function: 0_2_0083B8AD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0083B8AD
Source: C:\Users\user\Desktop\jp2launcher.exe	Code function: 0_2_0083C436 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0083C436

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\jp2launcher.exe

Code function: 0_2_0083C28F cpuid

0_2_0083C28F

Source: C:\Users\user\Desktop\jp2launcher.exe

Code function: 0_2_0083C621 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0083C621

Source: C:\Users\user\Desktop\jp2launcher.exe

Code function: 0_2_0083785A memset,GetVersionExA,

0_2_0083785A

Screenshots

No Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	352860
Product:	CloudBasic
Start time:	21:25:51
Start date:	14.02.2021
Sample:	jp2launcher.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	092f1dfbfc3c59dd11248a919c480ba8
SHA1:	7166ee1eff110644f6050ed37dd3df865823e57b
SHA256:	8eb019c26a17e48470c1bf9a0f712019a931189b7ca72d62daaecdfcf1a14f8f
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Analysis Report jp2launcher.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map