Windows
Analysis Report
DWG Material, Standard BS 4360 GR. 40A43A.jar
Overview
General Information
Detection
Score: 72 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Exploit detected, runtime environment starts unknown processes
Uses dynamic DNS services
Uses cacls to modify the permissions of files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
Detected TCP or UDP traffic on non-standard ports
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- cmd.exe (PID: 244 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\DWG Material, Standard BS 4360 GR. 40A43A.jar"" >> C:\cmdlinestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- java.exe (PID: 5192 cmdline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\DWG Material, Standard BS 4360 GR. 40A43A.jar" MD5: 28733BA8C383E865338638DF5196E6FE)
- icacls.exe (PID: 6060 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
- conhost.exe (PID: 6044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- javaw.exe (PID: 5652 cmdline: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw" -jar "C:\Users\user\AppData\Local\Temp\dropbox3326252284114201190.jar MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
- javaw.exe (PID: 732 cmdline: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\dropbox3326252284114201190.jar MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
- javaw.exe (PID: 1652 cmdline: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\dropbox3326252284114201190.jar MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
- cleanup
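The process tree above carries the two behaviours worth operationalising: java.exe running the submitted JAR from the Desktop spawns javaw.exe on a freshly written JAR in %TEMP% (the second stage behind "runtime environment starts unknown processes"), and icacls grants Everyone modify on C:\ProgramData\Oracle\Java\.oracle_jre_usage. The second one is emitted by the Java 8 runtime's own usage tracker and appears in sandbox runs of benign JARs as well, so it should be down-weighted rather than treated as attacker ACL tampering. The following is an added example written for this page, not part of the sandbox output: it rebuilds the process-creation events as plain Python objects (the field names are an assumed schema, the -javaagent jartracer.jar is assumed to be sandbox instrumentation and is left out, and the parent PID of the respawned javaw.exe 732 is assumed, since the report does not show it) and applies both checks.

```python
"""Triage helpers for the Java process tree in this report (added example).

Reconstructs the process-creation events as plain objects and applies two
checks:
  1. a JVM launching a JAR out of %TEMP% whose parent is a JVM running a
     different JAR (the dropped second stage);
  2. separating the JRE 8 usage-tracker icacls call, which benign JARs also
     trigger, from other ACL grants.
Field names and the parent PID of PID 732 are assumptions, not report data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

JAVA_IMAGES = ("java.exe", "javaw.exe")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# -jar followed by a quoted path or a bare token. The sandbox log dropped the
# opening quote on PID 5652's command line, so the bare-token branch covers that.
JAR_RE = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# The Java 8 runtime itself grants Everyone modify on its usage-tracker folder.
JRE_USAGE_ACL_RE = re.compile(
    r'\\ProgramData\\Oracle\\Java\\\.oracle_jre_usage\s+/grant\s+"?everyone"?:\(OI\)\(CI\)M',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executable
    cmdline: str


# Constructed from the report's process tree (jartracer -javaagent omitted).
EVENTS: List[ProcEvent] = [
    ProcEvent(244, 1, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" '
              r'-jar "C:\Users\user\Desktop\DWG Material, Standard BS 4360 GR. 40A43A.jar"" >> C:\cmdlinestart.log 2>&1'),
    ProcEvent(5192, 244, r"C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe",
              r'"C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" '
              r'-jar "C:\Users\user\Desktop\DWG Material, Standard BS 4360 GR. 40A43A.jar"'),
    ProcEvent(6060, 5192, r"C:\Windows\system32\icacls.exe",
              r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M'),
    ProcEvent(5652, 5192, r"C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe",
              r'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw" -jar "C:\Users\user\AppData\Local\Temp\dropbox3326252284114201190.jar'),
    # Respawn of the same dropped JAR; parent PID assumed for the example.
    ProcEvent(732, 5652, r"C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe",
              r'"C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\dropbox3326252284114201190.jar"'),
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def jar_path(cmdline: str) -> Optional[str]:
    """Return the JAR given to -jar, or None if the command has no -jar."""
    m = JAR_RE.search(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2)).strip('"')


def find_temp_jar_second_stage(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """(child pid, parent pid, jar) for JVMs running a %TEMP% JAR whose parent
    is a JVM running a different JAR. A JVM respawning the same JAR is not
    reported again; the first drop is the event that matters."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if image_name(e.image) not in JAVA_IMAGES:
            continue
        jar = jar_path(e.cmdline)
        if jar is None or not TEMP_RE.search(jar):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or image_name(parent.image) not in JAVA_IMAGES:
            continue
        parent_jar = jar_path(parent.cmdline)
        if parent_jar is not None and parent_jar.lower() != jar.lower():
            hits.append((e.pid, parent.pid, jar))
    return hits


def classify_icacls(e: ProcEvent) -> Optional[str]:
    """Label icacls invocations; returns None for non-icacls events."""
    if image_name(e.image) != "icacls.exe":
        return None
    if JRE_USAGE_ACL_RE.search(e.cmdline):
        return "jre-usage-tracker"   # expected from the JRE itself; low signal
    if re.search(r"/grant", e.cmdline, re.IGNORECASE):
        return "acl-grant"           # unexpected ACL widening; review
    return "other"


if __name__ == "__main__":
    for child, parent, jar in find_temp_jar_second_stage(EVENTS):
        print(f"second-stage JAR: pid {child} (parent {parent}) -> {jar}")
    for ev in EVENTS:
        label = classify_icacls(ev)
        if label:
            print(f"icacls pid {ev.pid}: {label}")
```

Run against the constructed events, the second-stage check fires once, for javaw.exe 5652 launched by java.exe 5192 with the dropbox*.jar out of %TEMP%; the respawn by PID 732 runs the same JAR and is suppressed. The icacls event is labelled as the JRE usage-tracker grant rather than as a generic ACL change, which is the distinction the "Uses cacls to modify the permissions of files" signature does not make on its own.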
⊘No configs have been found
⊘No yara matches
⊘No Sigma rule has matched
Snort IDS alerts (Classtype for all six: A Network Trojan was detected; Protocol: TCP)

Timestamp | SID | Source | Destination
09/20/22-03:43:09.235489 | 2811175 | 194.5.98.141:5445 | 192.168.2.3:49710
09/20/22-03:43:09.235529 | 2811175 | 194.5.98.141:5445 | 192.168.2.3:49716
09/20/22-03:43:09.235557 | 2811175 | 194.5.98.141:5445 | 192.168.2.3:49714
09/20/22-03:43:09.235958 | 2811176 | 192.168.2.3:49710 | 194.5.98.141:5445
09/20/22-03:43:09.236098 | 2811176 | 192.168.2.3:49716 | 194.5.98.141:5445
09/20/22-03:43:09.236313 | 2811176 | 192.168.2.3:49714 | 194.5.98.141:5445
AV Detection
Source: ReversingLabs
Source: Virustotal
Source: Virustotal
Source: File opened
Software Vulnerabilities
Source: Process created
Networking
Source: Snort IDS (six alerts; see the Snort IDS alerts table above)
Source: DNS query
Source: TCP traffic
Source: ASN Name
Source: IP Address
Source: IP Address
Source: HTTP traffic detected