Edit tour

Windows Analysis Report
java.exe

Overview

General Information

Sample Name:	java.exe
Analysis ID:	745315
MD5:	830ebc951ec7fe682a8917f58fdae098
SHA1:	078a4189fce94f757534d827344fbc55c5e04156
SHA256:	ac63f0631e9e20c2b3683bdcb1b8c1006a9b6430b95b1d1c0d2347cdf97df6e4
Infos:

Detection

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Detected Stratum mining protocol

Machine Learning detection for sample

Potential thread-based time evasion detected

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Abnormal high CPU Usage

Classification

Process Tree

System is w7x64

java.exe (PID: 1448 cmdline: C:\Users\user\Desktop\java.exe MD5: 830EBC951EC7FE682A8917F58FDAE098)

cleanup

Snort Signatures

ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) - Source IP: 192.168.2.22 - Destination IP: 109.71.252.45

Timestamp:	192.168.2.22109.71.252.45491714432831812 11/14/22-07:24:42.896816
SID:	2831812
Source Port:	49171
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-05-29 11) - Source IP: 192.168.2.22 - Destination IP: 109.71.252.45

Timestamp:	192.168.2.22109.71.252.45491714432831074 11/14/22-07:24:42.896816
SID:	2831074
Source Port:	49171
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a *.pw domain - Likely Hostile - Source IP: 192.168.2.22 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.228.8.8.855868532016778 11/14/22-07:24:42.601249
SID:	2016778
Source Port:	55868
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: java.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: java.exe	ReversingLabs: Detection: 58%
Source: java.exe	Virustotal: Detection: 56%			Perma Link

Multi AV Scanner detection for domain / URL

Source: eu.minerpool.pw

Virustotal: Detection: 14%

Perma Link

Machine Learning detection for sample

Source: java.exe

Joe Sandbox ML: detected

Bitcoin Miner

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 109.71.252.45:443 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 77 65 62 6c 57 69 6e 22 2c 22 70 61 73 73 22 3a 22 22 2c 22 61 67 65 6e 74 22 3a 22 4a 61 76 61 28 54 4d 29 20 50 6c 61 74 66 6f 72 6d 20 53 45 20 38 2f 31 2e 38 2e 30 5f 31 37 31 2d 62 31 31 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 31 39 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 data ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"weblwin","pass":"","agent":"java(tm) platform se 8/1.8.0_171-b11 (windows nt 6.1; win64; x64) libuv/1.38.0 msvc/2019","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","

Source: java.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2831812 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8) 192.168.2.22:49171 -> 109.71.252.45:443
Source: Traffic	Snort IDS: 2831074 ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-05-29 11) 192.168.2.22:49171 -> 109.71.252.45:443
Source: Traffic	Snort IDS: 2016778 ET DNS Query to a *.pw domain - Likely Hostile 192.168.2.22:55868 -> 8.8.8.8:53

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443

Source: unknown

DNS traffic detected: queries for: eu.minerpool.pw

Source: C:\Users\user\Desktop\java.exe

Process Stats: CPU usage > 98%

Source: java.exe

Static PE information: Section: UPX1 ZLIB complexity 0.9991264115124331

Source: java.exe	ReversingLabs: Detection: 58%
Source: java.exe	Virustotal: Detection: 56%

Source: C:\Users\user\Desktop\java.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\java.exe

Mutant created: \Sessions\1\BaseNamedObjects\4pC39Ev2yuzFY8izw76DGDJR

Source: classification engine

Classification label: mal92.evad.mine.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\java.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: java.exe

Static file information: File size 1639424 > 1048576

Source: java.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: java.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x18d200

Source: java.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\java.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\java.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: java.exe, 00000001.00000002.1423529584.000000000038E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXEW4

Potential thread-based time evasion detected

Source: Initial file

Signature Results: Thread-based counter

Source: C:\Users\user\Desktop\java.exe TID: 152	Thread sleep count: 329 > 30			Jump to behavior
Source: C:\Users\user\Desktop\java.exe TID: 152	Thread sleep time: -164500s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\java.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\java.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\java.exe

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	11 Virtualization/Sandbox Evasion	OS Credential Dumping	3 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Software Packing	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
java.exe	59%	ReversingLabs	Win64.Trojan.DisguisedXMRigMiner
java.exe	56%	Virustotal		Browse
java.exe	100%	Avira	HEUR/AGEN.1213003
java.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.0.java.exe.13fa10000.0.unpack	100%	Avira	HEUR/AGEN.1213003		Download File

Domains

Source	Detection	Scanner	Label	Link
eu.minerpool.pw	15%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
eu.minerpool.pw	107.182.129.82	true	false	15%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.71.252.45	unknown	Germany		207770	ATLANTIACLOUDNL	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	745315
Start date and time:	2022-11-14 07:23:55 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	java.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.evad.mine.winEXE@1/0@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe

Simulations

Behavior and APIs

Time	Type	Description
07:25:12	API Interceptor	256x Sleep call for process: java.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
eu.minerpool.pw	sasd.bat	Get hash	malicious	Browse	185.10.68.220
eu.minerpool.pw	services.exe	Get hash	malicious	Browse	185.10.68.86

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ATLANTIACLOUDNL	Dhl Waybill Document.doc	Get hash	malicious	Browse	109.71.253.24

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.998805720258012
TrID:	UPX compressed Win32 Executable (30571/9) 65.62% Win64 Executable (generic) (12005/4) 25.77% Generic Win/DOS Executable (2004/3) 4.30% DOS Executable Generic (2002/1) 4.30% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.02%
File name:	java.exe
File size:	1639424
MD5:	830ebc951ec7fe682a8917f58fdae098
SHA1:	078a4189fce94f757534d827344fbc55c5e04156
SHA256:	ac63f0631e9e20c2b3683bdcb1b8c1006a9b6430b95b1d1c0d2347cdf97df6e4
SHA512:	34ac7837e337d448708ee44e267fa7159d8af89362319164a4ad8a03ce244ac713a6fdc3cca23a820d275e8dd47eba4e931a14693f2e84f220adc0dd779a5643
SSDEEP:	49152:zpYmFTLZIKFp/XE9cp2us3AKrJ0Qt9s4C:zpYuxPE9cBs3AKraL4
TLSH:	857533A583746255CDDF05F8914F1CF0C85A7FDFAE28A31E2A66BE2287B33425190637
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...J^ec.....................0...0[...t..@[....@.............................Pt...........`................................

File Icon


Icon Hash:	8a8c8e8eaa868f86

Static PE Info

General

Entrypoint:	0x1407403d0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63655E4A [Fri Nov 4 18:47:38 2022 UTC]
TLS Callbacks:	0x40740f89, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	bb388b5fb16beacfa2a7403d25eaa8c4

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFE73C4Ah]
dec eax
lea edi, dword ptr [esi-005B3025h]
dec eax
lea eax, dword ptr [edi+006F6244h]
push dword ptr [eax]
mov dword ptr [eax], 840DFACFh
push eax
push edi
mov eax, 0073E4F1h
push eax
dec eax
mov ecx, esp
dec eax
mov edx, edi
dec eax
mov edi, esi
mov esi, 0018C3A6h
push ebp
dec eax
mov ebp, esp
inc esp
mov ecx, dword ptr [ecx]
dec ecx
mov eax, edx
dec eax
mov edx, esi
dec eax
lea esi, dword ptr [edi+02h]
push esi
mov al, byte ptr [edi]
dec edx
mov cl, al
and al, 07h
shr cl, 00000003h
dec eax
mov ebx, FFFFFD00h
dec eax
shl ebx, cl
mov cl, al
dec eax
lea ebx, dword ptr [esp+ebx*2-00000E78h]
dec eax
and ebx, FFFFFFC0h
push 00000000h
dec eax
cmp esp, ebx
jne 00007F3F3CB9BC8Bh
push ebx
dec eax
lea edi, dword ptr [ebx+08h]
mov cl, byte ptr [esi-01h]
dec edx
mov byte ptr [edi+02h], al
mov al, cl
shr cl, 00000004h
mov byte ptr [edi+01h], cl
and al, 0Fh
mov byte ptr [edi], al
dec eax
lea ecx, dword ptr [edi-04h]
push eax
inc ecx
push edi
dec eax
lea eax, dword ptr [edi+04h]
inc ebp
xor edi, edi
inc ecx
push esi
inc ecx
mov esi, 00000001h
inc ecx
push ebp
inc ebp
xor ebp, ebp
inc ecx
push esp
push ebp
push ebx
dec eax
mov dword ptr [esp-10h], ecx
dec eax
mov dword ptr [esp-28h], eax
mov eax, 00000001h
dec eax
mov dword ptr [esp-08h], esi
dec esp
mov dword ptr [esp-18h], eax
mov ebx, eax
inc esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x744b04	0x2d4	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x742000	0x2b04	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x70a000	0x1d970	UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x744dd8	0x2c	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x740fb0	0x28	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x741028	0x138	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x5b3000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x5b4000	0x18e000	0x18d200	False	0.9991264115124331	data	7.999803292136756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x742000	0x3000	0x3000	False	0.3019205729166667	data	5.576902214031187	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x742134	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States
RT_GROUP_ICON	0x7446e0	0x14	data	English	United States
RT_VERSION	0x7446f8	0x2ac	data	English	United States
RT_MANIFEST	0x7449a8	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	LsaClose
bcrypt.dll	BCryptGenRandom
CRYPT32.dll	CertOpenStore
IPHLPAPI.DLL	GetAdaptersAddresses
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
ole32.dll	CoInitializeEx
PSAPI.DLL	GetProcessMemoryInfo
USER32.dll	ShowWindow
USERENV.dll	GetUserProfileDirectoryW
WS2_32.dll	ioctlsocket

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.22109.71.252.45491714432831812 11/14/22-07:24:42.896816	TCP	2831812	ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-07-16 8)	49171	443	192.168.2.22	109.71.252.45
192.168.2.22109.71.252.45491714432831074 11/14/22-07:24:42.896816	TCP	2831074	ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-05-29 11)	49171	443	192.168.2.22	109.71.252.45
192.168.2.228.8.8.855868532016778 11/14/22-07:24:42.601249	UDP	2016778	ET DNS Query to a *.pw domain - Likely Hostile	55868	53	192.168.2.22	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2022 07:24:42.685228109 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:24:42.685296059 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:24:42.685374975 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:24:42.686233044 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:24:42.686265945 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:24:42.889381886 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:24:42.892291069 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:24:42.892344952 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:24:42.894368887 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:24:42.894596100 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:24:42.896470070 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:24:42.896496058 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:24:42.896604061 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:24:43.102992058 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:24:43.103234053 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:25:43.914841890 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:25:43.914923906 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:25:44.004998922 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:25:44.229959965 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:26:44.324513912 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:26:44.324578047 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:26:44.414793015 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:26:44.638382912 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:26:56.520035028 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:26:56.745023966 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:27:56.602669954 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:27:56.602761984 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:27:56.698777914 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:27:56.950782061 CET	49171	443	192.168.2.22	109.71.252.45
Nov 14, 2022 07:28:11.388005018 CET	443	49171	109.71.252.45	192.168.2.22
Nov 14, 2022 07:28:11.647259951 CET	49171	443	192.168.2.22	109.71.252.45

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2022 07:24:42.601248980 CET	55868	53	192.168.2.22	8.8.8.8
Nov 14, 2022 07:24:42.669042110 CET	53	55868	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 14, 2022 07:24:42.601248980 CET	192.168.2.22	8.8.8.8	0x7fd1	Standard query (0)	eu.minerpool.pw	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 14, 2022 07:24:42.669042110 CET	8.8.8.8	192.168.2.22	0x7fd1	No error (0)	eu.minerpool.pw	107.182.129.82	A (IP address)	IN (0x0001)	false
Nov 14, 2022 07:24:42.669042110 CET	8.8.8.8	192.168.2.22	0x7fd1	No error (0)	eu.minerpool.pw	109.71.252.45	A (IP address)	IN (0x0001)	false
Nov 14, 2022 07:24:42.669042110 CET	8.8.8.8	192.168.2.22	0x7fd1	No error (0)	eu.minerpool.pw	185.10.68.123	A (IP address)	IN (0x0001)	false
Nov 14, 2022 07:24:42.669042110 CET	8.8.8.8	192.168.2.22	0x7fd1	No error (0)	eu.minerpool.pw	185.10.68.220	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49171	109.71.252.45	443	C:\Users\user\Desktop\java.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-14 06:24:42 UTC	0	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 77 65 62 6c 57 69 6e 22 2c 22 70 61 73 73 22 3a 22 22 2c 22 61 67 65 6e 74 22 3a 22 4a 61 76 61 28 54 4d 29 20 50 6c 61 74 66 6f 72 6d 20 53 45 20 38 2f 31 2e 38 2e 30 5f 31 37 31 2d 62 31 31 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 36 2e 31 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 6c 69 62 75 76 2f 31 2e 33 38 2e 30 20 6d 73 76 63 2f 32 30 31 39 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"weblWin","pass":"","agent":"Java(TM) Platform SE 8/1.8.0_171-b11 (Windows NT 6.1; Win64; x64) libuv/1.38.0 msvc/2019","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","
2022-11-14 06:24:43 UTC	0	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 31 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 62 62 36 31 30 65 66 39 64 66 64 62 39 33 30 65 22 2c 22 6a 6f 62 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 33 31 33 66 30 62 64 63 37 39 62 30 36 39 31 62 61 33 65 31 66 38 34 34 65 36 35 31 31 63 35 31 36 34 64 36 38 64 37 32 30 64 36 31 37 36 38 36 34 66 63 34 32 39 38 36 38 64 37 32 38 62 33 39 61 62 33 64 36 33 66 37 39 38 30 35 35 30 30 30 30 30 30 62 66 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 Data Ascii: {"jsonrpc":"2.0","id":1,"error":null,"result":{"id":"bb610ef9dfdb930e","job":{"blob":"1313f0bdc79b0691ba3e1f844e6511c5164d68d720d6176864fc429868d728b39ab3d63f798055000000bf00000000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-11-14 06:25:43 UTC	1	OUT	Data Raw: 7b 22 69 64 22 3a 32 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6b 65 65 70 61 6c 69 76 65 64 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 62 62 36 31 30 65 66 39 64 66 64 62 39 33 30 65 22 7d 7d 0d 0a Data Ascii: {"id":2,"jsonrpc":"2.0","method":"keepalived","params":{"id":"bb610ef9dfdb930e"}}
2022-11-14 06:25:44 UTC	1	IN	Data Raw: 7b 22 69 64 22 3a 32 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4b 45 45 50 41 4c 49 56 45 44 22 7d 7d 0a Data Ascii: {"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}
2022-11-14 06:26:44 UTC	1	OUT	Data Raw: 7b 22 69 64 22 3a 33 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6b 65 65 70 61 6c 69 76 65 64 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 62 62 36 31 30 65 66 39 64 66 64 62 39 33 30 65 22 7d 7d 0d 0a Data Ascii: {"id":3,"jsonrpc":"2.0","method":"keepalived","params":{"id":"bb610ef9dfdb930e"}}
2022-11-14 06:26:44 UTC	1	IN	Data Raw: 7b 22 69 64 22 3a 33 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4b 45 45 50 41 4c 49 56 45 44 22 7d 7d 0a Data Ascii: {"id":3,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}
2022-11-14 06:26:56 UTC	1	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 33 31 33 62 30 62 66 63 37 39 62 30 36 31 65 61 34 32 32 36 62 65 66 39 34 66 64 31 63 38 36 63 34 62 31 35 62 38 65 31 36 33 32 33 32 62 38 30 64 32 64 39 32 34 66 32 30 30 34 62 33 36 64 63 38 65 38 30 63 64 34 31 39 65 36 66 61 30 30 30 30 30 30 62 66 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1313b0bfc79b061ea4226bef94fd1c86c4b15b8e163232b80d2d924f2004b36dc8e80cd419e6fa000000bf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2022-11-14 06:27:56 UTC	2	OUT	Data Raw: 7b 22 69 64 22 3a 34 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6b 65 65 70 61 6c 69 76 65 64 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 62 62 36 31 30 65 66 39 64 66 64 62 39 33 30 65 22 7d 7d 0d 0a Data Ascii: {"id":4,"jsonrpc":"2.0","method":"keepalived","params":{"id":"bb610ef9dfdb930e"}}
2022-11-14 06:27:56 UTC	2	IN	Data Raw: 7b 22 69 64 22 3a 34 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4b 45 45 50 41 4c 49 56 45 44 22 7d 7d 0a Data Ascii: {"id":4,"jsonrpc":"2.0","error":null,"result":{"status":"KEEPALIVED"}}
2022-11-14 06:28:11 UTC	2	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 33 31 33 66 61 62 66 63 37 39 62 30 36 62 61 36 33 66 62 34 38 62 61 39 66 39 32 33 34 37 39 31 34 63 37 32 38 32 64 62 30 64 31 35 36 66 37 63 34 32 39 30 31 62 65 61 39 65 65 64 34 31 36 31 32 64 39 39 38 61 35 33 62 38 62 34 39 30 30 30 30 30 30 62 66 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 Data Ascii: {"jsonrpc":"2.0","method":"job","params":{"blob":"1313fabfc79b06ba63fb48ba9f92347914c7282db0d156f7c42901bea9eed41612d998a53b8b49000000bf00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Target ID:	1
Start time:	07:25:11
Start date:	14/11/2022
Path:	C:\Users\user\Desktop\java.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\java.exe
Imagebase:	0x13fa10000
File size:	1639424 bytes
MD5 hash:	830EBC951EC7FE682A8917F58FDAE098
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report java.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: java.exePID: 1448, Parent PID: 1860

General

Chronological Activities

Windows Analysis Report
java.exe