Windows
Analysis Report
jre-6-windows-i586.exe
Overview
General Information
Detection
Score: | 60 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Creates an undocumented autostart registry key
Creates autostart registry keys to launch java
Found suspicious ZIP file
Machine Learning detection for sample
PE file has a writeable .text section
Checks for available system drives (often done to infect USB drives)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sigma detected: Common Autorun Keys Modification
Sigma detected: Internet Explorer Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- jre-6-windows-i586.exe (PID: 612 cmdline: "C:\Users\user\Desktop\jre-6-windows-i586.exe" MD5: 55AB61022DAB7D960308C56FCAA1A7F3)
- msiexec.exe (PID: 6068 cmdline: "C:\Windows\SysWOW64\\msiexec.exe" /i "C:\Users\user\AppData\LocalLow\Sun\Java\jre1.6.0\jre1.6.0.msi" METHOD=joff MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 3472 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 5412 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 0706A44E185502DEE18F2AC4C12ABF0C C MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 5268 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9B70B2B81B7B7F095784D7E6B8DF4E62 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- msiexec.exe (PID: 7072 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding A29A8C8B6FA2D29B2615C3F18EF36D1B E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- zipper.exe (PID: 5424 cmdline: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\zipper.exe" "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\\core1.zip" "C:\Program Files (x86)\Java\jre1.6.0\\" "" MD5: 94B35117B42EE3D2E971127448047DF3)
- zipper.exe (PID: 2744 cmdline: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\zipper.exe" "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\\core2.zip" "C:\Program Files (x86)\Java\jre1.6.0\\" "" MD5: 94B35117B42EE3D2E971127448047DF3)
- zipper.exe (PID: 6720 cmdline: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\zipper.exe" "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\\core3.zip" "C:\Program Files (x86)\Java\jre1.6.0\\" "" MD5: 94B35117B42EE3D2E971127448047DF3)
- launcher.exe (PID: 3748 cmdline: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\\launcher.exe" "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\rt.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\rt.jar" MD5: CD1DD5A323E3F1EB75A8B39B2BBE6B9C)
- unpack200.exe (PID: 6816 cmdline: "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\rt.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\rt.jar" MD5: 45908B6BDE2C77056E77C975CE6FA77B)
- launcher.exe (PID: 1088 cmdline: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\\launcher.exe" "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\jsse.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\jsse.jar" MD5: CD1DD5A323E3F1EB75A8B39B2BBE6B9C)
- unpack200.exe (PID: 5888 cmdline: "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\jsse.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\jsse.jar" MD5: 45908B6BDE2C77056E77C975CE6FA77B)
- launcher.exe (PID: 7132 cmdline: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\\launcher.exe" "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\plugin.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\plugin.jar" MD5: CD1DD5A323E3F1EB75A8B39B2BBE6B9C)
- unpack200.exe (PID: 2216 cmdline: "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\plugin.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\plugin.jar" MD5: 45908B6BDE2C77056E77C975CE6FA77B)
- launcher.exe (PID: 1808 cmdline: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\\launcher.exe" "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\javaws.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\javaws.jar" MD5: CD1DD5A323E3F1EB75A8B39B2BBE6B9C)
- unpack200.exe (PID: 4132 cmdline: "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\javaws.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\javaws.jar" MD5: 45908B6BDE2C77056E77C975CE6FA77B)
- launcher.exe (PID: 2524 cmdline: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\\launcher.exe" "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\deploy.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\deploy.jar" MD5: CD1DD5A323E3F1EB75A8B39B2BBE6B9C)
- unpack200.exe (PID: 6324 cmdline: "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\deploy.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\deploy.jar" MD5: 45908B6BDE2C77056E77C975CE6FA77B)
- zipper.exe (PID: 1832 cmdline: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\zipper.exe" "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\\other.zip" "C:\Program Files (x86)\Java\jre1.6.0\\" "" MD5: 94B35117B42EE3D2E971127448047DF3)
- launcher.exe (PID: 3984 cmdline: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\\launcher.exe" "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\charsets.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\charsets.jar" MD5: CD1DD5A323E3F1EB75A8B39B2BBE6B9C)
- unpack200.exe (PID: 4892 cmdline: "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\charsets.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\charsets.jar" MD5: 45908B6BDE2C77056E77C975CE6FA77B)
- launcher.exe (PID: 3884 cmdline: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\\launcher.exe" "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\ext\localedata.jar" MD5: CD1DD5A323E3F1EB75A8B39B2BBE6B9C)
- unpack200.exe (PID: 5832 cmdline: "C:\Program Files (x86)\Java\jre1.6.0\bin\\unpack200.exe" -r -v -l "" "C:\Program Files (x86)\Java\jre1.6.0\\lib\ext\localedata.pack" "C:\Program Files (x86)\Java\jre1.6.0\\lib\ext\localedata.jar" MD5: 45908B6BDE2C77056E77C975CE6FA77B)
- patchjre.exe (PID: 2168 cmdline: "C:\Program Files (x86)\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0.b105\patchjre.exe" -s "C:\Program Files (x86)\Java\jre1.6.0\" MD5: 917E368E67D9CB1DCD422C0273DC675A)
- javaw.exe (PID: 876 cmdline: "C:\Program Files (x86)\Java\jre1.6.0\bin\\javaw.exe" -Xshare:dump MD5: 2BECBD5C00B3373017D65F441D4F9473)
- cleanup
No configs have been found
No yara matches
System Summary
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Source: | Author: frack113
Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
No Suricata rule has matched
AV Detection
Source: | Joe Sandbox ML
Source: | Static PE information
Source: | Window detected