Edit tour

Windows Analysis Report
Mtcn_1637256355_pdf.jar

Overview

General Information

Sample name:	Mtcn_1637256355_pdf.jar
Analysis ID:	1532153
MD5:	44699ea6b454cd863c21fd8128e0fd0e
SHA1:	34bd46468b48b25238d40f67a64ad8721f967e38
SHA256:	eb51ad2218a1759fd60f956739cbb885eb2ed2422ff23659b97c2547f81cec7b
Tags:	jaruser-abuse_ch
Infos:

Detection

Branchlock Obfuscator

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Branchlock Obfuscator

AI detected suspicious sample

Exploit detected, runtime environment starts unknown processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6512 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Mtcn_1637256355_pdf.jar"" >> C:\cmdlinestart.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

java.exe (PID: 6484 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Mtcn_1637256355_pdf.jar" MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)

icacls.exe (PID: 5920 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 5196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2800 cmdline: tasklist.exe MD5: 0A4448B31CE7F83CB7691A2657F330F1)

conhost.exe (PID: 3728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Mtcn_1637256355_pdf.jar	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.2113099983.0000000001078000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
00000002.00000002.2172947650.0000000015250000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security
Process Memory Space: java.exe PID: 6484	JoeSecurity_BranchlockObfuscator	Yara detected Branchlock Obfuscator	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.8% probability

Software Vulnerabilities

Exploit detected, runtime environment starts unknown processes

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\tasklist.exe

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: soakawaypit.s3.eu-west-1.amazonaws.com

Source: java.exe, 00000002.00000002.2171143861.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2162749884.000000000513A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2162749884.000000000513A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2162749884.000000000513A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000002.00000002.2171143861.000000000A20F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000002.00000002.2173529549.0000000015A9A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A40B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2173529549.00000000158E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000002.00000002.2171143861.000000000A5DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2162749884.000000000504F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A5DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000002.00000002.2162749884.000000000504F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/3
Source: java.exe, 00000002.00000002.2171143861.000000000A645000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000002.00000002.2171143861.000000000A5DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2162749884.000000000504F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A5DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: Mtcn_1637256355_pdf.jar	String found in binary or memory: https://branchlock.net
Source: java.exe, 00000002.00000003.2113099983.0000000001078000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://branchlock.netU
Source: java.exe, 00000002.00000002.2171143861.000000000A5DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2162749884.000000000504F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A5DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://soakawaypit.s3.eu-west-1.amazonaws.com/def.jar
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://soakawaypit.s3.eu-west-1.amazonaws.com/email.js
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://soakawaypit.s3.eu-west-1.amazonaws.com/ext.jar
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://soakawaypit.s3.eu-west-1.amazonaws.com/neft.pdf
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://soakawaypit.s3.eu-west-1.amazonaws.com/res.jar
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://soakawaypit.s3.eu-west-1.amazonaws.com/server.jar
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://soakawaypit.s3.eu-west-1.amazonaws.com/server1.jar
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://soakawaypit.s3.eu-west-1.amazonaws.com/startup.jar

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02B09BF0		2_2_02B09BF0
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02BA9DD0		2_2_02BA9DD0

Source: classification engine

Classification label: mal60.expl.evad.winJAR@10/4@1/1

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3728:120:WilError_03

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Mtcn_1637256355_pdf.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Mtcn_1637256355_pdf.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
Source: C:\Windows\SysWOW64\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Mtcn_1637256355_pdf.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Data Obfuscation

Yara detected Branchlock Obfuscator

Source: Yara match	File source: Mtcn_1637256355_pdf.jar, type: SAMPLE
Source: Yara match	File source: 00000002.00000003.2113099983.0000000001078000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2172947650.0000000015250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java.exe PID: 6484, type: MEMORYSTR

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02AD428D push ecx; retn 0022h	2_2_02AD4342
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02ACC7C8 push cs; ret	2_2_02ACC811
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02AD3FD3 push es; iretd	2_2_02AD3FDA
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02AC9F11 push cs; retf	2_2_02AC9F31
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02ACAB48 push eax; retf	2_2_02ACAB49
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02AD399B push es; iretd	2_2_02AD399E
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02AD3996 push es; iretd	2_2_02AD399A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A2D8F7 push 00000000h; mov dword ptr [esp], esp	2_2_02A2D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A2A20A push ecx; ret	2_2_02A2A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A2A21B push ecx; ret	2_2_02A2A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A2B3B7 push 00000000h; mov dword ptr [esp], esp	2_2_02A2B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A2BB67 push 00000000h; mov dword ptr [esp], esp	2_2_02A2BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A2D8E0 push 00000000h; mov dword ptr [esp], esp	2_2_02A2D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A2B947 push 00000000h; mov dword ptr [esp], esp	2_2_02A2B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A2C477 push 00000000h; mov dword ptr [esp], esp	2_2_02A2C49D

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Windows\SysWOW64\tasklist.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: REGMON.EXE
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AUTORUNS.EXE
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: FILEMON.EXE

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Code function: 2_2_02ACBE36 sldt cx

2_2_02ACBE36

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: java.exe, 00000002.00000003.2114653557.000000001506F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000003.2114653557.000000001506F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware.exe
Source: java.exe, 00000002.00000002.2162049093.000000000103B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000003.2114653557.000000001506F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000002.2162049093.000000000103B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000002.00000003.2114653557.000000001506F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000002.00000002.2162049093.000000000103B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Code function: 2_2_02B09BF0 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

2_2_02B09BF0

Source: C:\Windows\SysWOW64\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Mtcn_1637256355_pdf.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe	Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Code function: 2_2_02A203C0 cpuid

2_2_02A203C0

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6484 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\jartracer.jar VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procmon.exe
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tcpview.exe
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: wireshark.exe
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autoruns.exe
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe
Source: java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: regmon.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Services File Permissions Weakness	11 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Services File Permissions Weakness	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Mtcn_1637256355_pdf.jar	0%	ReversingLabs
Mtcn_1637256355_pdf.jar	5%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
s3-r-w.eu-west-1.amazonaws.com	0%	Virustotal		Browse
soakawaypit.s3.eu-west-1.amazonaws.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://bugreport.sun.com/bugreport/	0%	URL Reputation	safe
http://java.oracle.com/	0%	URL Reputation	safe
http://repository.swisssign.com/0	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl0	0%	URL Reputation	safe
http://www.quovadisglobal.com/cps	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl	0%	URL Reputation	safe
http://www.quovadisglobal.com/cps0	0%	URL Reputation	safe
http://repository.swisssign.com/	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl	0%	Virustotal		Browse
http://crl.chambersign.org/chambersroot.crl0	0%	Virustotal		Browse
http://cps.chambersign.org/cps/chambersroot.html0	0%	Virustotal		Browse
http://null.oracle.com/	0%	Virustotal		Browse
http://policy.camerfirma.com	0%	Virustotal		Browse
https://branchlock.net	1%	Virustotal		Browse
https://ocsp.quovadisoffshore.com	0%	Virustotal		Browse
http://repository.swisssign.com/3	0%	Virustotal		Browse
http://cps.chambersign.org/cps/chambersroot.html	0%	Virustotal		Browse
http://crl.xrampsecurity.com/XGCA.crl0	0%	Virustotal		Browse
http://www.quovadis.bm	0%	Virustotal		Browse
https://repository.luxtrust.lu	0%	Virustotal		Browse
http://crl.chambersign.org/chambersroot.crl	0%	Virustotal		Browse
http://www.chambersign.org	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s3-r-w.eu-west-1.amazonaws.com	52.218.60.168	true	false	0%, Virustotal, Browse	unknown
soakawaypit.s3.eu-west-1.amazonaws.com	unknown	unknown	false	1%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://soakawaypit.s3.eu-west-1.amazonaws.com/server.jar	java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.xrampsecurity.com/XGCA.crl	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2162749884.000000000513A000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crl.chambersign.org/chambersroot.crl0	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://soakawaypit.s3.eu-west-1.amazonaws.com/res.jar	java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://repository.luxtrust.lu0	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://bugreport.sun.com/bugreport/	java.exe, 00000002.00000002.2171143861.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html0	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://soakawaypit.s3.eu-west-1.amazonaws.com/server1.jar	java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://soakawaypit.s3.eu-west-1.amazonaws.com/ext.jar	java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://java.oracle.com/	java.exe, 00000002.00000002.2171143861.000000000A20F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://null.oracle.com/	java.exe, 00000002.00000002.2173529549.0000000015A9A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A40B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2173529549.00000000158E4000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.chambersign.org1	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://soakawaypit.s3.eu-west-1.amazonaws.com/startup.jar	java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://repository.swisssign.com/0	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2162749884.000000000504F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A5DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://branchlock.net	Mtcn_1637256355_pdf.jar	false	1%, Virustotal, Browse	unknown
http://policy.camerfirma.com	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://repository.swisssign.com/3	java.exe, 00000002.00000002.2162749884.000000000504F000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://ocsp.quovadisoffshore.com	java.exe, 00000002.00000002.2171143861.000000000A5DC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://crl.securetrust.com/STCA.crl0	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quovadisglobal.com/cps	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://branchlock.netU	java.exe, 00000002.00000003.2113099983.0000000001078000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.securetrust.com/STCA.crl	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2162749884.000000000513A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://repository.luxtrust.lu	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.quovadisglobal.com/cps0	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://soakawaypit.s3.eu-west-1.amazonaws.com/neft.pdf	java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.quovadis.bm	java.exe, 00000002.00000002.2171143861.000000000A5DC000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://www.quovadis.bm0	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2162749884.000000000504F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A5DC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ocsp.quovadisoffshore.com0	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2162749884.000000000504F000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A5DC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.chambersign.org/chambersroot.crl	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://repository.swisssign.com/	java.exe, 00000002.00000002.2171143861.000000000A5DC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.chambersign.org	java.exe, 00000002.00000002.2171143861.000000000A645000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://soakawaypit.s3.eu-west-1.amazonaws.com/def.jar	java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://policy.camerfirma.com0	java.exe, 00000002.00000002.2171143861.000000000A514000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2171143861.000000000A4CC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://soakawaypit.s3.eu-west-1.amazonaws.com/email.js	java.exe, 00000002.00000002.2171143861.000000000A24F000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.218.60.168	s3-r-w.eu-west-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532153
Start date and time:	2024-10-12 16:38:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (Java) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Mtcn_1637256355_pdf.jar
Detection:	MAL
Classification:	mal60.expl.evad.winJAR@10/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 53% Number of executed functions: 20 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .jar Stop behavior analysis, all processes terminated

Warnings

Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.eu-west-1.amazonaws.com	http://www.ledger-secure03948.sssgva.com/	Get hash	malicious	Unknown	Browse	3.5.71.123
	https://smallpdf.com/sign-pdf/document#data=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2VzaWduLnNtYWxscGRmLXN0YWdpbmcuY29tIiwic3ViIjoiN2NmYmYzYzYtZGJhZS00MDU2LWFmNjEtZTE1OTY4NGUxZTc4IiwiYXVkIjpbImVzaWduIl0sImV4cCI6MTcyOTI1NTE2OCwibmJmIjoxNzI4MDQ1NTY4LCJpYXQiOjE3MjgwNDU1NjgsImp0aSI6IjdjZmJmM2M2LWRiYWUtNDA1Ni1hZjYxLWUxNTk2ODRlMWU3OCIsInBheWxvYWQiOnsiZW52ZWxvcGVfaWQiOiIyNDYxNDE2ZC1iYWJmLTQzMDktOTRhYy1hZWJkYzRjMmZmY2MiLCJzaWduX3JlcXVlc3RfaWQiOiI3Y2ZiZjNjNi1kYmFlLTQwNTYtYWY2MS1lMTU5Njg0ZTFlNzgiLCJ0b2tlbl90eXBlIjoibm90aWZpY2F0aW9uIiwidXNlcl9lbWFpbCI6ImZyYW5jZXMud29vZEB1a3JpLm9yZyIsInVzZXJfZmlyc3RuYW1lIjoiZnJhbmNlcy53b29kQHVrcmkub3JnIiwidXNlcl9sYXN0bmFtZSI6ImZyYW5jZXMud29vZEB1a3JpLm9yZyJ9fQ.OqxYiO2DP6wYmX2t6u3X4Qa-FIZ5J__ELTV29qKimLo&eid=2461416d-babf-4309-94ac-aebdc4c2ffcc&esrt=7cfbf3c6-dbae-4056-af61-e159684e1e78	Get hash	malicious	HTMLPhisher	Browse	3.5.66.206
	https://smallpdf.com/sign-pdf/document#data=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2VzaWduLnNtYWxscGRmLXN0YWdpbmcuY29tIiwic3ViIjoiNjE3MmQyMzMtODcyNy00M2NhLWI1NjQtYjgwZDUyZjYxYmVjIiwiYXVkIjpbImVzaWduIl0sImV4cCI6MTcyODYzODEyMCwibmJmIjoxNzI3NDI4NTIwLCJpYXQiOjE3Mjc0Mjg1MjAsImp0aSI6IjYxNzJkMjMzLTg3MjctNDNjYS1iNTY0LWI4MGQ1MmY2MWJlYyIsInBheWxvYWQiOnsiZW52ZWxvcGVfaWQiOiI2ZWRlMzFjZS00Mzc2LTQwYzItYjJjNy1jMDc2Y2M3MjY4NjIiLCJzaWduX3JlcXVlc3RfaWQiOiI2MTcyZDIzMy04NzI3LTQzY2EtYjU2NC1iODBkNTJmNjFiZWMiLCJ0b2tlbl90eXBlIjoibm90aWZpY2F0aW9uIiwidXNlcl9lbWFpbCI6ImNoYW8ud3VAd3JpLm9yZyIsInVzZXJfZmlyc3RuYW1lIjoiY2hhby53dUB3cmkub3JnIiwidXNlcl9sYXN0bmFtZSI6ImNoYW8ud3VAd3JpLm9yZyJ9fQ.UX67GiHBKgjV8XyH-SFTt_KgB2I_q2j9cbGTSqbzRvY&eid=6ede31ce-4376-40c2-b2c7-c076cc726862&esrt=6172d233-8727-43ca-b564-b80d52f61bec	Get hash	malicious	Unknown	Browse	3.5.66.42
	http://allegro-wosp-2023.4hosting2.4ourclient.com/	Get hash	malicious	Unknown	Browse	3.5.65.134
	https://f1nancier.com/?r=9d755ee7-eeac-4657-b730-d10960eca9d4&rg=eu	Get hash	malicious	Unknown	Browse	3.5.69.212
	https://f1nancier.com/?r=9d755ee7-eeac-4657-b730-d10960eca9d4&rg=eu	Get hash	malicious	Unknown	Browse	52.218.36.35
	Remittance-Slip.jar	Get hash	malicious	Branchlock Obfuscator	Browse	3.5.71.206
	passport_Copy_pdf.jar	Get hash	malicious	Branchlock Obfuscator	Browse	52.92.2.234
	http://ymc8.informz.net/z/cjUucD9taT0zOTI4MzU0JnU9NDExMjkzMTk0JmxpPTQxMDE5ODI2Jmw9aHR0cHM6Ly9iNGIwbGF0LXQzbm4xNS1jMHVyNy1iNDExMG4uczMuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb20vaW5kZXguaHRtbA==/index.html	Get hash	malicious	HTMLPhisher	Browse	52.92.18.162
	https://qrco.de.mcas-gov.ms/mysharepoint-document-invoice?McasTsid=20893&McasCSRF=fc590cd217a913ae6fe5ca1f44c85f6f9edfe2fac3a68608cef7b5feeaf0d38f	Get hash	malicious	Unknown	Browse	3.5.71.55

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	na.elf	Get hash	malicious	Unknown	Browse	54.247.62.1
	http://coin-have.c0m	Get hash	malicious	Unknown	Browse	34.210.170.212
	na.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	na.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	na.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	na.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	na.elf	Get hash	malicious	Unknown	Browse	34.254.182.186
	z198902873827.exe	Get hash	malicious	DBatLoader, FormBook	Browse	185.166.143.49
	http://myweatherradar.org./	Get hash	malicious	Unknown	Browse	34.249.211.147
	http://link.adultspace.com/link/67097a59d79290df75176b77/aHR0cHM6Ly93d3cuZnVja2Jvb2tkYXRpbmcubmV0L2VuL2F1dGg_dXNlcj00MzMwMDA4NzEmY29kZT0xZDE3OTYyMTE3YWUwMzNjN2QyOWFlOTdkZWFhZjY1MyZyZWRpcmVjdFBhZ2U9JTJGYWNjb3VudCZyZWRpcmVjdFBhZ2VQYXJhbXMlNUJ1c2VyJTVEPTQzMzAwMDg3MQ==?linkId=link_9	Get hash	malicious	Unknown	Browse	3.128.228.77

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.92611928532397
Encrypted:	false
SSDEEP:	3:oFj4I5vpm4US0bRsXyn:oJ5bER2yn
MD5:	5841566035FF98D90DE58D90347118BD
SHA1:	1842727524995F32902F30062CFD0495A5977BFC
SHA-256:	B3BE4158DD7DFFC5F471956968B6EFAA8A244658AF36337A664A979DD576CC43
SHA-512:	731AD6B08BC6780818057DD581E6CF4C44F635F02A09121921A9A7F372330DECEEF97B4A8A8E5306E8B5192D20E4CDA649A847C8619CC307F7EB38ED35D7459D
Malicious:	false
Reputation:	low
Preview:	C:\Program Files (x86)\Java\jre-1.8..1728743946582..

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6484

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3012510522145688
Encrypted:	false
SSDEEP:	96:zH+r+w8GuIsUK6eabk3sQNELeySBYH/1jo1q:zHg8GuIsUK6E8QNEL+yH/5
MD5:	E224EFE5F1CAAA2E7E83CBB2E873439F
SHA1:	1DB58EEE07FC2CADA5940F184646CE9BEEFB61B8
SHA-256:	E609A46BBA92A31648B4901DF409FCA220EACF15920E37C10F614CA86A042606
SHA-512:	993890162D762F2B8057F893BF3EFE8138151E7CBB7EF20BBA49B5CB9EE7B47E6409266781CCE96339296C79AFC857BCE7B58A6CD7A76E327E64CBF57B7D4E5D
Malicious:	false
Reputation:	low
Preview:	.........9.............. .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..9.......@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..2.......8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwlt7n:WNn
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................J2SE.

C:\cmdlinestart.log

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	3481
Entropy (8bit):	4.909649020414966
Encrypted:	false
SSDEEP:	48:j6Hv++fj1zQwLDZ25JOJYYN8oNRHsIaHsP6HDTZIhwv2:jMv++LPLDyJOJYu8eRHsIaHsPMDTZIhR
MD5:	4202AE794FADF197A277A8CB08DF32F7
SHA1:	197FA71CB016E772891E574D1EC9182E0189CFA9
SHA-256:	FB2D047756D7EB33DAA180C91588AB6B08B0A97D5D6BF8E2E6936B63B7929169
SHA-512:	92A6AC960B59D383E82EDFA0D0E17CA65EBF42336F78D85028D5CCE219D9C30EED2B8B00859D18B0FBDD7238DF006DA75008EADAC17D41F024340C0738AE279C
Malicious:	false
Preview:	javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target...at sun.security.ssl.Alert.createSSLException(Unknown Source)...at sun.security.ssl.TransportContext.fatal(Unknown Source)...at sun.security.ssl.TransportContext.fatal(Unknown Source)...at sun.security.ssl.TransportContext.fatal(Unknown Source)...at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown Source)...at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown Source)...at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown Source)...at sun.security.ssl.SSLHandshake.consume(Unknown Source)...at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)...at sun.security.ssl.HandshakeContext.dispatch(Unknown Source)...at sun.security.ssl.TransportContext.dispatch(Unknow

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	4.792083140519132
TrID:	Java Archive (13504/1) 62.80% ZIP compressed archive (8000/1) 37.20%
File name:	Mtcn_1637256355_pdf.jar
File size:	151'008 bytes
MD5:	44699ea6b454cd863c21fd8128e0fd0e
SHA1:	34bd46468b48b25238d40f67a64ad8721f967e38
SHA256:	eb51ad2218a1759fd60f956739cbb885eb2ed2422ff23659b97c2547f81cec7b
SHA512:	42cf4c6e8dd0d06b21303fb786416889d489d3c2220942f986ccf657b2db667ed7734cd49c773a408ddf85a7f74d4fce34b156145eabb7752a59b63774bf815f
SSDEEP:	384:UDxzrbA+xjbK4MhNDeDnxtpL3/380P7TnVHmWixZ7YyWxtZItYIQUmJeZ:KxAE6fhotpLv803nVGB98ERkk
TLSH:	DAE38666E44B95E43D45FE73B30CCEB76AC3255C8717D90AD0B08A6248918FEAF80DC6
File Content Preview:	PK........0oHY................META-INF/MANIFEST.MFUT...L:.g.....M..LK-...K-....R0.3..M...u.I,..R()./O-...t..K2......PK..AU..6...8...PK..........HY................J/g.class..=o.P......I.R....\|.Z;.LJaI..:.D..0.X....7..)../.......@,,...v.&..s-.#....s.y....

File Icon


Icon Hash:	d08c8e8ea2868a54

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 16:39:09.599325895 CEST	49710	443	192.168.2.6	52.218.60.168
Oct 12, 2024 16:39:09.599375963 CEST	443	49710	52.218.60.168	192.168.2.6
Oct 12, 2024 16:39:09.599445105 CEST	49710	443	192.168.2.6	52.218.60.168
Oct 12, 2024 16:39:09.847143888 CEST	49710	443	192.168.2.6	52.218.60.168
Oct 12, 2024 16:39:09.847162962 CEST	443	49710	52.218.60.168	192.168.2.6
Oct 12, 2024 16:39:10.586201906 CEST	443	49710	52.218.60.168	192.168.2.6
Oct 12, 2024 16:39:10.586313963 CEST	49710	443	192.168.2.6	52.218.60.168
Oct 12, 2024 16:39:10.586329937 CEST	443	49710	52.218.60.168	192.168.2.6
Oct 12, 2024 16:39:10.591681004 CEST	49710	443	192.168.2.6	52.218.60.168
Oct 12, 2024 16:39:10.879311085 CEST	49710	443	192.168.2.6	52.218.60.168
Oct 12, 2024 16:39:10.879338026 CEST	443	49710	52.218.60.168	192.168.2.6
Oct 12, 2024 16:39:10.988984108 CEST	49710	443	192.168.2.6	52.218.60.168
Oct 12, 2024 16:39:10.988996983 CEST	443	49710	52.218.60.168	192.168.2.6
Oct 12, 2024 16:39:10.989803076 CEST	443	49710	52.218.60.168	192.168.2.6
Oct 12, 2024 16:39:10.990418911 CEST	49710	443	192.168.2.6	52.218.60.168
Oct 12, 2024 16:39:10.991024017 CEST	49710	443	192.168.2.6	52.218.60.168
Oct 12, 2024 16:39:10.991041899 CEST	443	49710	52.218.60.168	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 12, 2024 16:39:09.581120968 CEST	50165	53	192.168.2.6	1.1.1.1
Oct 12, 2024 16:39:09.592999935 CEST	53	50165	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 12, 2024 16:39:09.581120968 CEST	192.168.2.6	1.1.1.1	0x7263	Standard query (0)	soakawaypit.s3.eu-west-1.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 12, 2024 16:39:09.592999935 CEST	1.1.1.1	192.168.2.6	0x7263	No error (0)	soakawaypit.s3.eu-west-1.amazonaws.com	s3-r-w.eu-west-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 12, 2024 16:39:09.592999935 CEST	1.1.1.1	192.168.2.6	0x7263	No error (0)	s3-r-w.eu-west-1.amazonaws.com		52.218.60.168	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:09.592999935 CEST	1.1.1.1	192.168.2.6	0x7263	No error (0)	s3-r-w.eu-west-1.amazonaws.com		3.5.66.254	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:09.592999935 CEST	1.1.1.1	192.168.2.6	0x7263	No error (0)	s3-r-w.eu-west-1.amazonaws.com		52.92.2.114	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:09.592999935 CEST	1.1.1.1	192.168.2.6	0x7263	No error (0)	s3-r-w.eu-west-1.amazonaws.com		52.218.1.24	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:09.592999935 CEST	1.1.1.1	192.168.2.6	0x7263	No error (0)	s3-r-w.eu-west-1.amazonaws.com		52.218.106.72	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:09.592999935 CEST	1.1.1.1	192.168.2.6	0x7263	No error (0)	s3-r-w.eu-west-1.amazonaws.com		52.92.0.66	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:09.592999935 CEST	1.1.1.1	192.168.2.6	0x7263	No error (0)	s3-r-w.eu-west-1.amazonaws.com		52.218.106.160	A (IP address)	IN (0x0001)	false
Oct 12, 2024 16:39:09.592999935 CEST	1.1.1.1	192.168.2.6	0x7263	No error (0)	s3-r-w.eu-west-1.amazonaws.com		52.92.35.82	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:39:05
Start date:	12/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Mtcn_1637256355_pdf.jar"" >> C:\cmdlinestart.log 2>&1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:39:05
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:39:05
Start date:	12/10/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Mtcn_1637256355_pdf.jar"
Imagebase:	0x7c0000
File size:	257'664 bytes
MD5 hash:	9DAA53BAB2ECB33DC0D9CA51552701FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000002.00000003.2113099983.0000000001078000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BranchlockObfuscator, Description: Yara detected Branchlock Obfuscator, Source: 00000002.00000002.2172947650.0000000015250000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:39:06
Start date:	12/10/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0x830000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:39:06
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:39:06
Start date:	12/10/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist.exe
Imagebase:	0xec0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:39:06
Start date:	12/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 02B09BF0 Relevance: 3.4, Strings: 2, Instructions: 855COMMON

Download Yara Rule

Strings

(=$, xrefs: 02B0A580
(B$, xrefs: 02B0A560

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002AC7000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ac7000_java.jbxd

Similarity

API ID:
String ID: (=$$(B$
API String ID: 0-1751454547
Opcode ID: 4d5baf8f985975635e6ad29ea590b78aa77da6356573f2038d2f162dbf65e64c
Instruction ID: 440ef1296d72c9d55f730ed3808643287ab39bd7c10bd31e3b93cd1c36567914
Opcode Fuzzy Hash: 4d5baf8f985975635e6ad29ea590b78aa77da6356573f2038d2f162dbf65e64c
Instruction Fuzzy Hash: F6822C75A057418FC716CF24C18471ABBE2FF89318F6689ADD9599F392CB35E842CB80

Function 02A20672 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 02A206D5

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a20000_java.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 797d99b91ce07dffead3ff367cfaf895e9b2a9c3710aa2d173e0a1d562508624
Instruction ID: 3c8ed6088d8065db99053feefdda3549347f4c795f0a5427fa0aed0e5eaf4766
Opcode Fuzzy Hash: 797d99b91ce07dffead3ff367cfaf895e9b2a9c3710aa2d173e0a1d562508624
Instruction Fuzzy Hash: 1F113AB6C0027ADFCB28CF5CC4855AEB7B1FFA8314B168525DC65A3341EB346924CB91

Function 02A2066F Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 02A206D5

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a20000_java.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 88c0446a7af5de7949776c1010f0b7de4e56f325c90ad334f59947cd2f43b44b
Instruction ID: ea0d5967a485609a6db4c993afc8655234c1217c00fe24e68b330c9bae73f3ee
Opcode Fuzzy Hash: 88c0446a7af5de7949776c1010f0b7de4e56f325c90ad334f59947cd2f43b44b
Instruction Fuzzy Hash: 681136B6D0027A8BCF28CF8CC4855AEB7B1FF58218B064569EC64A3341E734A964CB81

Function 02AFF890 Relevance: .3, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002AC7000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ac7000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e752ca34232d8504108c8afeef02e1cc6fe6a6298188a72ab7548d6d5b910714
Instruction ID: 9beab40df133a3da9c32834703f300448eb3069d1f74c6d92d820371732a18a9
Opcode Fuzzy Hash: e752ca34232d8504108c8afeef02e1cc6fe6a6298188a72ab7548d6d5b910714
Instruction Fuzzy Hash: 1EA15A316057048FC756DF64C5C061AB3F2FB89318F29886DEA85DBB94DB39E842CB81

Function 02A2D8F7 Relevance: .2, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a22000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f25c512c087025236075771d938de6719d7ccd31a1fc6d20cd97d87093f551c
Instruction ID: 0777ca7fa7a26b7c698d92a1bdad8f8457e45b3bfbc39e0564651433eede2608
Opcode Fuzzy Hash: 9f25c512c087025236075771d938de6719d7ccd31a1fc6d20cd97d87093f551c
Instruction Fuzzy Hash: 0EA18B71A05A51DFEB18CF28C5D4BAAFBB1FF49314F088199D9195B382CB74A848CF91

Function 02ABF408 Relevance: .2, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002ABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2abe000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37041f2a314b11e49a60743d5675f64a1536585235f13d45060635e7e73eee6d
Instruction ID: 60303a258bff0a7014b60a53a04f6277b81afaa27b7be15439329133353843a9
Opcode Fuzzy Hash: 37041f2a314b11e49a60743d5675f64a1536585235f13d45060635e7e73eee6d
Instruction Fuzzy Hash: 6161C8B29006519FD3668F28C9903A5FBB4FF40318F5A426EDC5557A53DB3AA816CFC0

Function 02A2D8E0 Relevance: .2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a22000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8370c60dbbdf70c22342447732a4391251ec8183ce0aa1c8601a3089e6256517
Instruction ID: b9eafe8f2b06e3fa3c845754e81de41fd7878914d2d394b33cddb81ad2c517de
Opcode Fuzzy Hash: 8370c60dbbdf70c22342447732a4391251ec8183ce0aa1c8601a3089e6256517
Instruction Fuzzy Hash: 6D61CC71604A11DFEB18CF28C5D4BAAF7B1FB48718F04819CD9095B382CB74A848CB90

Function 02A5B88F Relevance: .1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A5A000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a5a000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a9289bd73349a1919e5dc7b71ae69cec4811113b5b0bea99d61955d21f3991f
Instruction ID: 9b686ee022a04fb3ab8613101791f494936a2d15a72a20eebb3b2014c214fc3e
Opcode Fuzzy Hash: 4a9289bd73349a1919e5dc7b71ae69cec4811113b5b0bea99d61955d21f3991f
Instruction Fuzzy Hash: 2531A1B6949B806FE3134B20A6723D5BFF1BF57324F060196C89C8B753E33956298B91

Function 02B86127 Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002AC7000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ac7000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6170d7eee24cddbfd813eafa491c100ea5d80120cf663ee0501067de05f3fb7b
Instruction ID: efa750929dd177a5a91f21deb2bf1bbea3af999c516d62ab286a98ad45e6d8a9
Opcode Fuzzy Hash: 6170d7eee24cddbfd813eafa491c100ea5d80120cf663ee0501067de05f3fb7b
Instruction Fuzzy Hash: 15318BB0909786AFE725EF20C4087B9FBB4FF42308F0581ADC84857382D7346999CB92

Function 02ABF631 Relevance: .1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002ABE000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ABE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2abe000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62413eb8966013a054b5b82b0006a1d01c6d9ffdf7d24e1b9b2e795f654a740f
Instruction ID: 4cbfa74bdb61d5ee2afb95551baa72f0a0aff25030ecb4c3cec146100969096e
Opcode Fuzzy Hash: 62413eb8966013a054b5b82b0006a1d01c6d9ffdf7d24e1b9b2e795f654a740f
Instruction Fuzzy Hash: B12160765087919BE351CF2098803C6FBA2FBC0369F99062EEC9923116CB3B5459C7C2

Function 02A34CCD Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a22000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9b4bd9a32cfb00575ad81376ca5e20b0db1f3141f4de2e6767968d8717b2ef3
Instruction ID: b36e3d565d13ac77bd63992ae4d65ead580b322a00d1af550d5a10267200dc70
Opcode Fuzzy Hash: e9b4bd9a32cfb00575ad81376ca5e20b0db1f3141f4de2e6767968d8717b2ef3
Instruction Fuzzy Hash: 93F0DFB5900A06EBEB25CF64C004BEAF7B4FB88704F04420AD82C53310C7787429CBD0

Function 02A34B78 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a22000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4c1139768bc4f87c66d8edb726e240dbca067728504f529730131ef21c4e98
Instruction ID: 9b19b73dcff9bc1a441e996cc68391e48bb9641757645c51213269d7cfe96e0e
Opcode Fuzzy Hash: 8a4c1139768bc4f87c66d8edb726e240dbca067728504f529730131ef21c4e98
Instruction Fuzzy Hash: 3EF07FB6900A16EBDB258F65C0447DAFBB4BB88718F14421AD82C57350D77874698BC0

Function 02A2EC1C Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a22000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00196549652a4af62a4b5b08b9aebb2c34b418c9bf0404c14d0084046acd6cfd
Instruction ID: df0b8c9e48bccfed1656a7dbe96890e76ed766965e0af9b2249ec8b30d5519f7
Opcode Fuzzy Hash: 00196549652a4af62a4b5b08b9aebb2c34b418c9bf0404c14d0084046acd6cfd
Instruction Fuzzy Hash: 94F092B5900A16EBDB25CF65C0447DAFBB4BB88714F14421AC42C67750D778B469CBC0

Function 02A2DA35 Relevance: .0, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a22000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd2b1ad2a2bc4ed61f2fe41bd04fb1effe0e684402fc1b0fc1ff521539ac69e
Instruction ID: 6bcabf72e6229b894a30a376d6564cc4dbfa7c052d4e9fa285140cd27ec2c903
Opcode Fuzzy Hash: 1fd2b1ad2a2bc4ed61f2fe41bd04fb1effe0e684402fc1b0fc1ff521539ac69e
Instruction Fuzzy Hash: D0F0C2B6D00A16ABDB248F65C4447DAFBB4BB44714F14461AC82C67310D7787469CBC0

Function 02A349AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a22000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f4b72d770764672fd25ca4c18ea24eef121ab2c3f36a1f1beb2253054f1cd3
Instruction ID: 74fc3f442b81138aa28cb059b81c4e163414cf8cf4e31e2a7ca4f3270d0b1548
Opcode Fuzzy Hash: 39f4b72d770764672fd25ca4c18ea24eef121ab2c3f36a1f1beb2253054f1cd3
Instruction Fuzzy Hash: CEF0C2B6D00A16ABDB248F65C0447CAFBB4BB48714F14421AC42C67310D778B469CBC0

Function 02A2DE6E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a22000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 591d206b3abdbfd00e63b0ea67309dfbca4ab12974d9c77d298d8d2026d3efad
Instruction ID: ee20284e65166a25bcf71f49292bdc6c5aa064aa66ce5201c51dc3981ee90ef2
Opcode Fuzzy Hash: 591d206b3abdbfd00e63b0ea67309dfbca4ab12974d9c77d298d8d2026d3efad
Instruction Fuzzy Hash: 5FF0CAB6D00A16ABDB248F61C0447CAFBB4BB88714F14421AC82C63720DBB8B469CBD0

Function 02A2B407 Relevance: .0, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a22000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5f41e157946c754b856ecaa2a7cd5a14f993c10b38c7c7b2999547f1ee3166
Instruction ID: 781f8db245a9aed3d2aee9fa665488d31c70f9d05c1c87718fd74010cd038769
Opcode Fuzzy Hash: be5f41e157946c754b856ecaa2a7cd5a14f993c10b38c7c7b2999547f1ee3166
Instruction Fuzzy Hash: 3CF0C2B6D00A16ABDB248F65C0447CAFBB4BB44714F15421AC42C63350D7787469CBC0

Function 02A33C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a22000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff8a0711e91ad3cbb615ee8762067f1ee4d114f9a27b677a94eb09d25b18f43
Instruction ID: decbe3f701e3a1b68a2e4867510afe0f3b40e44aeb904e5c2d3dc1d8f17fc137
Opcode Fuzzy Hash: eff8a0711e91ad3cbb615ee8762067f1ee4d114f9a27b677a94eb09d25b18f43
Instruction Fuzzy Hash: E1F0C2B6D00A16ABDB248F65C0447CAFBB4BB44714F14461AC82C67310D7787469CBC0

Function 02A345E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a22000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09095eaf7c2f557b82ddb7220bd3523aff6a5fa2165d4a0c524492914e3877a0
Instruction ID: 10220dcd4f8e7e6ae3ba9bb5200e561e922ccf945216ea59bd19dfa6683569f7
Opcode Fuzzy Hash: 09095eaf7c2f557b82ddb7220bd3523aff6a5fa2165d4a0c524492914e3877a0
Instruction Fuzzy Hash: 20F0C2B6D00A16ABDB248FA5C0447CAFBB4BB44714F14461AC92C63310D7B87469CBC0

Function 02A34EF4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A22000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A22000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a22000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c9306eb77e4858559877b955631d2959aff1f58ef50a3b5ba5c472a3f1f999
Instruction ID: 480e44a2ffe9088820b167f4f722a14958e90353c83ad95fd9f50a852b8fe046
Opcode Fuzzy Hash: 90c9306eb77e4858559877b955631d2959aff1f58ef50a3b5ba5c472a3f1f999
Instruction Fuzzy Hash: 22F0C2B5D00A16ABDB24CF61C10438AF7B0BB44B14F14421AC82C63310D778B465CBC0

Non-executed Functions

Function 02BA9DD0 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002AC7000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ac7000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15431ab66ce2c6020d10faf28e4b88d38a1cfcd6ff56ef114373cd187d0bd61
Instruction ID: b4a0a208b7f03516d9c2ffdecd95c3cde95cd6756c16166eabe020c646680f9f
Opcode Fuzzy Hash: d15431ab66ce2c6020d10faf28e4b88d38a1cfcd6ff56ef114373cd187d0bd61
Instruction Fuzzy Hash: 7AE1FB75A097409FC354DF14C194619BBB2FB89314F66D9ADE8495F3A2CB36E842CF80

Function 02A203C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a20000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction ID: 1c79ae4963c29b812d3a2046a668b5ce1cda49d0d2ca9b873f3bbabdd07ad411
Opcode Fuzzy Hash: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction Fuzzy Hash: 7A21F9BA5042668FDB358F198C403D9B7E5FB58314F21882EDECDE7710D7306A898B51

Function 02ACBE36 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2162366584.0000000002AC7000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ac7000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9648e87a7b50ac75c21ce1a2cf0c962df324a7c6b7e70e3b7563904a9a40dc16
Instruction ID: 1599a2af3fb643b0ff2d5e21bc48ba12825caf1f87a71e773f4e57220c95b09e
Opcode Fuzzy Hash: 9648e87a7b50ac75c21ce1a2cf0c962df324a7c6b7e70e3b7563904a9a40dc16
Instruction Fuzzy Hash: 69F01CA240D7D08FE703872098A66D17F70DF1372474A85CBC0C0CE1A7D55A450FC722

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mtcn_1637256355_pdf.jar

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6484

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\cmdlinestart.log

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exePID: 6512, Parent PID: 6052

General

Windows Analysis Report
Mtcn_1637256355_pdf.jar

Function 02A20672 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Function 02A2066F Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Function 02AFF890 Relevance: .3, Instructions: 255
COMMON

Function 02A2D8F7 Relevance: .2, Instructions: 223
COMMON

Function 02ABF408 Relevance: .2, Instructions: 168
COMMON

Function 02A2D8E0 Relevance: .2, Instructions: 160
COMMON

Function 02A5B88F Relevance: .1, Instructions: 122
COMMON

Function 02B86127 Relevance: .1, Instructions: 76
COMMON

Function 02ABF631 Relevance: .1, Instructions: 67
COMMON

Function 02A34CCD Relevance: .0, Instructions: 22
COMMON

Function 02A34B78 Relevance: .0, Instructions: 21
COMMON

Function 02A2EC1C Relevance: .0, Instructions: 20
COMMON

Function 02A2DA35 Relevance: .0, Instructions: 18
COMMON

Function 02A2B407 Relevance: .0, Instructions: 18
COMMON