File name:

JapanWare.exe

Full analysis: https://app.any.run/tasks/fa5f4df0-d933-41ae-b3ac-464de7f39438
Verdict: Malicious activity
Threats:

Blank Grabber is an infostealer written in Python. It is designed to steal a wide array of data, such as browser login credentials, crypto wallets, Telegram sessions, and Discord tokens. It is an open-source malware, with its code available on GitHub and regularly receiving updates. Blank Grabber builder’s simple interface lets threat actors even with basic skills to deploy it and conduct attacks.

Malware Trends Tracker     >>>
Analysis date: December 01, 2024, 07:37:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
blankgrabber
stealer
discord
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

F24A1C5064EDB7E29B1F147CF2954AFA

SHA1:

93C6A7EB05781EB7FFEF9D4094847BC3876D81FC

SHA256:

0CD3EBD25CD67E8E62B887563B0FCA437080843D797D24513694E6CB712D37F0

SSDEEP:

98304:dJ3z+GmE/ZsG6TRAXfjE+DkVkFOBNdtL/tHfktEzafhOsE+XZ03SA2ibMlq0TK75:Rqxqe6rA44a+bAdjRUbdU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Application launched itself

      • JapanWare.exe (PID: 2212)

    • Process drops legitimate windows executable

      • JapanWare.exe (PID: 2212)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:12:01 07:23:35+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 172032
InitializedDataSize: 94208
UninitializedDataSize: -
EntryPoint: 0xce20
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.4355
ProductVersionNumber: 10.0.19041.4355
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Host Process for Setting Synchronization
FileVersion: 10.0.19041.4355 (WinBuild.160101.0800)
InternalName: SettingSyncHost
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: SettingSyncHost.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.4355
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
119
Monitored processes
6
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start japanware.exe no specs japanware.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
444C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\Desktop\JapanWare.exe" /f"C:\Windows\System32\cmd.exeJapanWare.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
1792\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
2212"C:\Users\admin\Desktop\JapanWare.exe" C:\Users\admin\Desktop\JapanWare.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Setting Synchronization
Version:
10.0.19041.4355 (WinBuild.160101.0800)
3848"C:\Users\admin\Desktop\JapanWare.exe" C:\Users\admin\Desktop\JapanWare.exeJapanWare.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Setting Synchronization
Version:
10.0.19041.4355 (WinBuild.160101.0800)
3984C:\WINDOWS\system32\cmd.exe /c "reg add hkcu\Software\Classes\ms-settings\shell\open\command /v "DelegateExecute" /f"C:\Windows\System32\cmd.exeJapanWare.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
4052reg add hkcu\Software\Classes\ms-settings\shell\open\command /d "C:\Users\admin\Desktop\JapanWare.exe" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
24
DNS requests
11
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
shared
GET
204
142.250.181.227:443
https://gstatic.com/generate_204
unknown
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
shared
POST
200
162.159.136.232:443
https://discord.com/api/webhooks/1312671971120513075/vUVXiVKOqjJgz78tSfQNti7dAB2punKfnntZ5WmQ-koOrJ1exJso4KIVgYpyOJz9lXfF
unknown
binary
2.40 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
184.86.251.9:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.168.100.255:138
whitelisted
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
208.95.112.1:80
ip-api.com
TUT-AS
US
shared
142.250.186.163:443
gstatic.com
GOOGLE
US
whitelisted
162.159.136.232:443
discord.com
CLOUDFLARENET
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
www.bing.com
  • 184.86.251.9
  • 184.86.251.21
  • 184.86.251.22
  • 184.86.251.19
  • 184.86.251.7
  • 184.86.251.27
  • 184.86.251.13
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.43
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
blank-d07ty.in
unknown
ip-api.com
  • 208.95.112.1
shared
gstatic.com
  • 142.250.186.163
whitelisted
discord.com
  • 162.159.136.232
  • 162.159.137.232
  • 162.159.138.232
  • 162.159.135.232
  • 162.159.128.233
whitelisted
self.events.data.microsoft.com
  • 20.189.173.12
whitelisted

Threats

PID
Process
Class
Message
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
A Network Trojan was detected
STEALER [ANY.RUN] BlankGrabber (SkochGrabber) Generic External IP Check
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
JapanWare.exe