analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Crimson3.0.0.jar

Full analysis: https://app.any.run/tasks/5a67acfe-9580-4590-a550-c7b83518c8f7
Verdict: Malicious activity
Analysis date: November 16, 2019, 08:26:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

D568964FAAB371221530E93316092837

SHA1:

827A0E4BF0009422EB3CE81F23486B36FE69A99D

SHA256:

224D58CD2346D12B1AFC902CC7C8737670C543286573607D83D09075DA195B97

SSDEEP:

196608:X7gDnEvuhyfMZY7tg7xR7oM3+l+YS35OlLGgkalPZXPufeZu:X7g/hyfMg+7b7oM3wDS35OQ3sPVGfJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • javaw.exe (PID: 2308)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • javaw.exe (PID: 2308)

    • Checks for external IP

      • javaw.exe (PID: 2308)

    • Creates files in the user directory

      • javaw.exe (PID: 2308)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (36.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2014:12:25 19:21:02
ZipCRC: 0x2cdc8b21
ZipCompressedSize: 126
ZipUncompressedSize: 166
ZipFileName: META-INF/MANIFEST.MF
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
1
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start javaw.exe

Process information

PID
CMD
Path
Indicators
Parent process
2308"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\Crimson3.0.0.jar"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
explorer.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
Total events
25
Read events
24
Write events
1
Delete events
0

Modification events

(PID) Process:(2308) javaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
javaw.exe
Executable files
1
Suspicious files
0
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
2308javaw.exeC:\Users\admin\AppData\Local\Temp\Ssettings.db-journal
MD5:
SHA256:
2308javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:C0C4E73BD90CD154461F3A16E04C1A7C
SHA256:76D5F30311DECCB152FC109538CD58594CD9925BE69EA67B30CC6AEFC89FAB0A
2308javaw.exeC:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2fdbf
MD5:C8366AE350E7019AEFC9D1E6E6A498C6
SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
2308javaw.exeC:\Users\admin\AppData\Local\Temp\sqlite-3.8.7-9686518b-2f36-4494-8cf6-507935071b49-sqlitejdbc.dllexecutable
MD5:F017FCD918DCEA77C40E88210565066D
SHA256:2394696215211746215241E1255C0D4A65B462D5C057840DB8F6BC9C339B35BF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2308
javaw.exe
GET
301
104.26.15.73:80
http://freegeoip.net/xml/185.183.107.236
US
shared
2308
javaw.exe
GET
200
52.44.169.135:80
http://checkip.amazonaws.com/
US
text
16 b
shared
2308
javaw.exe
GET
403
104.26.15.73:80
http://freegeoip.net/shutdown
US
text
1.51 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2308
javaw.exe
52.44.169.135:80
checkip.amazonaws.com
Amazon.com, Inc.
US
shared
2308
javaw.exe
104.26.15.73:80
freegeoip.net
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
checkip.amazonaws.com
  • 52.44.169.135
  • 18.214.132.216
  • 34.196.181.158
  • 3.224.145.145
  • 52.55.255.113
  • 34.236.80.17
  • 18.215.65.215
  • 34.224.0.116
shared
freegeoip.net
  • 104.26.15.73
  • 104.26.14.73
shared
subterranean-security.pw
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Crimson3.0.0.jar