File name: Invoice #960494.jar

Full analysis: https://app.any.run/tasks/ab605920-6203-42b7-94e3-b817daed2f36
Verdict: Malicious activity
Analysis date: November 29, 2020, 09:58:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/java-archive
File info: Java archive data (JAR)
MD5: 8078E36E51162854E12A05B482E2F5E7
SHA1: CB09C63BE4312FF8F2A2481EFAD6135037CD26F2
SHA256: 2B6470A593F15DC92C4BAFEC9CDEE03245A81F6F14072629647BA3CC2FA820C7
SSDEEP: 768:GnBq+FQxjJKJa4CieXnA9DQHJITsSNt19ypXt9D/Y30M7O3UVwj:yboj0a4BcAUuTJm/9DW5iK8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Creates files in the user directory
      • javaw.exe (PID: 2228)
    • Application launched itself
      • javaw.exe (PID: 2556)
    • Executable content was dropped or overwritten
      • javaw.exe (PID: 2228)
    • Executes JAVA applets
      • javaw.exe (PID: 2556)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • javaw.exe (PID: 2228)
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipFileName: 632487310
ZipUncompressedSize: 1297
ZipCompressedSize: 1302
ZipCRC: 0xeea276f0
ZipModifyDate: 2020:11:27 07:46:01
ZipCompression: Deflated
ZipBitFlag: 0x0808
ZipRequiredVersion: 20
Total processes: 37
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> javaw.exe -> javaw.exe -> node.exe

Process information

PID: 2556
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\Invoice #960494.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: explorer.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.920.14

PID: 2228
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar C:\Users\admin\AppData\Local\Temp\79644347.tmp
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: javaw.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Version: 8.0.920.14

PID: 3992
CMD: C:\Users\admin\node-v14.12.0-win-x86\node.exe - --hub-domain deskt.linkpc.net
Path: C:\Users\admin\node-v14.12.0-win-x86\node.exe
Parent process: javaw.exe
User: admin
Company: Node.js
Integrity Level: MEDIUM
Description: Node.js: Server-side JavaScript
Version: 14.12.0
Total events: 14
Read events: 14
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 2
Text files: 3 467
Unknown types: 7

Dropped files

PID | Process | Filename | Type
2228 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp14921809373\node-v14.12.0-win-x86\node.exe |
MD5:
SHA256:
2228 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text
MD5:096B8078F43202F5B896DFDF91CCE0A3
SHA256:84D2B1E6CC9847C920A2B17E5BFCA355398DA3CC76FE23A436E648E4440D6A50
2556 | javaw.exe | C:\Users\admin\AppData\Local\Temp\79644347.tmp | java
MD5:8078E36E51162854E12A05B482E2F5E7
SHA256:2B6470A593F15DC92C4BAFEC9CDEE03245A81F6F14072629647BA3CC2FA820C7
2556 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text
MD5:86E6D408C2BF32B21BE9B97BCD7A83C1
SHA256:12069225AC226C434A22E1869F6F2520B043AF5C071BFF79D531F3225B207E9E
2228 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp14921809373\node-v14.12.0-win-x86\node_modules\npm\bin\npx | text
MD5:F3AC8B0BCC82456D9C702DD17C232796
SHA256:99911D9C4BEBA98143FE160A55999331DD5C80038E48F23EE517A0E0DAD4BFB3
2228 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp14921809373\node-v14.12.0-win-x86\node_modules\npm\.licensee.json | text
MD5:B133415ABE39E5C1865AAD84712B3941
SHA256:66218BC67A524799BA7CCAD7C493A8D24EEED81C07BED24E0C3034ABA6014061
2228 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp14921809373\node-v14.12.0-win-x86\nodevars.bat | text
MD5:E6636C5B093F5CC13DFB7508305B8D8B
SHA256:A2B020E2F641524C6FD1B8EBBCD9EE03C7DC44009F2B78E701E773AD048BE9A5
2228 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp14921809373\node-v14.12.0-win-x86\node_etw_provider.man | text
MD5:1D51E18A7247F47245B0751F16119498
SHA256:1975AA34C1050B8364491394CEBF6E668E2337C3107712E3EECA311262C7C46F
2228 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp14921809373\node-v14.12.0-win-x86\node_modules\npm\bin\node-gyp-bin\node-gyp | text
MD5:6E25816F1EC43CA4D9DF43634F4FDC74
SHA256:EE2C0CD004287093A3767C0A31D9A0A3C4B00C0517CC974473E2B483EEF438E7
2228 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf
MD5:C8366AE350E7019AEFC9D1E6E6A498C6
SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2228 | javaw.exe | 104.20.22.46:443 | nodejs.org | Cloudflare Inc | US | shared
3992 | node.exe | 136.175.8.251:443 | deskt.linkpc.net | | | unknown

DNS requests

Domain | IP | Reputation
nodejs.org | 104.20.22.46, 104.20.23.46 | whitelisted
deskt.linkpc.net | 136.175.8.251 | malicious

Threats

1 ETPRO signature available in the full report
No debug info