File name: SJNB-MESH-P19060415410_pdf.jar

Full analysis: https://app.any.run/tasks/6077eb93-904e-44de-bb0c-d86a7ee1790c
Verdict: Malicious activity
Analysis date: June 12, 2019, 09:47:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/java-archive
File info: Java archive data (JAR)
MD5: 261CFEF96F318B8E7E1E961465328577
SHA1: 6F4654DECDE2AE0902EDD07FE95C0DABD1978811
SHA256: 3554DA250F587CC07B4DC6FACE517C77EA5FA7F7D4F83607EB8A9DEDA4231439
SSDEEP: 6144:nvvvuw19dB5oRi6HjHAYEZEjdBzAi4JfCaMuPq0+WY9zzrg095J:v11Dci0oeR5Ai4JK18q0S37

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • python5851450334535684914.exe (PID: 3864)
      • python5851450334535684914.exe (PID: 2828)
      • python5851450334535684914.exe (PID: 3100)
      • python5851450334535684914.exe (PID: 1884)
      • python5851450334535684914.exe (PID: 3780)
      • python5851450334535684914.exe (PID: 2776)
      • python5851450334535684914.exe (PID: 3172)
      • python5851450334535684914.exe (PID: 4088)
      • python5851450334535684914.exe (PID: 2480)
      • python5851450334535684914.exe (PID: 3432)
    • Loads dropped or rewritten executable

      • python5851450334535684914.exe (PID: 3864)
      • python5851450334535684914.exe (PID: 3100)
      • python5851450334535684914.exe (PID: 2776)
      • python5851450334535684914.exe (PID: 2480)
      • python5851450334535684914.exe (PID: 4088)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 2956)
    • Creates files in the user directory

      • javaw.exe (PID: 2956)
    • Application launched itself

      • javaw.exe (PID: 2956)
      • python5851450334535684914.exe (PID: 3780)
    • Executes JAVA applets

      • javaw.exe (PID: 2956)
    • Executable content was dropped or overwritten

      • javaw.exe (PID: 3104)
      • python5851450334535684914.exe (PID: 2828)
      • python5851450334535684914.exe (PID: 1884)
      • python5851450334535684914.exe (PID: 3780)
      • python5851450334535684914.exe (PID: 3172)
    • Loads Python modules

      • python5851450334535684914.exe (PID: 3864)
      • python5851450334535684914.exe (PID: 3100)
      • python5851450334535684914.exe (PID: 2776)
      • python5851450334535684914.exe (PID: 4088)
      • python5851450334535684914.exe (PID: 2480)
    • Creates files in the program directory

      • AdobeARM.exe (PID: 3252)
  • INFO

    • Application launched itself

      • AcroRd32.exe (PID: 3424)
      • RdrCEF.exe (PID: 3260)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: META-INF/MANIFEST.MF
ZipUncompressedSize: 65
ZipCompressedSize: 67
ZipCRC: 0x1eb04602
ZipModifyDate: 2019:06:10 07:18:28
ZipCompression: Deflated
ZipBitFlag: 0x0808
ZipRequiredVersion: 20
Total processes: 58
Monitored processes: 20
Malicious processes: 10
Suspicious processes: 2

Behavior graph (interactive graph in the full report; processes shown: javaw.exe, cmd.exe, acrord32.exe, rdrcef.exe, python5851450334535684914.exe, adobearm.exe, reader_sl.exe)

Process information

PID: 2956
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\SJNB-MESH-P19060415410_pdf.jar.zip"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: explorer.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.920.14

PID: 3040
CMD: cmd.exe /c C:\Users\admin\AppData\Local\Temp\1374294449072_7433928953492942139.pdf
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3104
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\1374294343281_3246824361940206088.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: javaw.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Version: 8.0.920.14

PID: 3424
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\1374294449072_7433928953492942139.pdf"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: cmd.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Acrobat Reader DC
Version: 15.23.20070.215641

PID: 3028
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\1374294449072_7433928953492942139.pdf"
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe Acrobat Reader DC
Version: 15.23.20070.215641

PID: 3260
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe RdrCEF
Version: 15.23.20053.211670

PID: 2856
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3260.0.1614991664\867697769" --allow-no-sandbox-job /prefetch:673131151
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Version: 15.23.20053.211670

PID: 3592
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3260.1.1061943202\699832050" --allow-no-sandbox-job /prefetch:673131151
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Parent process: RdrCEF.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe RdrCEF
Version: 15.23.20053.211670

PID: 2828
CMD: C:\Users\admin\AppData\Local\Temp\tmp1384634636828\python5851450334535684914.exe
Path: C:\Users\admin\AppData\Local\Temp\tmp1384634636828\python5851450334535684914.exe
Parent process: javaw.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3864
CMD: C:\Users\admin\AppData\Local\Temp\tmp1384634636828\python5851450334535684914.exe
Path: C:\Users\admin\AppData\Local\Temp\tmp1384634636828\python5851450334535684914.exe
Parent process: python5851450334535684914.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Total events: 571
Read events: 538
Write events: 33
Delete events: 0

Modification events

(PID) Process: (3028) AcroRd32.exe
Key: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection
Operation: write
Name: bLastExitNormal
Value: 0

(PID) Process: (3028) AcroRd32.exe
Key: HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral
Operation: write
Name: bExpandRHPInViewer
Value: 1

(PID) Process: (3424) AcroRd32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3424) AcroRd32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: (not captured)

(PID) Process: (3424) AcroRd32.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3424) AcroRd32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3424) AcroRd32.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (3252) AdobeARM.exe
Key: HKEY_CURRENT_USER\Software\Adobe\Adobe ARM\1.0\ARM
Operation: write
Name: iSpeedLauncherLogonTime
Value: 90062E4340F0D401

(PID) Process: (3252) AdobeARM.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3252) AdobeARM.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1
Executable files: 70
Suspicious files: 2
Text files: 27
Unknown types: 13

Dropped files

PID: 3028
Process: AcroRd32.exe
Filename: C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
Type:
MD5:
SHA256:

PID: 2956
Process: javaw.exe
Filename: C:\Users\admin\AppData\Local\Temp\1374294449072_7433928953492942139.pdf
Type: pdf
MD5: 38AC5B30BF85501F678FB8286C704379
SHA256: 2CD51A84BA6967752A68F0DACDCF7F5F158AAF0B6384E82D432E171821DF280B

PID: 3104
Process: javaw.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5: 3853477455CF67CA53AFBEACC47E9332
SHA256: 044691B3DD385220327022E868762E795054A5128F8BD652012FADEC861A9AFE

PID: 2956
Process: javaw.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5: 76A02346EF3B0596D33C89A708DC8B8F
SHA256: 53BFC9470F211F10F7617142A4F85E0880062FF62CFAAE58EA47F34EE4BEE8E2

PID: 3028
Process: AcroRd32.exe
Filename: C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin
Type: binary
MD5: 9AF9570F52CE2D5A24C119823B05D90B
SHA256: 913B0B5A310BC01F4DF8CC2D9183EC99A6D95D3980D6875CD592688934DB8163

PID: 3028
Process: AcroRd32.exe
Filename: C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Type: sqlite
MD5: 0B8BDBB076B08E5036ED7E9D59564860
SHA256: 60E1FE70C2C455F22D9BE3E19CAB4FF36C4D12D92B5058EE5CE71A8C8373E3EB

PID: 2956
Process: javaw.exe
Filename: C:\Users\admin\AppData\Local\Temp\1374294343281_3246824361940206088.jar
Type: java
MD5: 5F2E2AC036D6CC97D7D6A91294F52AAF
SHA256: 84EE2BC6E59F0FDF76BB29F031FDF086D757A52837E9A673226E5EBA3E8D0902

PID: 3104
Process: javaw.exe
Filename: C:\Users\admin\AppData\Local\Temp\tmp1384634636828\python5851450334535684914.exe
Type: executable
MD5: F88F40A3A528CB0F1EDF613FD13E8A76
SHA256: CBC72DCE1F78B27C025B0BBA167EAB69E6FAC1A04DBB10BFA019F2E6DDFECF14

PID: 2828
Process: python5851450334535684914.exe
Filename: C:\Users\admin\AppData\Local\Temp\_MEI28282\_elementtree.pyd
Type: executable
MD5: 1C143C741A5EC702BDC52EF496905662
SHA256: C2FC1A8775B9B593A07CFE6DA23ED43EA1D806A9529654A7CAB380DC0F37790A

PID: 2956
Process: javaw.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f
Type: dbf
MD5: C8366AE350E7019AEFC9D1E6E6A498C6
SHA256: 11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
HTTP(S) requests: 5
TCP/UDP connections: 11
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3424 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | | unknown | | whitelisted
3424 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | | unknown | | whitelisted
3424 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip | | unknown | | whitelisted
3424 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | | unknown | | whitelisted
3424 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip | | unknown | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 104.111.214.232:443 | ardownload2.adobe.com | Akamai International B.V. | NL | whitelisted
3104 | javaw.exe | 157.230.178.244:80 | | Joao Carlos de Almeida Silveira trading as Bitcanal | US | malicious
| | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | | whitelisted
3424 | AcroRd32.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | | whitelisted
3424 | AcroRd32.exe | 2.16.186.33:80 | acroipm2.adobe.com | Akamai International B.V. | | whitelisted

DNS requests

Domain | IP | Reputation
acroipm2.adobe.com | 2.16.186.33, 2.16.186.32, 2.16.186.26 | whitelisted
armmf.adobe.com | 2.18.233.74 | whitelisted
ardownload2.adobe.com | 104.111.214.232 | whitelisted

Threats

PID | Process | Class | Message
3104 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic
3104 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic
3104 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic
3104 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic
3104 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic
No debug info