File name: | SJNB-MESH-P19060415410_pdf.jar |
Full analysis: | https://app.any.run/tasks/6077eb93-904e-44de-bb0c-d86a7ee1790c |
Verdict: | Malicious activity |
Analysis date: | June 12, 2019, 09:47:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/java-archive |
File info: | Java archive data (JAR) |
MD5: | 261CFEF96F318B8E7E1E961465328577 |
SHA1: | 6F4654DECDE2AE0902EDD07FE95C0DABD1978811 |
SHA256: | 3554DA250F587CC07B4DC6FACE517C77EA5FA7F7D4F83607EB8A9DEDA4231439 |
SSDEEP: | 6144:nvvvuw19dB5oRi6HjHAYEZEjdBzAi4JfCaMuPq0+WY9zzrg095J:v11Dci0oeR5Ai4JK18q0S37 |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | META-INF/MANIFEST.MF |
---|---|
ZipUncompressedSize: | 65 |
ZipCompressedSize: | 67 |
ZipCRC: | 0x1eb04602 |
ZipModifyDate: | 2019:06:10 07:18:28 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0808 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2956 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\SJNB-MESH-P19060415410_pdf.jar.zip" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | — | explorer.exe |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 | ||||
3040 | cmd.exe /c C:\Users\admin\AppData\Local\Temp\1374294449072_7433928953492942139.pdf | C:\Windows\system32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3104 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\1374294343281_3246824361940206088.jar" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | javaw.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14 | ||||
3424 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\1374294449072_7433928953492942139.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | cmd.exe | |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
3028 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\1374294449072_7433928953492942139.pdf" | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641 | ||||
3260 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | AcroRd32.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
2856 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3260.0.1614991664\867697769" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
3592 | "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3260.1.1061943202\699832050" --allow-no-sandbox-job /prefetch:673131151 | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | — | RdrCEF.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe RdrCEF Version: 15.23.20053.211670 | ||||
2828 | C:\Users\admin\AppData\Local\Temp\tmp1384634636828\python5851450334535684914.exe | C:\Users\admin\AppData\Local\Temp\tmp1384634636828\python5851450334535684914.exe | javaw.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3864 | C:\Users\admin\AppData\Local\Temp\tmp1384634636828\python5851450334535684914.exe | C:\Users\admin\AppData\Local\Temp\tmp1384634636828\python5851450334535684914.exe | — | python5851450334535684914.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
(PID) Process: | (3028) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\ExitSection |
Operation: | write | Name: | bLastExitNormal |
Value: 0 | |||
(PID) Process: | (3028) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\AVGeneral |
Operation: | write | Name: | bExpandRHPInViewer |
Value: 1 | |||
(PID) Process: | (3424) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (3424) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000006E000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
(PID) Process: | (3424) AcroRd32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3424) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3424) AcroRd32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3252) AdobeARM.exe | Key: | HKEY_CURRENT_USER\Software\Adobe\Adobe ARM\1.0\ARM |
Operation: | write | Name: | iSpeedLauncherLogonTime |
Value: 90062E4340F0D401 | |||
(PID) Process: | (3252) AdobeARM.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3252) AdobeARM.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3028 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | |
MD5:— | SHA256:— | |||
2956 | javaw.exe | C:\Users\admin\AppData\Local\Temp\1374294449072_7433928953492942139.pdf | ||
MD5:38AC5B30BF85501F678FB8286C704379 | SHA256:2CD51A84BA6967752A68F0DACDCF7F5F158AAF0B6384E82D432E171821DF280B | |||
3104 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:3853477455CF67CA53AFBEACC47E9332 | SHA256:044691B3DD385220327022E868762E795054A5128F8BD652012FADEC861A9AFE | |||
2956 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:76A02346EF3B0596D33C89A708DC8B8F | SHA256:53BFC9470F211F10F7617142A4F85E0880062FF62CFAAE58EA47F34EE4BEE8E2 | |||
3028 | AcroRd32.exe | C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin | binary | |
MD5:9AF9570F52CE2D5A24C119823B05D90B | SHA256:913B0B5A310BC01F4DF8CC2D9183EC99A6D95D3980D6875CD592688934DB8163 | |||
3028 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages | sqlite | |
MD5:0B8BDBB076B08E5036ED7E9D59564860 | SHA256:60E1FE70C2C455F22D9BE3E19CAB4FF36C4D12D92B5058EE5CE71A8C8373E3EB | |||
2956 | javaw.exe | C:\Users\admin\AppData\Local\Temp\1374294343281_3246824361940206088.jar | java | |
MD5:5F2E2AC036D6CC97D7D6A91294F52AAF | SHA256:84EE2BC6E59F0FDF76BB29F031FDF086D757A52837E9A673226E5EBA3E8D0902 | |||
3104 | javaw.exe | C:\Users\admin\AppData\Local\Temp\tmp1384634636828\python5851450334535684914.exe | executable | |
MD5:F88F40A3A528CB0F1EDF613FD13E8A76 | SHA256:CBC72DCE1F78B27C025B0BBA167EAB69E6FAC1A04DBB10BFA019F2E6DDFECF14 | |||
2828 | python5851450334535684914.exe | C:\Users\admin\AppData\Local\Temp\_MEI28282\_elementtree.pyd | executable | |
MD5:1C143C741A5EC702BDC52EF496905662 | SHA256:C2FC1A8775B9B593A07CFE6DA23ED43EA1D806A9529654A7CAB380DC0F37790A | |||
2956 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | dbf | |
MD5:C8366AE350E7019AEFC9D1E6E6A498C6 | SHA256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3424 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | unknown | — | — | whitelisted |
3424 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | unknown | — | — | whitelisted |
3424 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip | unknown | — | — | whitelisted |
3424 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | unknown | — | — | whitelisted |
3424 | AcroRd32.exe | GET | 304 | 2.16.186.33:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 104.111.214.232:443 | ardownload2.adobe.com | Akamai International B.V. | NL | whitelisted |
3104 | javaw.exe | 157.230.178.244:80 | — | Joao Carlos de Almeida Silveira trading as Bitcanal | US | malicious |
— | — | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
3424 | AcroRd32.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
3424 | AcroRd32.exe | 2.16.186.33:80 | acroipm2.adobe.com | Akamai International B.V. | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
acroipm2.adobe.com |
| whitelisted |
armmf.adobe.com |
| whitelisted |
ardownload2.adobe.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3104 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic |
3104 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic |
3104 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic |
3104 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic |
3104 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic |