File name: javaw.exe

Full analysis: https://app.any.run/tasks/be291f74-a3e8-43fe-bd74-c4baeafb05a5
Verdict: Malicious activity
Threats:

BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.

Analysis date: July 20, 2024, 13:05:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: ransomware, bluesky, scan, smb
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D8A44D2ED34B5FEE7C8E24D998F805D9
SHA1: D8369CB0D8CCEC95B2A49BA34AA7749B60998661
SHA256: 3E035F2D7D30869CE53171EF5A0F761BFB9C14D94D9FE6DA385E20B8D96DC2FB
SSDEEP: 1536:wBrE2D2ZjyKBQs8swOVWCqBTXdXu3+MkNCMm2i9w4:iBD2RfQ/7OVWS3+1rm2i9w4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start: javaw.exe (PID: 3272)
    • Attempting to scan the network: javaw.exe (PID: 3272)
    • Bluesky note has been found: javaw.exe (PID: 3272)
    • Renames files like ransomware: javaw.exe (PID: 3272)
  • SUSPICIOUS
    • Reads the date of Windows installation: javaw.exe (PID: 3272)
    • Potential Corporate Privacy Violation: javaw.exe (PID: 3272)
    • Creates files like ransomware instruction: javaw.exe (PID: 3272)
  • INFO
    • Checks supported languages: javaw.exe (PID: 3272)
    • Reads the computer name: javaw.exe (PID: 3272)
    • Reads the machine GUID from the registry: javaw.exe (PID: 3272)
    • Manual execution by a user: rundll32.exe (PID: 3176)
    • Dropped object may contain TOR URLs: javaw.exe (PID: 3272)
    • Creates files or folders in the user directory: javaw.exe (PID: 3272)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9%)
.exe | Generic Win/DOS Executable (23.5%)
.exe | DOS Executable Generic (23.5%)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2085:02:07 16:05:31+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 94.8
CodeSize: 67584
InitializedDataSize: 7168
UninitializedDataSize: -
EntryPoint: 0xe880
OSVersion: 5.1
ImageVersion: 48623.16013
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown: javaw.exe (#BLUESKY), rundll32.exe (no specs)

Process information

PID: 3176
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\leeintroduction.png.bluesky
Path: C:\Windows\System32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

PID: 3272
CMD: "C:\Users\admin\AppData\Local\Temp\javaw.exe"
Path: C:\Users\admin\AppData\Local\Temp\javaw.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (Images):
c:\users\admin\appdata\local\temp\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
Total events: 2,545
Read events: 2,541
Write events: 4
Delete events: 0

Modification events

(PID) Process: (3272) javaw.exe
Key: HKEY_CURRENT_USER\Software\9763CCC75B33F1BA24ABCB533E4CE199
Operation: write
Name: RECOVERYBLOB
Value: 7BEE250A7CBE69E4E41D00206640BE8B4F51A6F1B565F0C4E1F2BA94AA71A2C434C23364D7189F748066041C7153E3CC256C585EBC63702879627AA0565924AEB30726014B07EB3AC725395C1F22E3FF7B2D05B8BD4EF4F7EF8A07D7CA372B7A6B52BB60768B51610D92B8AE0ECF31504A0B3B31AA76C047

(PID) Process: (3272) javaw.exe
Key: HKEY_CURRENT_USER\Software\9763CCC75B33F1BA24ABCB533E4CE199
Operation: write
Name: x25519_public
Value: 11F288D93DA07ABDB2F7B7329A43923BDC5C58FFB676A225F17C06433A45C118

(PID) Process: (3272) javaw.exe
Key: HKEY_CURRENT_USER\Software\9763CCC75B33F1BA24ABCB533E4CE199
Operation: write
Name: completed
Value: 0

(PID) Process: (3272) javaw.exe
Key: HKEY_CURRENT_USER\Software\9763CCC75B33F1BA24ABCB533E4CE199
Operation: write
Name: completed
Value: 1
Executable files: 0
Suspicious files: 139
Text files: 104
Unknown types: 7

Dropped files

Columns: PID | Process | Filename | Type

3272 | javaw.exe | C:\users\admin\# DECRYPT FILES BLUESKY #.txt | text
MD5: C02FEEC978FAC9B49ECBD3CA09C9F10B
SHA256: 62B41D560EBB717226C42D4E2226C70D747A241233536CADBDB71BE84D343B36

3272 | javaw.exe | C:\users\admin\.oracle_jre_usage\# DECRYPT FILES BLUESKY #.html | html
MD5: 4D3C7424C8D8B763BECED08ECC0FB356
SHA256: 9FCA7AE30677D8DA808F227B87B5553A92E4F4EA50F5EA04A57725D569B1E826

3272 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.bluesky | binary
MD5: 547C23588D7EB23A93FC542DEBDD3D84
SHA256: 497F1693E5DB1B79A4FFA47F0DC6E14516050B2B768DCA11E5532A15BD1AC96E

3272 | javaw.exe | C:\users\admin\# DECRYPT FILES BLUESKY #.html | html
MD5: 4D3C7424C8D8B763BECED08ECC0FB356
SHA256: 9FCA7AE30677D8DA808F227B87B5553A92E4F4EA50F5EA04A57725D569B1E826

3272 | javaw.exe | C:\Users\admin\AppData\Local\VirtualStore\# DECRYPT FILES BLUESKY #.html | html
MD5: 4D3C7424C8D8B763BECED08ECC0FB356
SHA256: 9FCA7AE30677D8DA808F227B87B5553A92E4F4EA50F5EA04A57725D569B1E826

3272 | javaw.exe | C:\users\admin\desktop\# DECRYPT FILES BLUESKY #.txt | text
MD5: C02FEEC978FAC9B49ECBD3CA09C9F10B
SHA256: 62B41D560EBB717226C42D4E2226C70D747A241233536CADBDB71BE84D343B36

3272 | javaw.exe | C:\Users\admin\AppData\Local\VirtualStore\# DECRYPT FILES BLUESKY #.txt | text
MD5: C02FEEC978FAC9B49ECBD3CA09C9F10B
SHA256: 62B41D560EBB717226C42D4E2226C70D747A241233536CADBDB71BE84D343B36

3272 | javaw.exe | C:\msocache\# DECRYPT FILES BLUESKY #.html | html
MD5: 4D3C7424C8D8B763BECED08ECC0FB356
SHA256: 9FCA7AE30677D8DA808F227B87B5553A92E4F4EA50F5EA04A57725D569B1E826

3272 | javaw.exe | C:\users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | binary
MD5: 547C23588D7EB23A93FC542DEBDD3D84
SHA256: 497F1693E5DB1B79A4FFA47F0DC6E14516050B2B768DCA11E5532A15BD1AC96E

3272 | javaw.exe | C:\users\admin\contacts\# DECRYPT FILES BLUESKY #.txt | text
MD5: C02FEEC978FAC9B49ECBD3CA09C9F10B
SHA256: 62B41D560EBB717226C42D4E2226C70D747A241233536CADBDB71BE84D343B36
HTTP(S) requests: 4
TCP/UDP connections: 270
DNS requests: 5
Threats: 1

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (rows list only the non-empty cells)

1372 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1372 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | whitelisted
1372 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1060 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6db8a07497701bb0 | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (rows list only the non-empty cells)

1372 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
1372 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
224.0.0.252:5355 | whitelisted
1372 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
1372 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
1060 | svchost.exe | 224.0.0.252:5355 | whitelisted
192.168.100.162:49238 | unknown
192.168.100.162:49239 | unknown

DNS requests

Columns: Domain | IP | Reputation

settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
google.com | 142.250.185.206 | whitelisted

Threats

Columns: PID | Process | Class | Message

3272 | javaw.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers inside a home network.
No debug info