File name: 03324224_pdf.jar
Full analysis: https://app.any.run/tasks/2968960e-42c3-4c96-a16c-f6c284f3b407
Verdict: Malicious activity
Threats: Trojan

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim's machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: August 18, 2019, 07:53:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, trojan
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5: 6227D9B52C9BAF41AD82C7FF292EE4D4
SHA1: 1D67029261F2D72A1E7EE7330C38B4483A827723
SHA256: 4D9EF12C61B761397D00F8BBF43E30C3AE7A697C13A1467C0789EE4FD3CD27AD
SSDEEP: 3072:y6pw+dc2RXkocUzx0rXXtryf7VnZtHZDrEsLR2mMDRQgmIz9GngopXJ8RRWnQq0S:1pddcyFcRtryTj/VcmGXmw8PQq0342FK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • worker7172458875624574903.exe (PID: 4024)
      • worker7172458875624574903.exe (PID: 3344)
    • Actions looks like stealing of personal data
      • worker7172458875624574903.exe (PID: 4024)
    • Loads dropped or rewritten executable
      • worker7172458875624574903.exe (PID: 4024)
      • javaw.exe (PID: 2884)
  • SUSPICIOUS
    • Creates files in the user directory
      • javaw.exe (PID: 2884)
      • worker7172458875624574903.exe (PID: 4024)
      • powershell.exe (PID: 2652)
    • Executable content was dropped or overwritten
      • javaw.exe (PID: 2884)
      • worker7172458875624574903.exe (PID: 3344)
    • Loads Python modules
      • worker7172458875624574903.exe (PID: 4024)
    • Executes PowerShell scripts
      • worker7172458875624574903.exe (PID: 4024)
    • Reads the cookies of Google Chrome
      • javaw.exe (PID: 2884)
    • Reads the cookies of Mozilla Firefox
      • javaw.exe (PID: 2884)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 2019:08:11 20:43:14
ZipCRC: 0x98459746
ZipCompressedSize: 61
ZipUncompressedSize: 59
ZipFileName: META-INF/MANIFEST.MF
No data.
Total processes: 36
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 1

Behavior graph (process tree):
javaw.exe -> (drop and start) worker7172458875624574903.exe -> (start) worker7172458875624574903.exe -> (start) powershell.exe (no specs)

Process information

PID 2884: javaw.exe
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\03324224_pdf.jar"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: explorer.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.920.14

PID 3344: worker7172458875624574903.exe
CMD: C:\Users\admin\AppData\Local\Temp\tmp1487208727164\worker7172458875624574903.exe
Path: C:\Users\admin\AppData\Local\Temp\tmp1487208727164\worker7172458875624574903.exe
Parent process: javaw.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 4024: worker7172458875624574903.exe
CMD: C:\Users\admin\AppData\Local\Temp\tmp1487208727164\worker7172458875624574903.exe
Path: C:\Users\admin\AppData\Local\Temp\tmp1487208727164\worker7172458875624574903.exe
Parent process: worker7172458875624574903.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 2652: powershell.exe
CMD: powershell.exe /c " function get-iehistory { [CmdletBinding()] param () $shell = New-Object -ComObject Shell.Application $hist = $shell.NameSpace(34) $folder = $hist.Self $hist.Items() | foreach { if ($_.IsFolder) { $siteFolder = $_.GetFolder $siteFolder.Items() | foreach { $site = $_ if ($site.IsFolder) { $pageFolder = $site.GetFolder $pageFolder.Items() | foreach { $visit = New-Object -TypeName PSObject -Property @{ URL = $($pageFolder.GetDetailsOf($_,0)) } $visit } } } } } } get-iehistory "
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: worker7172458875624574903.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 226
Read events: 164
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 21
Suspicious files: 3
Text files: 3
Unknown types: 4

Dropped files

PID 2884 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text
MD5: E76B1CD11275887C0D1E0F4D8589204F
SHA256: DA4002EC7FC7D4BC065EE78ECDD25061669A122F0BEC03812207332B35CE7D0F

PID 3344 | worker7172458875624574903.exe | C:\Users\admin\AppData\Local\Temp\_MEI33442\_elementtree.pyd | executable
MD5: 1C143C741A5EC702BDC52EF496905662
SHA256: C2FC1A8775B9B593A07CFE6DA23ED43EA1D806A9529654A7CAB380DC0F37790A

PID 3344 | worker7172458875624574903.exe | C:\Users\admin\AppData\Local\Temp\_MEI33442\python27.dll | executable
MD5: 39A952048D2FCF4D31FF8BD9AF252249
SHA256: 71A902F0CBC1E51F930F5782E2DC6065D20F7CE536A9416BFF67CCCF83BFB93E

PID 4024 | worker7172458875624574903.exe | C:\users\admin\appdata\local\temp\4exsn3 | (no type)
MD5: (empty)
SHA256: (empty)

PID 4024 | worker7172458875624574903.exe | C:\users\admin\appdata\local\temp\ehnoqsspn | (no type)
MD5: (empty)
SHA256: (empty)

PID 2652 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J5DB2EHSMQQDGF6CUTXT.temp | (no type)
MD5: (empty)
SHA256: (empty)

PID 2884 | javaw.exe | C:\Users\admin\AppData\Local\Temp\tmp1487208727164\worker7172458875624574903.exe | executable
MD5: E3D01098E4B9FFF919EDBA7E2A8739E9
SHA256: 7071EA8AD454F54BC611C3ACEA5F08D5514C4214C1AB53E504B52A96093FDB19

PID 3344 | worker7172458875624574903.exe | C:\Users\admin\AppData\Local\Temp\_MEI33442\mein.exe.manifest | xml
MD5: E557B7F294A442645B0A70E0F5541A96
SHA256: 39C6914111FA88B6637917D431B4BD7C48E7A548D142DA2484FAF73FC5C4BFD4

PID 3344 | worker7172458875624574903.exe | C:\Users\admin\AppData\Local\Temp\_MEI33442\Microsoft.VC90.CRT.manifest | xml
MD5: 0BCAE6094FDA15852A9D5C1E1F03BB24
SHA256: 454E12BC0DED5A81B52F38D73942E9F0A1BD2073AC2E976F63A8AF115C7EA296

PID 3344 | worker7172458875624574903.exe | C:\Users\admin\AppData\Local\Temp\_MEI33442\Crypto.Cipher._AES.pyd | executable
MD5: DD3DB5480EB52E8F69D47F3B725E6BFB
SHA256: 51054F4D28782B6698B1B6510317650E797E11F87FA29FCEAF8559B6BCBF4DFE
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2884 | javaw.exe | GET | 200 | 66.171.248.178:80 | http://bot.whatismyipaddress.com/ | US | text | 12 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2884 | javaw.exe | 206.81.27.160:80 | (none) | (none) | US | malicious
2884 | javaw.exe | 66.171.248.178:80 | bot.whatismyipaddress.com | Alchemy Communications, Inc. | US | malicious

DNS requests

Domain | IP | Reputation
bot.whatismyipaddress.com | 66.171.248.178 | shared

Threats

PID | Process | Class | Message
2884 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic
2884 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic
2884 | javaw.exe | A Network Trojan was detected | MALWARE [PTsecurity] JavaPython.Stealer.Pyrogenic
2 ETPRO signatures available at the full report
No debug info