analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

AZ_Minecraft_Launcher_Offline.exe

Full analysis: https://app.any.run/tasks/68d51636-9abd-45a7-8702-470b720d1750
Verdict: Malicious activity
Analysis date: July 13, 2020, 00:39:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5:

0228DAF1B7B76F3042DC71F70DBC3D3E

SHA1:

C1979D89B88C2757EC5978BBCF116E82F8636574

SHA256:

4EECDF6F86C8A1B7FB39108B86EFE0352CA2877A589902814E1A8C725368A818

SSDEEP:

12288:EYVqWlkHNrinqwOv2p1Wy8dcu3bkHTWO0WtLjt2:EqlkHNCqipWyu3bkHTWetLjt2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Creates files in the user directory

      • javaw.exe (PID: 2808)
      • javaw.exe (PID: 1920)

    • Executes JAVA applets

      • AZ_Minecraft_Launcher_Offline.exe (PID: 2080)
      • javaw.exe (PID: 2808)

    • Application launched itself

      • javaw.exe (PID: 2808)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • javaw.exe (PID: 1920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

ProductVersion: dev-SNAPSHOT
ProductName: az-downloader
OriginalFileName: az-downloader.exe
LegalCopyright: -
InternalName: az-downloader
FileVersion: dev-SNAPSHOT
FileDescription: AZ Minecraft Launcher.
CompanyName: -
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 1
OSVersion: 4
EntryPoint: 0x1290
UninitializedDataSize: 36352
InitializedDataSize: 262656
CodeSize: 24064
LinkerVersion: 2.56
PEType: PE32
TimeStamp: 2016:06:13 05:04:24+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 13-Jun-2016 03:04:24
Detected languages:
  • English - United States
  • Process Default Language
CompanyName: -
FileDescription: AZ Minecraft Launcher.
FileVersion: dev-SNAPSHOT
InternalName: az-downloader
LegalCopyright: -
OriginalFilename: az-downloader.exe
ProductName: az-downloader
ProductVersion: dev-SNAPSHOT

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 13-Jun-2016 03:04:24
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00005D70
0x00005E00
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.99288
.data
0x00007000
0x00000040
0x00000200
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.163808
.rdata
0x00008000
0x00000510
0x00000600
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.01224
.bss
0x00009000
0x00008C30
0x00000000
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x00012000
0x00000AA8
0x00000C00
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.64392
.rsrc
0x00013000
0x0003EC88
0x0003EE00
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.82796

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.29268
704
UNKNOWN
Process Default Language
RT_VERSION
2
2.25163
6
UNKNOWN
Process Default Language
RT_RCDATA
3
7.97888
49616
UNKNOWN
Process Default Language
RT_ICON
4
4.94827
296
UNKNOWN
Process Default Language
RT_ICON
5
5.28622
488
UNKNOWN
Process Default Language
RT_ICON
6
5.28314
744
UNKNOWN
Process Default Language
RT_ICON
7
4.85636
1640
UNKNOWN
Process Default Language
RT_ICON
8
5.84899
1384
UNKNOWN
Process Default Language
RT_ICON
9
6.57784
1736
UNKNOWN
Process Default Language
RT_ICON
10
3.72161
19
UNKNOWN
Process Default Language
RT_RCDATA

Imports

ADVAPI32.DLL
KERNEL32.dll
SHELL32.DLL
USER32.dll
msvcrt.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start az_minecraft_launcher_offline.exe no specs javaw.exe javaw.exe

Process information

PID
CMD
Path
Indicators
Parent process
2080"C:\Users\admin\AppData\Local\Temp\AZ_Minecraft_Launcher_Offline.exe" C:\Users\admin\AppData\Local\Temp\AZ_Minecraft_Launcher_Offline.exeexplorer.exe
User:
admin
Company:
-
Integrity Level:
MEDIUM
Description:
AZ Minecraft Launcher.
Exit code:
0
Version:
dev-SNAPSHOT
Modules
Images
c:\users\admin\appdata\local\temp\az_minecraft_launcher_offline.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
2808"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -classpath "C:\Users\admin\AppData\Local\Temp\AZ_Minecraft_Launcher_Offline.exe;anything;az-common-dev-SNAPSHOT.jar" LC:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
AZ_Minecraft_Launcher_Offline.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Exit code:
0
Version:
8.0.920.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1920"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -Xmx512m -jar C:\Users\admin\AppData\Roaming\.azlauncher\launcher.jar --downloaderVersion 1 --demoC:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
javaw.exe
User:
admin
Company:
Oracle Corporation
Integrity Level:
MEDIUM
Description:
Java(TM) Platform SE binary
Version:
8.0.920.14
Modules
Images
c:\program files\java\jre1.8.0_92\bin\javaw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
46
Read events
43
Write events
3
Delete events
0

Modification events

(PID) Process:(2808) javaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
javaw.exe
(PID) Process:(1920) javaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation:writeName:Name
Value:
javaw.exe
Executable files
9
Suspicious files
30
Text files
142
Unknown types
426

Dropped files

PID
Process
Filename
Type
2808javaw.exeC:\Users\admin\AppData\Local\Temp\imageio6169303800728512745.tmp
MD5:
SHA256:
2808javaw.exeC:\Users\admin\AppData\Roaming\.azlauncher\tmp\launcher_78d9917ba7e3710c8a1136fefbd8d028.jar
MD5:
SHA256:
1920javaw.exeC:\Users\admin\AppData\Local\Temp\imageio6063527760409196991.tmp
MD5:
SHA256:
1920javaw.exeC:\Users\admin\AppData\Local\Temp\imageio6803512433804158974.tmp
MD5:
SHA256:
1920javaw.exeC:\Users\admin\AppData\Local\Temp\imageio2921001583929362135.tmp
MD5:
SHA256:
1920javaw.exeC:\Users\admin\AppData\Local\Temp\imageio3793442992446231992.tmp
MD5:
SHA256:
1920javaw.exeC:\Users\admin\AppData\Local\Temp\imageio1544188708744410091.tmp
MD5:
SHA256:
1920javaw.exeC:\Users\admin\AppData\Local\Temp\imageio338052896114672254.tmp
MD5:
SHA256:
1920javaw.exeC:\Users\admin\AppData\Local\Temp\imageio5811084938409919762.tmp
MD5:
SHA256:
2808javaw.exeC:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamptext
MD5:34CCCB19BE4A641189479392F5AAF705
SHA256:4A916CB8BF57AAA8521F2C8E976F5CB180499BB3EFEA34A12BC8AFA77B65186D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
530
TCP/UDP connections
53
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1920
javaw.exe
GET
302
74.114.154.18:80
http://mcupdate.tumblr.com/
CA
suspicious
1920
javaw.exe
GET
200
104.24.123.225:80
http://www.azlauncher.nz/files/libraries/com/az/launcher/pvpfix/az-pvpfix/1.2/az-pvpfix-1.2.jar
US
java
762 Kb
malicious
2808
javaw.exe
GET
200
172.67.154.75:80
http://www.azlauncher.nz/files/launcher/launcher_78d9917ba7e3710c8a1136fefbd8d028.jar
US
compressed
4.11 Mb
malicious
1920
javaw.exe
GET
200
143.204.201.32:80
http://resources.download.minecraft.net/30/305371e2bbe60af6462a420db34ecf4eb2b78d8e
US
text
12.1 Kb
shared
1920
javaw.exe
GET
200
104.24.123.225:80
http://www.azlauncher.nz/files/libraries/optifine/OptiFine/1.9.4_HD_U_B6/OptiFine-1.9.4_HD_U_B6.jar
US
compressed
1.65 Mb
malicious
1920
javaw.exe
GET
200
104.24.123.225:80
http://www.azlauncher.nz/files/libraries/com/az/launcher/pvpfix/az-pvpfix/1.2/az-pvpfix-1.2.jar
US
java
762 Kb
malicious
2808
javaw.exe
GET
200
172.67.154.75:80
http://www.azlauncher.nz/files/launcher/version.md5?t=1771779
US
text
33 b
malicious
1920
javaw.exe
GET
200
52.216.101.213:80
http://assets.mojang.com/cobalt/cobalt_logo_150.PNG
US
image
14.3 Kb
shared
1920
javaw.exe
GET
200
104.24.123.225:80
http://www.azlauncher.nz/files/libraries/net/minecraft/launchwrapper/1.12/launchwrapper-1.12.jar
US
compressed
32.2 Kb
malicious
1920
javaw.exe
GET
200
143.204.201.32:80
http://resources.download.minecraft.net/1c/1c722dfd43b06c28273bc8c56d1d02c1a6ea5e48
US
ogg
8.24 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2808
javaw.exe
172.67.154.75:80
www.azlauncher.nz
US
malicious
1920
javaw.exe
216.58.212.142:443
www.google-analytics.com
Google Inc.
US
whitelisted
1920
javaw.exe
99.86.4.83:443
libraries.minecraft.net
AT&T Services, Inc.
US
suspicious
1920
javaw.exe
152.199.21.147:443
px.srvcs.tumblr.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
suspicious
1920
javaw.exe
192.0.77.40:443
assets.tumblr.com
Automattic, Inc
US
suspicious
1920
javaw.exe
152.199.19.43:443
66.media.tumblr.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1920
javaw.exe
74.114.154.18:80
mcupdate.tumblr.com
Automattic, Inc
CA
malicious
1920
javaw.exe
74.114.154.18:443
mcupdate.tumblr.com
Automattic, Inc
CA
malicious
1920
javaw.exe
99.86.2.139:443
launchermeta.mojang.com
AT&T Services, Inc.
US
unknown
1920
javaw.exe
104.24.123.225:80
www.azlauncher.nz
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
www.azlauncher.nz
  • 172.67.154.75
  • 104.24.122.225
  • 104.24.123.225
malicious
www.google-analytics.com
  • 216.58.212.142
whitelisted
launchermeta.mojang.com
  • 99.86.2.139
whitelisted
mcupdate.tumblr.com
  • 74.114.154.18
  • 74.114.154.22
suspicious
assets.tumblr.com
  • 192.0.77.40
whitelisted
66.media.tumblr.com
  • 152.199.19.43
suspicious
assets.mojang.com
  • 52.216.101.213
shared
px.srvcs.tumblr.com
  • 152.199.21.147
whitelisted
static.tumblr.com
  • 152.199.21.147
whitelisted
s3.amazonaws.com
  • 52.216.106.222
shared

Threats

PID
Process
Class
Message
2808
javaw.exe
Potentially Bad Traffic
ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs
2808
javaw.exe
A Network Trojan was detected
ET INFO JAVA - Java Archive Download
1920
javaw.exe
A Network Trojan was detected
ET INFO JAVA - Java Archive Download
1920
javaw.exe
A Network Trojan was detected
ET INFO JAVA - Java Archive Download
1920
javaw.exe
A Network Trojan was detected
ET INFO JAVA - Java Archive Download
1920
javaw.exe
A Network Trojan was detected
ET INFO JAVA - Java Archive Download
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
AZ_Minecraft_Launcher_Offline.exe