Field | Value |
---|---|
Download: | AZ_Minecraft_Launcher_Offline.exe |
Full analysis: | https://app.any.run/tasks/68d51636-9abd-45a7-8702-470b720d1750 |
Verdict: | Malicious activity |
Analysis date: | July 13, 2020, 00:39:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows |
MD5: | 0228DAF1B7B76F3042DC71F70DBC3D3E |
SHA1: | C1979D89B88C2757EC5978BBCF116E82F8636574 |
SHA256: | 4EECDF6F86C8A1B7FB39108B86EFE0352CA2877A589902814E1A8C725368A818 |
SSDEEP: | 12288:EYVqWlkHNrinqwOv2p1Wy8dcu3bkHTWO0WtLjt2:EqlkHNCqipWyu3bkHTWetLjt2 |

Extension | Detected type (probability) |
---|---|
.exe | Win32 Executable MS Visual C++ (generic) (41) |
.exe | Win64 Executable (generic) (36.3) |
.dll | Win32 Dynamic Link Library (generic) (8.6) |
.exe | Win32 Executable (generic) (5.9) |
.exe | Win16/32 Executable Delphi generic (2.7) |

Field | Value |
---|---|
ProductVersion: | dev-SNAPSHOT |
ProductName: | az-downloader |
OriginalFileName: | az-downloader.exe |
LegalCopyright: | - |
InternalName: | az-downloader |
FileVersion: | dev-SNAPSHOT |
FileDescription: | AZ Minecraft Launcher. |
CompanyName: | - |
CharacterSet: | Windows, Latin1 |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT |
FileFlags: | (none) |
FileFlagsMask: | 0x0000 |
ProductVersionNumber: | 1.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | 1 |
OSVersion: | 4 |
EntryPoint: | 0x1290 |
UninitializedDataSize: | 36352 |
InitializedDataSize: | 262656 |
CodeSize: | 24064 |
LinkerVersion: | 2.56 |
PEType: | PE32 |
TimeStamp: | 2016:06:13 05:04:24+02:00 |
MachineType: | Intel 386 or later, and compatibles |

Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 13-Jun-2016 03:04:24 |
Detected languages: | |

Field | Value |
---|---|
CompanyName: | - |
FileDescription: | AZ Minecraft Launcher. |
FileVersion: | dev-SNAPSHOT |
InternalName: | az-downloader |
LegalCopyright: | - |
OriginalFilename: | az-downloader.exe |
ProductName: | az-downloader |
ProductVersion: | dev-SNAPSHOT |

Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |

Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 13-Jun-2016 03:04:24 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00005D70 | 0x00005E00 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.99288 |
.data | 0x00007000 | 0x00000040 | 0x00000200 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.163808 |
.rdata | 0x00008000 | 0x00000510 | 0x00000600 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.01224 |
.bss | 0x00009000 | 0x00008C30 | 0x00000000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00012000 | 0x00000AA8 | 0x00000C00 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.64392 |
.rsrc | 0x00013000 | 0x0003EC88 | 0x0003EE00 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.82796 |

Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.29268 | 704 | UNKNOWN | Process Default Language | RT_VERSION |
2 | 2.25163 | 6 | UNKNOWN | Process Default Language | RT_RCDATA |
3 | 7.97888 | 49616 | UNKNOWN | Process Default Language | RT_ICON |
4 | 4.94827 | 296 | UNKNOWN | Process Default Language | RT_ICON |
5 | 5.28622 | 488 | UNKNOWN | Process Default Language | RT_ICON |
6 | 5.28314 | 744 | UNKNOWN | Process Default Language | RT_ICON |
7 | 4.85636 | 1640 | UNKNOWN | Process Default Language | RT_ICON |
8 | 5.84899 | 1384 | UNKNOWN | Process Default Language | RT_ICON |
9 | 6.57784 | 1736 | UNKNOWN | Process Default Language | RT_ICON |
10 | 3.72161 | 19 | UNKNOWN | Process Default Language | RT_RCDATA |

Imported DLL |
---|
ADVAPI32.DLL |
KERNEL32.dll |
SHELL32.DLL |
USER32.dll |
msvcrt.dll |

PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2080 | "C:\Users\admin\AppData\Local\Temp\AZ_Minecraft_Launcher_Offline.exe" | C:\Users\admin\AppData\Local\Temp\AZ_Minecraft_Launcher_Offline.exe | — | explorer.exe | User: admin; Company: -; Integrity Level: MEDIUM; Description: AZ Minecraft Launcher.; Exit code: 0; Version: dev-SNAPSHOT |
2808 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -classpath "C:\Users\admin\AppData\Local\Temp\AZ_Minecraft_Launcher_Offline.exe;anything;az-common-dev-SNAPSHOT.jar" L | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | | AZ_Minecraft_Launcher_Offline.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.920.14 |
1920 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -Xmx512m -jar C:\Users\admin\AppData\Roaming\.azlauncher\launcher.jar --downloaderVersion 1 --demo | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.920.14 |

PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
2808 | javaw.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name | javaw.exe |
1920 | javaw.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name | javaw.exe |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2808 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio6169303800728512745.tmp | — | — | — |
2808 | javaw.exe | C:\Users\admin\AppData\Roaming\.azlauncher\tmp\launcher_78d9917ba7e3710c8a1136fefbd8d028.jar | — | — | — |
1920 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio6063527760409196991.tmp | — | — | — |
1920 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio6803512433804158974.tmp | — | — | — |
1920 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio2921001583929362135.tmp | — | — | — |
1920 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio3793442992446231992.tmp | — | — | — |
1920 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio1544188708744410091.tmp | — | — | — |
1920 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio338052896114672254.tmp | — | — | — |
1920 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio5811084938409919762.tmp | — | — | — |
2808 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | 34CCCB19BE4A641189479392F5AAF705 | 4A916CB8BF57AAA8521F2C8E976F5CB180499BB3EFEA34A12BC8AFA77B65186D |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1920 | javaw.exe | GET | 302 | 74.114.154.18:80 | http://mcupdate.tumblr.com/ | CA | — | — | suspicious |
1920 | javaw.exe | GET | 200 | 104.24.123.225:80 | http://www.azlauncher.nz/files/libraries/com/az/launcher/pvpfix/az-pvpfix/1.2/az-pvpfix-1.2.jar | US | java | 762 Kb | malicious |
2808 | javaw.exe | GET | 200 | 172.67.154.75:80 | http://www.azlauncher.nz/files/launcher/launcher_78d9917ba7e3710c8a1136fefbd8d028.jar | US | compressed | 4.11 Mb | malicious |
1920 | javaw.exe | GET | 200 | 143.204.201.32:80 | http://resources.download.minecraft.net/30/305371e2bbe60af6462a420db34ecf4eb2b78d8e | US | text | 12.1 Kb | shared |
1920 | javaw.exe | GET | 200 | 104.24.123.225:80 | http://www.azlauncher.nz/files/libraries/optifine/OptiFine/1.9.4_HD_U_B6/OptiFine-1.9.4_HD_U_B6.jar | US | compressed | 1.65 Mb | malicious |
1920 | javaw.exe | GET | 200 | 104.24.123.225:80 | http://www.azlauncher.nz/files/libraries/com/az/launcher/pvpfix/az-pvpfix/1.2/az-pvpfix-1.2.jar | US | java | 762 Kb | malicious |
2808 | javaw.exe | GET | 200 | 172.67.154.75:80 | http://www.azlauncher.nz/files/launcher/version.md5?t=1771779 | US | text | 33 b | malicious |
1920 | javaw.exe | GET | 200 | 52.216.101.213:80 | http://assets.mojang.com/cobalt/cobalt_logo_150.PNG | US | image | 14.3 Kb | shared |
1920 | javaw.exe | GET | 200 | 104.24.123.225:80 | http://www.azlauncher.nz/files/libraries/net/minecraft/launchwrapper/1.12/launchwrapper-1.12.jar | US | compressed | 32.2 Kb | malicious |
1920 | javaw.exe | GET | 200 | 143.204.201.32:80 | http://resources.download.minecraft.net/1c/1c722dfd43b06c28273bc8c56d1d02c1a6ea5e48 | US | ogg | 8.24 Kb | shared |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2808 | javaw.exe | 172.67.154.75:80 | www.azlauncher.nz | — | US | malicious |
1920 | javaw.exe | 216.58.212.142:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
1920 | javaw.exe | 99.86.4.83:443 | libraries.minecraft.net | AT&T Services, Inc. | US | suspicious |
1920 | javaw.exe | 152.199.21.147:443 | px.srvcs.tumblr.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious |
1920 | javaw.exe | 192.0.77.40:443 | assets.tumblr.com | Automattic, Inc | US | suspicious |
1920 | javaw.exe | 152.199.19.43:443 | 66.media.tumblr.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1920 | javaw.exe | 74.114.154.18:80 | mcupdate.tumblr.com | Automattic, Inc | CA | malicious |
1920 | javaw.exe | 74.114.154.18:443 | mcupdate.tumblr.com | Automattic, Inc | CA | malicious |
1920 | javaw.exe | 99.86.2.139:443 | launchermeta.mojang.com | AT&T Services, Inc. | US | unknown |
1920 | javaw.exe | 104.24.123.225:80 | www.azlauncher.nz | Cloudflare Inc | US | shared |

Domain | IP | Reputation |
---|---|---|
www.azlauncher.nz | | malicious |
www.google-analytics.com | | whitelisted |
launchermeta.mojang.com | | whitelisted |
mcupdate.tumblr.com | | suspicious |
assets.tumblr.com | | whitelisted |
66.media.tumblr.com | | suspicious |
assets.mojang.com | | shared |
px.srvcs.tumblr.com | | whitelisted |
static.tumblr.com | | whitelisted |
s3.amazonaws.com | | shared |

PID | Process | Class | Message |
---|---|---|---|
2808 | javaw.exe | Potentially Bad Traffic | ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs |
2808 | javaw.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download |
1920 | javaw.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download |
1920 | javaw.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download |
1920 | javaw.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download |
1920 | javaw.exe | A Network Trojan was detected | ET INFO JAVA - Java Archive Download |