File name: | 11.1.jar |
Full analysis: | https://app.any.run/tasks/f49d869e-91ae-4c39-ba63-59bc24b5a8e9 |
Verdict: | Malicious activity |
Analysis date: | February 25, 2020, 13:00:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/java-archive |
File info: | Java archive data (JAR) |
MD5: | 5505EC151916D81CE0B065926DFE8005 |
SHA1: | FFC51A2A73F0C230856BCA0BE0E3675652EF3E92 |
SHA256: | 63D05D8545F0604EC104DFF8E07F889D1A15CCFEF10A3C65B1A7C73DF02FF8EA |
SSDEEP: | 6144:FQu7BUkU8Xwat1+OIiYid4yaqM4z5li2NXocOKU95SNWpw8OFHVZfWAoynHv+Edb:ZtrUmzt1ZI3mq4zPi2BRUCWpwzF1Eynl |
.zip | | | ZIP compressed archive (100) |
---|
ZipFileName: | META-INF/MANIFEST.MF |
---|---|
ZipUncompressedSize: | 512 |
ZipCompressedSize: | 395 |
ZipCRC: | 0x8af85fba |
ZipModifyDate: | 2020:02:25 19:51:23 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0808 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3368 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\11.1.jar.zip" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | explorer.exe | |
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.920.14 | ||||
2876 | cmd.exe | C:\Windows\system32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
548 | WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2836 | cmd.exe | C:\Windows\system32\cmd.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1332 | WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2856 | attrib +h C:\Users\admin\Oracle | C:\Windows\system32\attrib.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Attribute Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2788 | attrib +h +r +s C:\Users\admin\.ntusernt.ini | C:\Windows\system32\attrib.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Attribute Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4012 | attrib -s -r C:\Users\admin\IueMc\Desktop.ini | C:\Windows\system32\attrib.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Attribute Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2748 | attrib +s +r C:\Users\admin\IueMc\Desktop.ini | C:\Windows\system32\attrib.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Attribute Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2516 | attrib -s -r C:\Users\admin\IueMc | C:\Windows\system32\attrib.exe | — | javaw.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Attribute Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3548) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (3548) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | @C:\Windows\System32\ieframe.dll,-912 |
Value: HTML Document | |||
(PID) Process: | (3548) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | @C:\Windows\system32\notepad.exe,-469 |
Value: Text Document | |||
(PID) Process: | (372) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (372) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | @C:\Windows\System32\display.dll,-4 |
Value: S&creen resolution | |||
(PID) Process: | (372) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | @C:\Program Files\Windows Sidebar\sidebar.exe,-11100 |
Value: &Gadgets | |||
(PID) Process: | (372) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | @C:\Windows\system32\themecpl.dll,-10 |
Value: Pe&rsonalize | |||
(PID) Process: | (3368) javaw.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce |
Operation: | write | Name: | ZlUNqYe |
Value: "C:\Users\admin\Oracle\bin\javaw.exe" -jar "C:\Users\admin\IueMc\tIKhw.class.txt" | |||
(PID) Process: | (3368) javaw.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | ZlUNqYe |
Value: "C:\Users\admin\Oracle\bin\javaw.exe" -jar "C:\Users\admin\IueMc\tIKhw.class.txt" | |||
(PID) Process: | (3368) javaw.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3368 | javaw.exe | C:\Users\admin\Oracle\bin\client\classes.jsa | — | |
MD5:— | SHA256:— | |||
3368 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:D7E7A1E50F3B7FD60BFD7D33B3CB1394 | SHA256:B86426B8484D329FFB09A07F7F53E6EBCEC26798A3ED654EFB2D8F9035D90C18 | |||
3368 | javaw.exe | C:\Users\admin\Oracle\bin\hprof.dll | executable | |
MD5:9449E99B7E7C8A9ED74AC6B8E1AB0EB9 | SHA256:CC82BEAA275F4ED4C33B694154BEBC5FD097ADA50072201D250AED3F269A41B6 | |||
3368 | javaw.exe | C:\Users\admin\Oracle\bin\glib-lite.dll | executable | |
MD5:7AB8AFD789E45C2D08CBC3233DAEC0BF | SHA256:465541EF4E9337108B375984C23F5D31E6C060FED16820BB9BC5AF79A2109EAC | |||
3368 | javaw.exe | C:\Users\admin\Oracle\bin\dtplugin\npdeployJava1.dll | executable | |
MD5:D73A1252502A5F6218C916219B52139D | SHA256:62248D7AB742E200996BF87433B4E8478E4D8BCFBC0A2EE7CBE3A5A62F6268C3 | |||
3368 | javaw.exe | C:\Users\admin\Oracle\bin\gstreamer-lite.dll | executable | |
MD5:28D020770921DEF13B9A8755FEADF8E9 | SHA256:379A14D561AFEB364F8902C0B5193DA229882C6273F2793339E1AD682AF516F4 | |||
3368 | javaw.exe | C:\Users\admin\Oracle\bin\awt.dll | executable | |
MD5:775D4B37E0DDBFA0EB56DB38126FB444 | SHA256:E5D4FC7D47A38A389884AF1EA5F06F7C61C5CDE6AFC154A23A3CB5A127DA1E34 | |||
3368 | javaw.exe | C:\Users\admin\Oracle\bin\glass.dll | executable | |
MD5:BE9D67DFFCC06D2073831F5D8CDE2DC0 | SHA256:A92DF0E1F93E29FAE427DA766D9B91BDA4B421E6AB86AEB9CDD060B218028D35 | |||
3368 | javaw.exe | C:\Users\admin\Oracle\bin\deploy.dll | executable | |
MD5:720EDC1469525DFCD3AE211E653D0241 | SHA256:BFF79FB05667992CC2BDA9BAE6E5A301BAF553042F952203641CCD7E1FC4552D | |||
3368 | javaw.exe | C:\Users\admin\Oracle\bin\dt_shmem.dll | executable | |
MD5:0744E6A5145AA945D89A16EAC835FAB2 | SHA256:C417390F681276EC0D55D81A91B87EAE75CA245045F5C23E9B43550B708FB1A6 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3368 | javaw.exe | 118.100.66.100:4424 | dman20.ddns.net | TM Net, Internet Service Provider | MY | unknown |
Domain | IP | Reputation |
---|---|---|
dman20.ddns.net |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |