Field | Value
---|---
File name | kill me.jar
Full analysis | https://app.any.run/tasks/50df50de-8239-49bd-8a76-87c0ff677e91
Verdict | Malicious activity
Analysis date | January 14, 2022, 23:11:30
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators | 
MIME | application/java-archive
File info | Java archive data (JAR)
MD5 | 98D3CEBBCE492AD48C6D443076EB9A0C
SHA1 | D7CDA9268026FA92566499A68FFC22C9F407FC8B
SHA256 | 6E8AC0D98F89B91237EC16C982AD35E2E2E64F0E767FA688353B4D93976E2755
SSDEEP | 1536:jOyga1gvvRQEX15RRJum7jaNd5HgMAL22R6RJxarE8Bk8IU3Tdbemt:JnendX/UVddLALDRy7arHBnbUC
.zip | ZIP compressed archive (100)
---|---
ZipRequiredVersion | 20
ZipBitFlag | 0x0808
ZipCompression | Deflated
ZipModifyDate | 2022:01:14 23:11:09
ZipCRC | 0x8d6c774e
ZipCompressedSize | 396
ZipUncompressedSize | 570
ZipFileName | META-INF/MANIFEST.MF
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1252 | "C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\Desktop\kill me.jar.zip" | C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe | | Explorer.EXE | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.2710.9
2884 | C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M | C:\Windows\system32\icacls.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3780 | schtasks /create /tn Firewall /tr "javaw.exe -jar 'C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar'" /sc minute /mo 1 | C:\Windows\system32\schtasks.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3784 | attrib +s +h +r "C:\Users\admin\AppData\Roaming\servidorcito\*.*" | C:\Windows\system32\attrib.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Attribute Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2316 | attrib +s +h +r "C:\Users\admin\AppData\Roaming\servidorcito" | C:\Windows\system32\attrib.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Attribute Utility; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
4048 | "C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar" | C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe | | javaw.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Version: 8.0.2710.9
392 | javaw.exe -jar "C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar" | C:\Program Files\Common Files\Oracle\Java\javapath\javaw.exe | — | taskeng.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.2710.9
1384 | cmd.exe /c dir | C:\Windows\system32\cmd.exe | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1168 | javaw.exe -jar "C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar" | C:\Program Files\Common Files\Oracle\Java\javapath\javaw.exe | — | taskeng.exe | User: admin; Company: Oracle Corporation; Integrity Level: MEDIUM; Description: Java(TM) Platform SE binary; Exit code: 0; Version: 8.0.2710.9
3428 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\temporalito5693553201825881713e.txt | C:\Windows\system32\NOTEPAD.EXE | — | javaw.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
1252 | javaw.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | Firewall | "C:\Program Files\Java\jre1.8.0_271/bin/javaw.exe" -jar "C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar"
4048 | javaw.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication | Name | javaw.exe
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
4048 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio513179831430294926.tmp | image | 3A359CAB8B8C1D912E3D229C561B4D7C | 90C621BDE6FEC18816544956182ABB5FAC59AE30E46754D1D1D2F275D2183520
4048 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio460538308995786951.tmp | image | 3A359CAB8B8C1D912E3D229C561B4D7C | 90C621BDE6FEC18816544956182ABB5FAC59AE30E46754D1D1D2F275D2183520
4048 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio6367349336626882806.tmp | image | 3A359CAB8B8C1D912E3D229C561B4D7C | 90C621BDE6FEC18816544956182ABB5FAC59AE30E46754D1D1D2F275D2183520
4048 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio3102205744144588607.tmp | image | 3A359CAB8B8C1D912E3D229C561B4D7C | 90C621BDE6FEC18816544956182ABB5FAC59AE30E46754D1D1D2F275D2183520
4048 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio1102180285705417302.tmp | image | 81C200C0248CA75D764F0EEF1FE4D430 | D57300BC2FD1C05FC20801C722A371961FBADED09DC32FA4D9AAD76458EE6949
4048 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio8635926290470837405.tmp | image | 73048201EB731DF1D228490112A3E70F | 9A933992FB188CE429D831A9526880929D067DDBF7FC428842DB7C6A7DF18E87
4048 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio8274786529896187655.tmp | image | D48C6A10D2C4E5A5963D9E0EE5E76E41 | 3E33330D26C048EEAA5489A7421A83DE63F154B5F30C64BA206F25E125EE0CED
1252 | javaw.exe | C:\Users\admin\AppData\Roaming\servidorcito\Desktop.ini | ini | 788F59BE3D77F611248675B9632E2E64 | C09AFD16D6E90CC2301853E074A231189298B0665B39180406260226A61E2835
1252 | javaw.exe | C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar | java | 98D3CEBBCE492AD48C6D443076EB9A0C | 6E8AC0D98F89B91237EC16C982AD35E2E2E64F0E767FA688353B4D93976E2755
4048 | javaw.exe | C:\Users\admin\AppData\Local\Temp\imageio3676089905003476477.tmp | image | D42CF8DBFE1F865ABCDE9BC451C1C1CA | 848B058F2AA35802F4C27A0F5F35BE22158755D6A9D0425AFACB0B31077D5CB4
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
4048 | javaw.exe | 79.66.71.109:5000 | nipodipo.duckdns.org | Tiscali UK Limited | GB | malicious
4048 | javaw.exe | 79.66.71.109:5321 | nipodipo.duckdns.org | Tiscali UK Limited | GB | malicious
Domain | IP | Reputation
---|---|---
nipodipo.duckdns.org | | malicious
PID | Process | Class | Message
---|---|---|---
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain