File name: kill me.jar
Full analysis: https://app.any.run/tasks/50df50de-8239-49bd-8a76-87c0ff677e91
Verdict: Malicious activity
Analysis date: January 14, 2022, 23:11:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5: 98D3CEBBCE492AD48C6D443076EB9A0C
SHA1: D7CDA9268026FA92566499A68FFC22C9F407FC8B
SHA256: 6E8AC0D98F89B91237EC16C982AD35E2E2E64F0E767FA688353B4D93976E2755
SSDEEP: 1536:jOyga1gvvRQEX15RRJum7jaNd5HgMAL22R6RJxarE8Bk8IU3Tdbemt:JnendX/UVddLALDRy7arHBnbUC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • javaw.exe (PID: 1252)
    • Changes the autorun value in the registry

      • javaw.exe (PID: 1252)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3780)
  • SUSPICIOUS

    • Reads the computer name

      • javaw.exe (PID: 1252)
      • javaw.exe (PID: 4048)
      • javaw.exe (PID: 392)
      • javaw.exe (PID: 1168)
      • javaw.exe (PID: 2232)
    • Creates files in the program directory

      • javaw.exe (PID: 1252)
    • Uses ICACLS.EXE to modify access control list

      • javaw.exe (PID: 1252)
    • Checks supported languages

      • javaw.exe (PID: 1252)
      • javaw.exe (PID: 4048)
      • javaw.exe (PID: 392)
      • cmd.exe (PID: 1384)
      • javaw.exe (PID: 1168)
      • javaw.exe (PID: 2232)
    • Executes JAVA applets

      • javaw.exe (PID: 1252)
    • Application launched itself

      • javaw.exe (PID: 1252)
    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 1252)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • javaw.exe (PID: 1252)
    • Creates files in the user directory

      • javaw.exe (PID: 1252)
    • Executed via Task Scheduler

      • javaw.exe (PID: 392)
      • javaw.exe (PID: 1168)
      • javaw.exe (PID: 2232)
    • Checks that Java is installed

      • javaw.exe (PID: 392)
      • javaw.exe (PID: 1168)
      • javaw.exe (PID: 2232)
    • Starts CMD.EXE for command execution

      • javaw.exe (PID: 4048)
    • Uses REG.EXE to modify Windows registry

      • javaw.exe (PID: 4048)
  • INFO

    • Checks supported languages

      • icacls.exe (PID: 2884)
      • attrib.exe (PID: 2316)
      • schtasks.exe (PID: 3780)
      • attrib.exe (PID: 3784)
      • NOTEPAD.EXE (PID: 3428)
      • reg.exe (PID: 1372)
    • Reads the computer name

      • icacls.exe (PID: 2884)
      • schtasks.exe (PID: 3780)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 2022:01:14 23:11:09
ZipCRC: 0x8d6c774e
ZipCompressedSize: 396
ZipUncompressedSize: 570
ZipFileName: META-INF/MANIFEST.MF
No data.
All screenshots are available in the full report
Total processes
52
Monitored processes
12
Malicious processes
4
Suspicious processes
0

Behavior graph

Processes in the graph, in launch order (the graph itself is rendered in the full report; "no specs" is the report's own marker): start javaw.exe, icacls.exe (no specs), schtasks.exe (no specs), attrib.exe (no specs), attrib.exe (no specs), javaw.exe, javaw.exe (no specs), cmd.exe (no specs), javaw.exe (no specs), notepad.exe (no specs), reg.exe (no specs), javaw.exe (no specs)

Process information

PID: 1252
CMD: "C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\Desktop\kill me.jar.zip"
Path: C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe
Parent process: Explorer.EXE
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.2710.9
Modules
Images
c:\program files\java\jre1.8.0_271\bin\javaw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2884
CMD: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Path: C:\Windows\system32\icacls.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
PID: 3780
CMD: schtasks /create /tn Firewall /tr "javaw.exe -jar 'C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar'" /sc minute /mo 1
Path: C:\Windows\system32\schtasks.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 3784
CMD: attrib +s +h +r "C:\Users\admin\AppData\Roaming\servidorcito\*.*"
Path: C:\Windows\system32\attrib.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID: 2316
CMD: attrib +s +h +r "C:\Users\admin\AppData\Roaming\servidorcito"
Path: C:\Windows\system32\attrib.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID: 4048
CMD: "C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar"
Path: C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe
Parent process: javaw.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Version: 8.0.2710.9
PID: 392
CMD: javaw.exe -jar "C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar"
Path: C:\Program Files\Common Files\Oracle\Java\javapath\javaw.exe
Parent process: taskeng.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.2710.9
PID: 1384
CMD: cmd.exe /c dir
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 1168
CMD: javaw.exe -jar "C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar"
Path: C:\Program Files\Common Files\Oracle\Java\javapath\javaw.exe
Parent process: taskeng.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.2710.9
PID: 3428
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\temporalito5693553201825881713e.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 117
Read events
3 115
Write events
2
Delete events
0

Modification events

(PID) Process: (1252) javaw.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Firewall
Value: "C:\Program Files\Java\jre1.8.0_271/bin/javaw.exe" -jar "C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar"

(PID) Process: (4048) javaw.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: javaw.exe
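The process table and modification events above record the whole persistence chain: the JAR copies itself to C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar, registers a scheduled task named Firewall that relaunches it every minute, hides the directory with attrib +s +h +r, and writes an HKCU Run value of the same name. The Python below is an added example for this page (not ANY.RUN's code and not the sample's) that derives those findings from the command lines and registry writes alone, so the same logic can be run over EDR process-creation and registry telemetry. The event records are constructed from this report, and the ATT&CK technique IDs are this example's own mapping. One caveat it encodes: the icacls call on C:\ProgramData\Oracle\Java\.oracle_jre_usage is the Oracle JRE's own first-run usage-tracker setup and appears with benign JARs as well, so it is reported at low confidence rather than as sample behaviour.

```python
"""Flag the persistence chain in this report from process command lines and
registry writes.  Added example for this page, not ANY.RUN's or the sample's
code; event records are constructed from the tables above and the ATT&CK IDs
are this example's own mapping."""
import ntpath
import re
from dataclasses import dataclass

# Directories a standard user can write to; a payload staged here is the signal.
STAGING_DIR = re.compile(r"\\(appdata|programdata|temp)\\", re.I)
# Run / RunOnce keys (HKCU or HKLM).
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.I)
# Oracle's JRE creates this directory and runs icacls on it at first launch,
# so an icacls hit on it is JRE noise, not sample behaviour.
JRE_USAGE_DIR = r"\oracle\java\.oracle_jre_usage"

# (pid, command line), constructed from the report's process table.
PROCESS_EVENTS = [
    (1252, r'"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\Desktop\kill me.jar.zip"'),
    (2884, r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M'),
    (3780, r'''schtasks /create /tn Firewall /tr "javaw.exe -jar 'C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar'" /sc minute /mo 1'''),
    (3784, r'attrib +s +h +r "C:\Users\admin\AppData\Roaming\servidorcito\*.*"'),
    (2316, r'attrib +s +h +r "C:\Users\admin\AppData\Roaming\servidorcito"'),
    (4048, r'"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar"'),
    (1384, r'cmd.exe /c dir'),
]
# (pid, key, value name, data), constructed from the report's modification events.
REGISTRY_EVENTS = [
    (1252, r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run', 'Firewall',
     r'"C:\Program Files\Java\jre1.8.0_271/bin/javaw.exe" -jar "C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar"'),
    (4048, r'HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication', 'Name', 'javaw.exe'),
]


@dataclass
class Finding:
    pid: int
    technique: str
    attack_id: str
    confidence: str
    detail: str


def tokenize(cmd):
    """Split a Windows command line; quoted arguments stay whole, quotes dropped."""
    toks = re.findall(r'"[^"]*"|\S+', cmd)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] == '"' else t for t in toks]


def schtasks_options(tokens):
    """Map /switch -> value for a schtasks command line ('' for bare switches)."""
    opts, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            opts[tokens[i].lower()] = tokens[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def analyze(process_events, registry_events):
    """Return one Finding per persistence or hiding step seen in the events."""
    findings = []
    for pid, cmd in process_events:
        tokens = tokenize(cmd)
        exe = ntpath.basename(tokens[0]).lower()
        exe = exe[:-4] if exe.endswith(".exe") else exe
        low = cmd.lower()
        if exe == "schtasks" and "/create" in low:
            opts = schtasks_options(tokens)
            action = opts.get("/tr", "")
            if STAGING_DIR.search(action) or "-jar" in action.lower():
                findings.append(Finding(pid, "Scheduled task persistence", "T1053.005", "high",
                    f"task {opts.get('/tn')!r} runs {action!r} every {opts.get('/mo', '1')} {opts.get('/sc', '?')}"))
        elif exe == "attrib":
            flags = {t.lower() for t in tokens[1:] if t[:1] in ("+", "-")}
            targets = [t for t in tokens[1:] if t[:1] not in ("+", "-")]
            if {"+h", "+s"} <= flags and any(STAGING_DIR.search(t) for t in targets):
                findings.append(Finding(pid, "Hidden files and directories", "T1564.001", "high",
                    f"attrib {' '.join(sorted(flags))} on {', '.join(targets)}"))
        elif exe == "icacls" and "/grant" in low and "everyone" in low and "(oi)(ci)" in low:
            noise = JRE_USAGE_DIR in low
            findings.append(Finding(pid, "File permission modification", "T1222.001",
                "low (Oracle JRE usage-tracker setup)" if noise else "medium",
                f"grants Everyone inheritable rights on {tokens[1]}"))
        elif exe in ("java", "javaw") and "-jar" in low and STAGING_DIR.search(cmd):
            findings.append(Finding(pid, "JAR relaunched from staging directory", "-", "medium",
                " ".join(tokens)))
    for pid, key, name, data in registry_events:
        if RUN_KEY.search(key) and (STAGING_DIR.search(data) or "-jar" in data.lower()):
            findings.append(Finding(pid, "Registry Run key persistence", "T1547.001", "high",
                f"{key}\\{name} = {data}"))
    return findings


if __name__ == "__main__":
    for f in analyze(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"[{f.confidence}] PID {f.pid} {f.attack_id} {f.technique}: {f.detail}")
```

The task's /sc minute /mo 1 and the Run value give the sample two independent restart paths: a cleanup that deletes only the Run value leaves the task relaunching the JAR within a minute, which is exactly what PIDs 392 and 1168 (parent taskeng.exe) and the "Executed via Task Scheduler" hit on PID 2232 already show in this run.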
Executable files
1
Suspicious files
0
Text files
55
Unknown types
0

Dropped files

PID   Process    Filename                                                            Type
4048  javaw.exe  C:\Users\admin\AppData\Local\Temp\imageio513179831430294926.tmp    image
      MD5: 3A359CAB8B8C1D912E3D229C561B4D7C  SHA256: 90C621BDE6FEC18816544956182ABB5FAC59AE30E46754D1D1D2F275D2183520
4048  javaw.exe  C:\Users\admin\AppData\Local\Temp\imageio460538308995786951.tmp    image
      MD5: 3A359CAB8B8C1D912E3D229C561B4D7C  SHA256: 90C621BDE6FEC18816544956182ABB5FAC59AE30E46754D1D1D2F275D2183520
4048  javaw.exe  C:\Users\admin\AppData\Local\Temp\imageio6367349336626882806.tmp   image
      MD5: 3A359CAB8B8C1D912E3D229C561B4D7C  SHA256: 90C621BDE6FEC18816544956182ABB5FAC59AE30E46754D1D1D2F275D2183520
4048  javaw.exe  C:\Users\admin\AppData\Local\Temp\imageio3102205744144588607.tmp   image
      MD5: 3A359CAB8B8C1D912E3D229C561B4D7C  SHA256: 90C621BDE6FEC18816544956182ABB5FAC59AE30E46754D1D1D2F275D2183520
4048  javaw.exe  C:\Users\admin\AppData\Local\Temp\imageio1102180285705417302.tmp   image
      MD5: 81C200C0248CA75D764F0EEF1FE4D430  SHA256: D57300BC2FD1C05FC20801C722A371961FBADED09DC32FA4D9AAD76458EE6949
4048  javaw.exe  C:\Users\admin\AppData\Local\Temp\imageio8635926290470837405.tmp   image
      MD5: 73048201EB731DF1D228490112A3E70F  SHA256: 9A933992FB188CE429D831A9526880929D067DDBF7FC428842DB7C6A7DF18E87
4048  javaw.exe  C:\Users\admin\AppData\Local\Temp\imageio8274786529896187655.tmp   image
      MD5: D48C6A10D2C4E5A5963D9E0EE5E76E41  SHA256: 3E33330D26C048EEAA5489A7421A83DE63F154B5F30C64BA206F25E125EE0CED
1252  javaw.exe  C:\Users\admin\AppData\Roaming\servidorcito\Desktop.ini             ini
      MD5: 788F59BE3D77F611248675B9632E2E64  SHA256: C09AFD16D6E90CC2301853E074A231189298B0665B39180406260226A61E2835
1252  javaw.exe  C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar       java
      MD5: 98D3CEBBCE492AD48C6D443076EB9A0C  SHA256: 6E8AC0D98F89B91237EC16C982AD35E2E2E64F0E767FA688353B4D93976E2755
      (identical to the submitted sample's MD5 and SHA256: the JAR copies itself unmodified, so the original file hashes are valid indicators for the persisted copy)
4048  javaw.exe  C:\Users\admin\AppData\Local\Temp\imageio3676089905003476477.tmp   image
      MD5: D42CF8DBFE1F865ABCDE9BC451C1C1CA  SHA256: 848B058F2AA35802F4C27A0F5F35BE22158755D6A9D0425AFACB0B31077D5CB4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
2
Threats
0

HTTP requests

No HTTP requests

Connections

PID   Process    IP:port            Domain                ASN                 CN  Reputation
4048  javaw.exe  79.66.71.109:5000  nipodipo.duckdns.org  Tiscali UK Limited  GB  malicious
4048  javaw.exe  79.66.71.109:5321  nipodipo.duckdns.org  Tiscali UK Limited  GB  malicious

DNS requests

Domain                IP            Reputation
nipodipo.duckdns.org  79.66.71.109  malicious

Threats (PID and process were not recorded for these alerts)

Class          Message
Misc activity  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Misc activity  ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
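All network activity in this run comes from PID 4048, the relaunched copy of the JAR, to one DuckDNS name on two non-web ports, and the two ET INFO hits are the dynamic-DNS lookups that preceded it. The Python below is an added example for this page (not ANY.RUN's code and not the sample's) that joins the connection records to the process chain that produced them and flags the combination that matters here: a JAR running from a user-profile directory talking to a dynamic-DNS host on a non-standard port. The records are constructed from the tables above; the dynamic-DNS suffix list is an assumption kept short for illustration, and the match runs on a label boundary so that look-alike names such as notduckdns.org or duckdns.org.example.com are not caught.

```python
"""Attribute the report's outbound connections to a process chain and flag
dynamic-DNS beaconing.  Added example for this page, not ANY.RUN's or the
sample's code; all records are constructed from the tables above."""
import re
from dataclasses import dataclass, field

# Dynamic-DNS suffixes.  Assumption: an illustrative list, not a complete one.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net", "hopto.org")
# Ports on which a Java process reaching the internet is not unusual.
EXPECTED_PORTS = {80, 443}
# Directories a standard user can write to.
STAGING_DIR = re.compile(r"\\(appdata|programdata|temp)\\", re.I)

# pid -> (parent pid, command line), constructed from the process table.
# PID 392's parent is taskeng.exe, whose PID the report does not give.
PROCESSES = {
    1252: (None, r'"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\Desktop\kill me.jar.zip"'),
    4048: (1252, r'"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar"'),
    392: (None, r'javaw.exe -jar "C:\Users\admin\AppData\Roaming\servidorcito\servidorcito.jar"'),
}
# (pid, remote ip, remote port, resolved name), constructed from the Connections table.
CONNECTIONS = [
    (4048, "79.66.71.109", 5000, "nipodipo.duckdns.org"),
    (4048, "79.66.71.109", 5321, "nipodipo.duckdns.org"),
]


def is_dyndns(domain):
    """True for a dynamic-DNS suffix or any subdomain of one.  The comparison
    is made on a label boundary, so 'notduckdns.org' and
    'duckdns.org.example.com' (both matched by a substring test) are rejected."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DYNDNS_SUFFIXES)


def process_chain(processes, pid):
    """Ancestors of pid that the report knows, root first: [1252, 4048] for 4048."""
    chain = []
    while pid in processes:
        chain.append(pid)
        pid = processes[pid][0]
    return chain[::-1]


@dataclass
class Beacon:
    pid: int
    chain: list
    domain: str
    ip: str
    port: int
    reasons: list = field(default_factory=list)


def triage(processes, connections):
    """One Beacon per connection that has at least one suspicious property."""
    out = []
    for pid, ip, port, domain in connections:
        reasons = []
        if is_dyndns(domain):
            reasons.append(f"dynamic-DNS host {domain}")
        if port not in EXPECTED_PORTS:
            reasons.append(f"non-standard port {port}")
        cmd = processes.get(pid, (None, ""))[1]
        # javaw.exe -jar <path under AppData/ProgramData/Temp>
        if re.search(r"javaw?(\.exe)?\"?\s+-jar\b", cmd, re.I) and STAGING_DIR.search(cmd):
            reasons.append("JAR running from a user-profile staging directory")
        if reasons:
            out.append(Beacon(pid, process_chain(processes, pid), domain, ip, port, reasons))
    return out


def iocs(beacons):
    """Network indicators worth blocking, deduplicated and sorted."""
    return sorted({(b.domain, b.ip, b.port) for b in beacons})


if __name__ == "__main__":
    for b in triage(PROCESSES, CONNECTIONS):
        print(f"PID {b.pid} (chain {b.chain}) -> {b.domain} {b.ip}:{b.port}: {'; '.join(b.reasons)}")
    print(iocs(triage(PROCESSES, CONNECTIONS)))
```

Block on the domain as well as on 79.66.71.109: the point of a DuckDNS name is that the operator can re-point it, and the address sits in an ISP range (Tiscali UK Limited) rather than on hosting the sample controls.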
No debug info